I am trying to download a blob from a private container in a VM scale set custom script, using a managedIdentity. This is my terraform code:
```hcl
# https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-linux#property-values
resource "azurerm_virtual_machine_scale_set_extension" "res-extension" {
  depends_on = [
    azurerm_storage_blob.example
  ]
  name                         = "nn-extension"
  virtual_machine_scale_set_id = module.vmss.vmss.id
  publisher                    = "Microsoft.Azure.Extensions"
  type                         = "CustomScript"
  type_handler_version         = "2.1"
  protected_settings = jsonencode({
    "fileUris"         = [azurerm_storage_blob.example.url],
    "commandToExecute" = "sh createfile.sh ; ls -al",
    "managedIdentity" : { "objectId" : module.vmss.vmss.identity.0.principal_id }
  })
}
```
However, it fails with the message:
"Error message: \"Enable failed: processing file downloads failed: failed to download file[0]: failed to download response and write to file: /var/lib/waagent/custom-script/download/1/createfile: failed to create http request: Unable to get managed identity with object id 2c8.....8. Please make sure that the user assigned managed identity is added to the VM"
I checked in the portal, I have an active Managed Identity on the VM scale set, with matching principal ID.
When I change the setting to use 'clientId' instead of 'objectId', it throws a similar error.
So is it possible to use a managed identity to download blobs? Or do I have to assign user-assigned identities to individual VM instances in the scale set, or something?
Anyone any experience with this?
Actually the answer was already in here: Azure VM Scaleset custom script extension not working - possibly failing to get VM identity?
When using managed identity pass an empty block:
```hcl
"managedIdentity" : { }
```
Didn't read the docs well enough... https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/custom-script-windows#property-managedidentity
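A corrected version of the resource from the question, as an added example (not the asker's or the answerer's own code). It keeps the question's names (`module.vmss.vmss`, `azurerm_storage_blob.example`) and assumes a system-assigned identity on the scale set and an `azurerm_storage_account.example` resource, so that the data-plane role the identity needs to read a private blob can be granted alongside the extension.

```hcl
# Added example; resource names other than those in the question are assumed.
# The extension fetches fileUris with a token from the VMSS identity, so that
# identity also needs a blob data-plane role on the account (or container).
resource "azurerm_role_assignment" "vmss_blob_reader" {
  scope                = azurerm_storage_account.example.id # assumed name
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = module.vmss.vmss.identity[0].principal_id
}

resource "azurerm_virtual_machine_scale_set_extension" "res-extension" {
  depends_on = [
    azurerm_storage_blob.example,
    azurerm_role_assignment.vmss_blob_reader, # RBAC must exist before the download
  ]
  name                         = "nn-extension"
  virtual_machine_scale_set_id = module.vmss.vmss.id
  publisher                    = "Microsoft.Azure.Extensions"
  type                         = "CustomScript"
  type_handler_version         = "2.1"

  # protected_settings is encrypted at rest on the VM; keep the URI here rather
  # than in the plain settings block since it names the private container.
  protected_settings = jsonencode({
    fileUris         = [azurerm_storage_blob.example.url]
    commandToExecute = "sh createfile.sh ; ls -al"
    # Empty object = use the scale set's system-assigned identity.
    # For a user-assigned identity that is attached to the VMSS, give exactly
    # one of clientId or objectId instead, e.g.:
    #   managedIdentity = { clientId = azurerm_user_assigned_identity.example.client_id }
    managedIdentity = {}
  })
}
```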