Tags: azure, azure-managed-identity, azure-sdk, azure-identity

Setting up Managed Identity authentication for Azure Storage Account


I have an Azure Storage account Gen2 (Azure Data Lake) on which I want to set up MSI (Managed Identity) authentication. The goal is to access ADLS from an application that uses the Azure SDK for C++ and should use Azure::Identity::ManagedIdentityCredential.

My concern is where I am going wrong: Azure or code?

I tried to use Azure::Identity::ManagedIdentityCredential with only the client ID for now.

On the Azure side I did exactly this.

  1. Created ADLS Gen2 account
  2. Created managed Identity
  3. Went back to the ADLS Gen2 account -> Access Control (IAM) -> Add role assignment -> Role: Storage Account Contributor -> Members: Managed identity -> +Select members -> selected the managed identity created in step 2
  4. Went back to the application, and for the Client ID I used the Client ID of the managed identity

As a result, the GetToken request times out 3 times and then it stops.


Solution

  • Managed Identity only works when your application runs on an Azure service that supports it.

    For example, on an Azure Virtual Machine, Managed Identity tokens are acquired from the Instance Metadata Service (IMDS) endpoint only accessible from inside the VM.

    Think about it. If you could get access to a Storage account by just knowing a GUID (the client ID), that would not be very secure, would it? ;)

    You'll need to use a credential that uses your user account, e.g. Azure CLI credential or Default Azure credential. Or register an application in Entra ID with a client secret/certificate and use the relevant credential for that.
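To make the timeout in the question concrete, here is an added example (not code from the original post, and not the Azure SDK's own implementation) that models what a managed identity credential does on a VM: it issues an HTTP GET to the Instance Metadata Service at the link-local address 169.254.169.254 with the mandatory `Metadata: true` header, passing the target resource and, for a user-assigned identity, the `client_id`. The environment-variable detection is a simplified version of how hosting services such as App Service advertise their own token endpoint; the exact variable set is an assumption for illustration. No network call is made: the request is built and a constructed sample response in the IMDS JSON format is parsed. When no hosting endpoint is present, the only remaining source is IMDS, which nothing outside an Azure VM can reach, so off-Azure the request simply times out.

```cpp
// Added example: models the IMDS token request behind a managed identity
// credential. Not the Azure SDK for C++ implementation; no network I/O.
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>

// Link-local IMDS endpoint; only answers from inside an Azure VM.
static const std::string kImdsHost = "http://169.254.169.254";
static const std::string kImdsApiVersion = "2018-02-01";
// Audience (resource) for Azure Storage / ADLS Gen2 data-plane tokens.
static const std::string kStorageResource = "https://storage.azure.com/";

// Minimal RFC 3986 percent-encoding for query-string values.
std::string url_encode(const std::string& in) {
    static const char* hex = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : in) {
        if (std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            out += static_cast<char>(c);
        } else {
            out += '%'; out += hex[c >> 4]; out += hex[c & 15];
        }
    }
    return out;
}

// Token URL. client_id selects a user-assigned identity; leave it empty to
// use the system-assigned identity of the VM.
std::string imds_token_url(const std::string& resource, const std::string& client_id) {
    std::string url = kImdsHost + "/metadata/identity/oauth2/token?api-version="
                    + kImdsApiVersion + "&resource=" + url_encode(resource);
    if (!client_id.empty()) url += "&client_id=" + url_encode(client_id);
    return url;
}

// IMDS refuses requests without this header, so a forwarding proxy or an
// SSRF hole in another app on the box cannot fetch tokens by accident.
std::map<std::string, std::string> imds_headers() {
    return {{"Metadata", "true"}};
}

// Simplified (assumed) detection of a hosting-service token endpoint.
// `env` is passed in so the logic is testable; a real build would read getenv.
std::string managed_identity_source(const std::map<std::string, std::string>& env) {
    if (env.count("IDENTITY_ENDPOINT") && env.count("IDENTITY_HEADER")) return "app-service";
    if (env.count("MSI_ENDPOINT")) return "cloud-shell";
    return "imds";  // nothing else advertised: probe 169.254.169.254, which times out off-Azure
}

// Extracts a top-level string field from a flat JSON object; sufficient for
// the IMDS token response, which has no nesting.
std::string json_string_field(const std::string& json, const std::string& key) {
    size_t k = json.find("\"" + key + "\"");
    if (k == std::string::npos) return "";
    size_t q1 = json.find('"', json.find(':', k) + 1);
    if (q1 == std::string::npos) return "";
    size_t q2 = json.find('"', q1 + 1);
    if (q2 == std::string::npos) return "";
    return json.substr(q1 + 1, q2 - q1 - 1);
}

struct ImdsToken {
    std::string access_token;
    long expires_on;  // Unix time at which the token expires
    std::string resource;
    std::string client_id;
};

ImdsToken parse_imds_response(const std::string& json) {
    ImdsToken t;
    t.access_token = json_string_field(json, "access_token");
    t.expires_on = std::atol(json_string_field(json, "expires_on").c_str());
    t.resource = json_string_field(json, "resource");
    t.client_id = json_string_field(json, "client_id");
    return t;
}

// Constructed sample response in the IMDS format (all values are placeholders).
static const std::string kSampleResponse =
    "{\"access_token\":\"eyJ0eXAi.example.sig\","
    "\"client_id\":\"00000000-0000-0000-0000-000000000000\","
    "\"expires_in\":\"3599\",\"expires_on\":\"1700000000\",\"ext_expires_in\":\"3599\","
    "\"not_before\":\"1699996400\",\"resource\":\"https://storage.azure.com/\","
    "\"token_type\":\"Bearer\"}";

int main() {
    std::printf("GET %s\n", imds_token_url(kStorageResource, "00000000-0000-0000-0000-000000000000").c_str());
    for (const auto& h : imds_headers()) std::printf("%s: %s\n", h.first.c_str(), h.second.c_str());
    std::printf("token source with no hosting env vars: %s\n", managed_identity_source({}).c_str());
    ImdsToken t = parse_imds_response(kSampleResponse);
    std::printf("token for %s (client %s) expires at %ld\n",
                t.resource.c_str(), t.client_id.c_str(), t.expires_on);
    return 0;
}
```

The practical check before blaming the role assignment: from inside the VM, a GET to the URL the block prints, with the `Metadata: true` header, returns the JSON above within a second; from a developer laptop the same request hangs until it times out, which is exactly the repeated GetToken timeout in the question. The role assignment in step 3 is only consulted after a token has been issued.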