
[Feature]: Support system-assigned managed identity in VM/Arc Run Command cmdlets #27527


Open
mvanhilst-msft opened this issue Apr 9, 2025 · 3 comments
Assignees: none
Labels: Compute - VM; customer-reported; feature-request (This issue requires a new behavior in the product in order to be resolved.); Service Attention (This issue is the responsibility of the Azure service team.)

Comments

@mvanhilst-msft commented Apr 9, 2025

Description of the new feature

The {New,Update,Invoke}-AzConnectedMachineRunCommand and {Set,Invoke}-AzVmRunCommand cmdlets support using user-assigned managed identities to retrieve a script from Azure Storage via the -ScriptUriManagedIdentityClientId and -ScriptUriManagedIdentityObjectId parameters. It does not appear there is a way to use a system-assigned managed identity via these parameters.

The support for user-assigned managed identities in the ConnectedMachine cmdlets is great, except for one small problem: as far as I can tell, Arc servers still don't support user-assigned managed identities. So this feature is currently useless for those cmdlets.

The underlying VM and Arc RunCommand REST APIs supposedly support system-assigned managed identities via the JSON payload:

```json
{
  "location": "West US 2",
  "properties": {
    "source": {
      "scriptUri": "...",
      "scriptUriManagedIdentity": {}
    }
  }
}
```

scriptUriManagedIdentity: User-assigned managed identity that has access to scriptUri in case of Azure storage blob. Use an empty object in case of system-assigned identity.

https://learn.microsoft.com/en-us/rest/api/hybridcompute/machine-run-commands/create-or-update?view=rest-hybridcompute-2025-01-13&tabs=HTTP#machineruncommandscriptsource

However, when I try this via the -JsonString parameter, I receive "The request does not have sufficient information to complete the operation. Missing or invalid properties: ScriptUriManagedIdentity is not valid: Exactly one property should be populated between CientId and ObjectId.."

Proposed implementation details (optional)

It would be nice if we had a -ScriptUriManagedIdentity switch to simplify this.
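The following PowerShell is an added example, not code from the issue, the Az module or the Arc service team. It builds the machine run-command payload in the three identity forms discussed above (user-assigned by clientId, user-assigned by objectId, and the empty object the REST docs describe for system-assigned), applies the same "exactly one of clientId/objectId" rule locally that the API error quotes, and PUTs the body with Invoke-AzRestMethod so the raw service response is visible instead of the cmdlet's wrapping. It also fetches the Arc machine's identity block so you can see that only a system-assigned identity is present. It assumes an authenticated Az session (Connect-AzAccount), Az.Accounts, and the hybridcompute API version from the doc link in the issue; the subscription, resource group, machine, run-command and storage names are placeholders.

```powershell
#Requires -Modules Az.Accounts
# Added example. Assumes Connect-AzAccount has already been run.

function New-RunCommandBody {
    # Builds the JSON body for PUT .../machines/{name}/runCommands/{runCommandName}.
    # Pass -ClientId or -ObjectId for a user-assigned identity; pass neither to
    # emit the empty-object form the REST docs describe for system-assigned.
    param(
        [Parameter(Mandatory)] [string] $Location,
        [Parameter(Mandatory)] [string] $ScriptUri,
        [string] $ClientId,
        [string] $ObjectId
    )
    if ($ClientId -and $ObjectId) { throw 'Pass -ClientId or -ObjectId, not both.' }
    $identity = if ($ClientId)     { [ordered]@{ clientId = $ClientId } }
                elseif ($ObjectId) { [ordered]@{ objectId = $ObjectId } }
                else               { @{} }   # serialises as {} ("system-assigned" per docs)
    $body = [ordered]@{
        location   = $Location
        properties = [ordered]@{
            source = [ordered]@{
                scriptUri                = $ScriptUri
                scriptUriManagedIdentity = $identity
            }
        }
    }
    # -Depth is required; the default depth flattens the nested source object.
    $body | ConvertTo-Json -Depth 6 -Compress
}

function Test-ScriptUriIdentity {
    # Local mirror of the server-side rule quoted in the issue's error message:
    # exactly one of clientId/objectId must be populated. $false for the empty object.
    param([Parameter(Mandatory)] [string] $Body)
    $mi = ($Body | ConvertFrom-Json).properties.source.scriptUriManagedIdentity
    $populated = @($mi.PSObject.Properties | Where-Object {
        $_.Name -in 'clientId', 'objectId' -and $_.Value })
    return ($populated.Count -eq 1)
}

function Get-ArcMachineIdentity {
    # Returns the machine's identity block (type, principalId) via the ARM GET.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $MachineName,
        [string] $ApiVersion = '2025-01-13'   # version from the doc link in the issue
    )
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.HybridCompute/machines/$MachineName?api-version=$ApiVersion"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) { throw "GET machine failed ($($resp.StatusCode)): $($resp.Content)" }
    ($resp.Content | ConvertFrom-Json).identity
}

function Invoke-ArcRunCommandPut {
    # PUTs the body directly so the service's own error text is returned unwrapped.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $MachineName,
        [Parameter(Mandatory)] [string] $RunCommandName,
        [Parameter(Mandatory)] [string] $Body,
        [string] $ApiVersion = '2025-01-13'
    )
    if (-not (Test-ScriptUriIdentity -Body $Body)) {
        Write-Warning 'scriptUriManagedIdentity has neither clientId nor objectId; expect the API to reject it.'
    }
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.HybridCompute/machines/$MachineName" +
            "/runCommands/$RunCommandName?api-version=$ApiVersion"
    $resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $Body
    if ($resp.StatusCode -ge 400) {
        $err = ($resp.Content | ConvertFrom-Json).error
        Write-Warning "PUT $RunCommandName failed ($($resp.StatusCode)): $($err.code): $($err.message)"
    }
    $resp
}

# Usage with placeholder names (assumptions, not values from the issue).
$target = @{
    SubscriptionId    = '00000000-0000-0000-0000-000000000000'
    ResourceGroupName = 'rg-arc'
    MachineName       = 'arc-server-01'
}
Get-ArcMachineIdentity @target | Format-List        # expect type = SystemAssigned, no userAssignedIdentities

$scriptUri = 'https://stexample.blob.core.windows.net/scripts/info.ps1'
$sysBody = New-RunCommandBody -Location 'westus2' -ScriptUri $scriptUri          # {} form
$uaBody  = New-RunCommandBody -Location 'westus2' -ScriptUri $scriptUri -ClientId '11111111-1111-1111-1111-111111111111'
Test-ScriptUriIdentity -Body $sysBody   # $false: this is the body the API rejects
Test-ScriptUriIdentity -Body $uaBody    # $true: passes validation (IMDS lookup is a separate matter on Arc)

Invoke-ArcRunCommandPut @target -RunCommandName 'getinfo' -Body $sysBody | Select-Object StatusCode, Content
```

The local check is there so a script can fail fast and with a clear message rather than after a round trip; it does not make the system-assigned form work, it only tells you which body the service will reject before you send it. Keep the PUT in place while reproducing the issue, since the exact error text comes from the service, not the cmdlet.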

@mvanhilst-msft mvanhilst-msft added feature-request This issue requires a new behavior in the product in order be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 9, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added customer-reported needs-triage This is a new issue that needs to be triaged to the appropriate team. and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 9, 2025
@isra-fel isra-fel added Compute - VM Service Attention This issue is responsible by Azure service team. and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Apr 10, 2025
Contributor

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @Drewm3, @TravisCragg-MSFT, @nikhilpatel909, @sandeepraichura, @hilaryw29, @GabstaMSFT.

@mvanhilst-msft (Author)

I was able to confirm that the documentation is incorrect and the Arc RunCommand REST APIs do not support system-assigned managed identities at all. It is the REST API itself that is returning ScriptUriManagedIdentity is not valid: Exactly one property should be populated between CientId and ObjectId. Then, if I provide any GUID in ClientId/ObjectId (even though Arc doesn't support user-assigned managed identities), the REST API returns an error about being unable to connect to the managed identity IMDS (since the Arc implementation is at a different URL). It seems like a copy-paste job from the VM RunCommands without regard for the nuances of Arc.

In other words, the ScriptUri managed identity feature does not work at all in Arc RunCommands, even outside the scope of the Az PowerShell module.

Where should I submit this bug report?

@GabstaMSFT (Member)

@mvanhilst-msft thank you for your request, I am reviewing it with the dev team.
