I recently came across an issue where a user-assigned managed identity on a VM was not able to read the properties of the resource group where the VM object it was assigned to resided. As our deployment relied on these permissions being set it would fail until the permissions were added.
Normally, you could easily check this in the portal; however, in this case the user doing the deployment didn’t have portal access and had to rely on another person to add/remove the permissions. So they either had to go through the deployment and wait for it to fail or succeed or ping someone with portal access to go check the permissions.
In trying to determine a method for a user without portal access to verify the permissions, I came across this article, but it was geared towards system-assigned managed identities and required giving your virtual machines read rights on the resource group. Additionally, the article only states how to test the identity in Azure Commercial, which didn’t help me as my customer was in Azure Government.
Using this article as a general guide, I pieced together the following steps:
- Open a terminal session to the Linux VM that has the user-assigned managed identity assigned
- Run the following curl command. Note the api-version is 2018-02-01 (one contiguous date), and the resource is the Azure Government ARM endpoint; in Azure Commercial it would be https://management.azure.com/ instead. If the VM has more than one identity assigned (for example a system-assigned identity as well as the user-assigned one), append &client_id=<client id of the user-assigned identity> to the query string so IMDS knows which identity to issue the token for.
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.usgovcloudapi.net/' -H Metadata:true
You should see output similar to the following
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyIsImtpZCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyJ9....MDBjxDLSOLlZs3bbFVH9NjR2_qY4vqbFynXaqsxNcfsBLv8XXXFZPSqBBNk7Ig8hQoNAjOWjT9W0FYw_KzLzWpUs4O1fSsuuqvEzIfml1H2hDn4-I-6bHxC3Il_9wt6njaH4vj31lWXOtNhynOaNl9jPuz4jAOJtbVlMR7ryCa9gZz3f_RCr3ShhkSpXmRU2RP-9c4KbLxSxr3ZYDyuHZ6u66PnDrX5-CyoMUKem3FBSsC29DZURaAMbjYr62gT9HJc7tYuXYvjBuG12suvHslLg1yWfFPxS5Td0pxSZMnc8JdonveOI5MmcW6FySi-5v7JNwH8yf7adr-eHYq0AcQ",
  "client_id": "b4d80039-5b58-43f0-afe7-4e29427095bd",
  "expires_in": "28800",
  "expires_on": "1571354038",
  "ext_expires_in": "28800",
  "not_before": "1571324938",
  "resource": "https://management.usgovcloudapi.net/",
  "token_type": "Bearer"
}
(The middle segment of the token, the JWT payload, is elided above with "...".)
- From the output, copy just the value of access_token (without the surrounding quotes), which leaves us with this (payload segment again elided with "...")
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyIsImtpZCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyJ9....MDBjxDLSOLlZs3bbFVH9NjR2_qY4vqbFynXaqsxNcfsBLv8XXXFZPSqBBNk7Ig8hQoNAjOWjT9W0FYw_KzLzWpUs4O1fSsuuqvEzIfml1H2hDn4-I-6bHxC3Il_9wt6njaH4vj31lWXOtNhynOaNl9jPuz4jAOJtbVlMR7ryCa9gZz3f_RCr3ShhkSpXmRU2RP-9c4KbLxSxr3ZYDyuHZ6u66PnDrX5-CyoMUKem3FBSsC29DZURaAMbjYr62gT9HJc7tYuXYvjBuG12suvHslLg1yWfFPxS5Td0pxSZMnc8JdonveOI5MmcW6FySi-5v7JNwH8yf7adr-eHYq0AcQ
- Now run the following command, replacing SUBSCRIPTIONID, RESOURCEGROUP, and ACCESSTOKEN with the values for your environment. The URL is quoted so the shell does not try to expand the "?" in it.
curl 'https://management.usgovcloudapi.net/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP?api-version=2016-09-01' -H "Authorization: Bearer ACCESSTOKEN"
In the above command, the RESOURCEGROUP parameter should be the name of the resource group that you’re testing read access on.
If the identity has read access on the resource group, you should see output like the following
{"id":"/subscriptions/SUBID/resourceGroups/RG","name":"RG","location":"usgovvirginia","tags":{},"properties":{"provisioningState":"Succeeded"}}
If instead you see the error below, the managed identity does not have read access (Microsoft.Resources/subscriptions/resourceGroups/read) on that scope. Note the last sentence of the message: role assignments take a few minutes to propagate and IMDS caches the token it handed out, so if access was just granted, wait and request a fresh token before concluding the assignment is missing.
{"error":{"code":"AuthorizationFailed","message":"The client '6210fd8c-560e-499e-9fa2-1aeb6bfe2f64' with object id '6210fd8c-560e-499e-9fa2-1aeb6bfe2f64' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/SUBID/resourceGroups/RG' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
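The steps above, put together as a single script you can drop on the VM. This is an added example, not code from the original post: it fetches the token from IMDS (optionally for a specific client_id when the VM carries several identities), pulls the access_token out with sed rather than jq (which is often not installed on a fresh VM), decodes the JWT payload so you can confirm the aud/oid/appid before calling ARM, and turns the ARM response into a yes/no verdict with a matching exit code. It assumes the Azure Government endpoints from the post and only curl, sed, cut, tr, grep and coreutils base64 on the VM; the function names and the exit-code convention are my own.

```shell
#!/usr/bin/env bash
# check-rg-read.sh: can the managed identity on this VM read a resource group?
# Added example, not from the original post. Assumes Azure Government endpoints.
set -u

IMDS='http://169.254.169.254/metadata/identity/oauth2/token'
ARM='https://management.usgovcloudapi.net'   # Commercial: https://management.azure.com
API_VERSION='2018-02-01'

# Ask IMDS for a token. Pass a client_id as $1 when the VM has more than one
# identity; otherwise IMDS cannot tell which identity you mean.
get_token_json() {
  local client_id="${1:-}"
  local url="${IMDS}?api-version=${API_VERSION}&resource=${ARM}/"
  if [ -n "$client_id" ]; then url="${url}&client_id=${client_id}"; fi
  curl -s -H 'Metadata:true' "$url"
}

# Extract the access_token value from the IMDS JSON on stdin (no jq needed).
extract_token() {
  sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

# Decode the JWT payload (second dot-separated segment) so aud/oid/appid can be
# checked before hitting ARM: base64url -> base64, restore padding, decode.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# GET the resource group with the bearer token. Quoted URL: '?' is not a glob.
get_resource_group() {
  local sub="$1" rg="$2" token="$3"
  curl -s "${ARM}/subscriptions/${sub}/resourceGroups/${rg}?api-version=2016-09-01" \
       -H "Authorization: Bearer ${token}"
}

# Turn the ARM response body into a verdict. Exit status: 0 readable,
# 1 AuthorizationFailed, 2 anything else (bad token, wrong name, throttling...).
classify_response() {
  local body="$1"
  if printf '%s' "$body" | grep -q '"provisioningState"'; then
    echo "read-access: yes"; return 0
  elif printf '%s' "$body" | grep -q '"code":"AuthorizationFailed"'; then
    echo "read-access: no (AuthorizationFailed)"; return 1
  else
    echo "unexpected response: $body"; return 2
  fi
}

# Usage: ./check-rg-read.sh SUBSCRIPTIONID RESOURCEGROUP [CLIENT_ID]
main() {
  local token
  token=$(get_token_json "${3:-}" | extract_token)
  if [ -z "$token" ]; then echo "no token returned by IMDS" >&2; return 2; fi
  echo "token payload: $(jwt_payload "$token")"
  classify_response "$(get_resource_group "$1" "$2" "$token")"
}

# Only talk to IMDS/ARM when run with arguments; sourcing the file just loads the functions.
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it as the deploying user on the VM with the subscription id and resource group name; a non-zero exit lets you gate the rest of a deployment script on the result instead of waiting for the deployment itself to fail. The payload line is worth a glance: an unexpected oid or appid means the token was minted for a different identity than the one whose role assignment you are checking.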