How to use System Managed Identities on Azure VMs via MSI?

Does Ansible support system-assigned managed identities when being run remotely on an Azure VM?

For example, I’m running ansible locally, and updating the configuration of my VM that is running in Azure. During the configuration, I want the VM to pull a blob out of a storage account. I’ve given the VM the appropriate RBAC permissions to do so. If I ssh to my VM and manually use the Azure CLI or AzCopy, I can get the blob from the storage account.

My Azure playbook has a task like the following:

    - name: Get the install file from blobstorage
      azure.azcollection.azure_rm_storageblob:
        resource_group: devops-storage-account
        storage_account_name: devoptestsa123
        container: software
        blob: devops-install-file
        dest: /opt/devops/devops-install-file
        auth_source: msi

I do have the MSILinuxExtension installed and I’ve validated it is working.

The error I get from Ansible is the following:

    "msg": "Failed to get MSI token: 'MSIAuthentication' object has no attribute 'get_token'. Please check whether your machine enabled MSI or grant access to any subscription."

There are multiple subscriptions; therefore, I added a subscription_id:

    - name: Get the install file from blobstorage
      azure.azcollection.azure_rm_storageblob:
        resource_group: devops-storage-account
        storage_account_name: devoptestsa123
        container: software
        blob: devops-install-file
        dest: /opt/devops/devops-install-file
        auth_source: msi
        subscription_id: 8d2565aa-b804-4bfc-ad8b-be29a6861f68

At least then the error message changes :)

    "msg": "Error getting storage account detail for devoptestsa123: (AuthorizationFailed) The client '6edd927a-519f-40f1-8d93-45437d9dc909' with object id '6edd927a-519f-40f1-8d93-45437d9dc909' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/0f849332-18f0-45f6-abf6-3bcd9058d3eb/resourceGroups/devops-storage-account/providers/Microsoft.Storage/storageAccounts/devoptestsa123' or the scope is invalid. If access was recently granted, please refresh your credentials.\nCode: AuthorizationFailed\nMessage: The client '6edd927a-519f-40f1-8d93-45437d9dc909' with object id '6edd927a-519f-40f1-8d93-45437d9dc909' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/0f849332-18f0-45f6-abf6-3bcd9058d3eb/resourceGroups/devops-storage-account/providers/Microsoft.Storage/storageAccounts/devoptestsa123' or the scope is invalid. If access was recently granted, please refresh your credentials."

The issue here is that Ansible shouldn’t need to perform a listKeys action, because I expect Ansible to use RBAC. Is there some way to direct Ansible to not call listKeys?

    ansible --version
    ansible [core 2.15.5]
      config file = /Users/greg/.ansible.cfg
      configured module search path = ['/Users/greg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
      ansible python module location = /opt/homebrew/Cellar/ansible/8.5.0/libexec/lib/python3.11/site-packages/ansible
      ansible collection location = /Users/greg/.ansible/collections:/usr/share/ansible/collections
      executable location = /opt/homebrew/bin/ansible
      python version = 3.11.6 (main, Oct  2 2023, 20:46:14) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.5.0/libexec/bin/python)
      jinja version = 3.1.2
      libyaml = True
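An added example, not from the original post, of how the same blob can be fetched with only data-plane RBAC (the built-in Storage Blob Data Reader role on the storage account) and no listKeys call: it delegates to the Azure CLI that the poster already verified works on the VM. It assumes the tasks run on the VM itself with the Azure CLI installed; `--auth-mode login` makes az use the managed identity's token instead of the account keys.

```yaml
# Runs on the Azure VM; the identity is the VM's system-assigned managed identity.
- name: Sign in to the Azure CLI with the VM's system-assigned managed identity
  ansible.builtin.command:
    cmd: az login --identity
  changed_when: false

# Data-plane read only: needs Storage Blob Data Reader on the account (or container),
# so the control-plane action Microsoft.Storage/storageAccounts/listKeys/action is
# never attempted and the account keys are never exposed to the playbook.
- name: Get the install file from blob storage using RBAC instead of account keys
  ansible.builtin.command:
    cmd: >-
      az storage blob download
      --auth-mode login
      --account-name devoptestsa123
      --container-name software
      --name devops-install-file
      --file /opt/devops/devops-install-file
    creates: /opt/devops/devops-install-file
```

The `creates` argument keeps the task idempotent, and the absence of any listKeys call means the AuthorizationFailed error above cannot be triggered by this task.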