Does Ansible support system-assigned managed identities when being run remotely on an Azure VM ?
For example, I’m running ansible locally, and updating the configuration of my VM that is running in Azure. During the configuration, I want the VM to pull a blob out of a storage account. I’ve given the VM the Appropriate RBAC permissions to do so. If I ssh to my VM and manually use the Azure CLI or AZCopy I can get the blob from the storage account.
My azure playbook has a task like the following.
- name: Get the install file from blobstorage
azure.azcollection.azure_rm_storageblob:
resource_group: devops-storage-account
storage_account_name: devoptestsa123
container: software
blob: devops-install-file
dest: /opt/devops/devops-install-file
auth_source: msi
I do have the MSILinuxExtension installed and I’ve validated it is working.
The error I get from Ansible is the following
"msg": "Failed to get MSI token: 'MSIAuthentication' object has no attribute 'get_token'. Please check whether your machine enabled MSI or grant access to any subscription."
There are multiple subscriptions, therefore I added a subscription_id
- name: Get the install file from blobstorage
azure.azcollection.azure_rm_storageblob:
resource_group: devops-storage-account
storage_account_name: devoptestsa123
container: software
blob: devops-install-file
dest: /opt/devops/devops-install-file
auth_source: msi
subscription_id=8d2565aa-b804-4bfc-ad8b-be29a6861f68
At least then the error message changes 
"msg": "Error getting storage account detail for devoptestsa123: (AuthorizationFailed) The client '6edd927a-519f-40f1-8d93-45437d9dc909' with object id '6edd927a-519f-40f1-8d93-45437d9dc909' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/0f849332-18f0-45f6-abf6-3bcd9058d3eb/resourceGroups/devops-storage-account/providers/Microsoft.Storage/storageAccounts/devoptestsa123' or the scope is invalid. If access was recently granted, please refresh your credentials.\nCode: AuthorizationFailed\nMessage: The client '6edd927a-519f-40f1-8d93-45437d9dc909' with object id '6edd927a-519f-40f1-8d93-45437d9dc909' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/0f849332-18f0-45f6-abf6-3bcd9058d3eb/resourceGroups/devops-storage-account/providers/Microsoft.Storage/storageAccounts/devoptestsa123' or the scope is invalid. If access was recently granted, please refresh your credentials."
The issue here is that Ansible shouldn’t need to perform a listKeys action because I expect Ansible to use RBAC. Is there some way to direct Ansible to not ListKeys ?
ansible --version
ansible [core 2.15.5]
config file = /Users/greg/.ansible.cfg
configured module search path = ['/Users/greg/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/8.5.0/libexec/lib/python3.11/site-packages/ansible
ansible collection location = /Users/greg/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin/ansible
python version = 3.11.6 (main, Oct 2 2023, 20:46:14) [Clang 14.0.3 (clang-1403.0.22.14.1)] (/opt/homebrew/Cellar/ansible/8.5.0/libexec/bin/python)
jinja version = 3.1.2
libyaml = True