services	platforms	author
resources	ruby	vishrutshah

Manage resources using Managed Service Identity using Ruby

This sample demonstrates how to manage Azure resources via Managed Service Identity using the Ruby SDK.

On this page

• Create an Azure VM with MSI extension
• Run this sample
• What does example.rb do?
  • Create a System Assigned MSI Token Provider
  • Create a User Assigned MSI Token Provider
  • Create a resource client
  • Create an Azure Vault
  • Delete an Azure vault

Create an Azure VM with MSI extension

Azure Compute VM with MSI

Run this sample

1. log in to the above Azure virtual machine which has MSI service running and then follow the steps on that VM.

2. If you don't already have it, install Ruby and the Ruby DevKit.

3. If you don't have bundler, install it.

   gem install bundler
   

4. Clone the repository.

   git clone https://github.com/Azure-Samples/resources-ruby-manage-resources-with-msi.git
   

5. Install the dependencies using bundler.

   cd resources-ruby-manage-resources-with-msi
   bundle install
   

6. Set the following environment variables.

   export AZURE_TENANT_ID={your tenant id}
   export AZURE_SUBSCRIPTION_ID={your subscription id}
   export RESOURCE_GROUP_NAME={name of the resource group}    
   

   [AZURE.NOTE] On Windows, use set instead of export.

7. As of 04/04/2018, there are 2 supported ways to get MSI Token.

   • Using the extension installed locally and accessing http://localhost:50342/oauth2/token to get the MSI Token
   • Accessing the http://169.254.169.254/metadata/identity/oauth2/token to get the MSI Token (default)

   Usually, you do not have to worry about the way you get the MSI token. If you would like to access the token specifically using the first approach, then set the environment variable 'MSI_VM' to true as:

   export MSI_VM=true
   

   [AZURE.NOTE] On Windows, use set instead of export.

8. Run the sample.

   bundle exec ruby example.rb
   

What does example.rb do?

Initialize subscription_id, tenant_id, resource_group_name and port from environment variables.

subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || '11111111-1111-1111-1111-111111111111'
tenant_id = ENV['AZURE_TENANT_ID']
resource_group_name = ENV['RESOURCE_GROUP_NAME']
port = ENV['MSI_PORT'] || 50342 # If not provided then we assume the default port

Create a System Assigned MSI Token Provider

We can create token credential using MSITokenProvider with System Assigned Identity:

# Create System Assigned MSI token provider
provider = MsRestAzure::MSITokenProvider.new

Create a User Assigned MSI Token Provider

To create a User Assigned Identity, you would need to provide a reference to your User Assigned object in order to create an instance. You can provide a client_id, an object_id (Active Directory IDs) or the MSI resource id that must conform to: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msiname

The fastest way to get a client_id is to use the CLI 2.0: az identity show -g myR -n myMSi

You can get the object_id using the az ad sp show --id <client_id> command, or througth the Azure Portal in the Active Directory section.

You can also use the azure_mgmt_msi package.

    # Create User Assigned MSI token provider using client_id
    provider = MsRestAzure::MSITokenProvider.new(port, settings,  {:client_id => '00000000-0000-0000-0000-000000000000' })

or object_id:

    # Create User Assigned MSI token provider using object_id
    provider = MsRestAzure::MSITokenProvider.new(port, settings,  {:object_id => '00000000-0000-0000-0000-000000000000' })

or msi_res_id:

    # Create User Assigned MSI token provider using msi_res_id
    provider = MsRestAzure::MSITokenProvider.new(port, settings,  {:msi_res_id => '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msiname'})

Then, obtain credentials with the obtained provider:

credentials = MsRest::TokenCredentials.new(provider)

Create a resource client

Now, we will create a resource management client using Managed Service Identity token provider.

client = Azure::ARM::Resources::ResourceManagementClient.new(credentials)
client.subscription_id = subscription_id

Create an Azure Vault

Now, we will create an Azure key vault account using MSI authenticated resource client. This Azure Key Vault account resource is identical to normal account but it is just created under the resource group where MSI enabled Azure VM has the permission to create resources.

puts 'Creating key vault account with MSI Identity...'
key_vault_params = Azure::ARM::Resources::Models::GenericResource.new.tap do |rg|
  rg.location = WEST_US
  rg.properties = {
      sku: { family: 'A', name: 'standard' },
      tenantId: tenant_id,
      accessPolicies: [],
      enabledForDeployment: true,
      enabledForTemplateDeployment: true,
      enabledForDiskEncryption: true
  }
end

Delete an Azure vault

Now, we will delete key vault account created using this example. Please comment this out to keep the resources alive in you Azure subscription.

client.resources.delete(resource_group_name,
                          'Microsoft.KeyVault',
                          '',
                          'vaults',
                          KEY_VAULT_NAME,
                          '2015-06-01')