Cannot login to Azure with system assigned managed identity ID

I am writing a script that logs into Azure, but I don’t want to use my password explicitly. Therefore I switched on a system assigned managed identity:

[screenshot: system assigned managed identity enabled]

And now in a shell script I do this:


az login --identity --username xxx

‘xxx’ is the Object (principal) ID shown on the screenshot.

When I execute the command, I get this (replaced IP and ID with ‘xxx’):

Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection.

Error detail: HTTPConnectionPool(host='XXX.XXX.XXX.XXX', port=XX): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01&client_id=xxx (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x04B7DB08>: Failed to establish a new connection: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond'))

EDIT: it works fine when I run this command in Cloud Shell on the Azure portal.

Why can’t I login? Am I missing something?

Solution:

A system assigned managed identity cannot be used to log in. It is explicitly tied to the service you created it for, and is not meant for re-use.

System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

The most important part of that quote is the last sentence:

By design, only that Azure resource can use this identity to request tokens from Azure AD.

More information: What are managed identities for Azure resources?

Also:

Can’t be shared.
It can only be associated with a single Azure resource.

EDIT:
Based on your question and the comment below you might be looking for a Service Principal. A managed identity, either system assigned or user assigned, is for use with an Azure resource.

Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication.

An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.

For more information on Service principals, see Create an Azure service principal with the Azure CLI.
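The error in the question comes from the Azure CLI trying to reach the Instance Metadata Service (IMDS) at the link-local address 169.254.169.254, which is only routable from inside the Azure resource that owns the managed identity; from a workstation the TCP connect simply times out. The following added example (not from the question, the answer, or the Azure CLI) reproduces that token request with the standard library so the mechanism is visible: the same `/metadata/identity/oauth2/token` path, `api-version` and `resource` parameters that appear in the error URL, the mandatory `Metadata: true` header, and the "unreachable" outcome you get anywhere other than the resource itself. A small constructed mock IMDS server on loopback stands in for the real endpoint so the code runs offline; its port, the token value it returns, and the `demo()` helper are assumptions of this example.

```python
"""Added example: how `az login --identity` obtains a token from IMDS, and why
that only works from inside the Azure resource that owns the identity.
A constructed mock IMDS server on loopback replaces the real link-local
endpoint so the example runs offline.
"""
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
REAL_IMDS_HOST = "169.254.169.254"  # link-local: unreachable from outside the resource


def build_token_url(host, resource, client_id=None, port=80):
    """Build the token URL the CLI used in the question's error message.
    client_id is only sent for a user-assigned identity."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return f"http://{host}:{port}{IMDS_TOKEN_PATH}?{urllib.parse.urlencode(params)}"


def request_imds_token(host, resource, client_id=None, port=80, timeout=2.0):
    """Request a managed-identity token from IMDS.

    Returns ("ok", token_dict) on success, ("rejected", msg) if IMDS answers
    with an HTTP error, or ("unreachable", msg) when the endpoint cannot be
    reached, which is what happens on any machine that is not the Azure
    resource the identity belongs to (the WinError 10060 in the question).
    """
    req = urllib.request.Request(
        build_token_url(host, resource, client_id, port),
        # IMDS requires this header so a plain SSRF redirect cannot fetch tokens.
        headers={"Metadata": "true"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return "ok", json.loads(resp.read())
    except urllib.error.HTTPError as exc:
        return "rejected", f"IMDS returned HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return "unreachable", f"cannot reach IMDS at {host}:{port}: {exc}"


class _MockIMDS(BaseHTTPRequestHandler):
    """Constructed stand-in for IMDS: answers only on the token path and only
    when the Metadata header is present, mirroring the real service."""

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        if parsed.path != IMDS_TOKEN_PATH or self.headers.get("Metadata") != "true":
            self.send_error(400, "Bad Request")
            return
        query = urllib.parse.parse_qs(parsed.query)
        body = json.dumps({
            "access_token": "constructed-token",  # constructed value, not a real token
            "resource": query["resource"][0],
            "token_type": "Bearer",
        }).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_mock_imds():
    """Start the mock on a random loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Token request from 'inside' the resource (mock reachable) and from
    'outside' (endpoint gone), returning both outcomes."""
    resource = "https://management.core.windows.net/"
    server, port = start_mock_imds()
    try:
        inside = request_imds_token("127.0.0.1", resource, port=port)
    finally:
        server.shutdown()
        server.server_close()
    # Stand-in for the unroutable link-local address: the now-closed port
    # fails immediately instead of timing out like the real 169.254.169.254.
    outside = request_imds_token("127.0.0.1", resource, port=port, timeout=1.0)
    return inside, outside


if __name__ == "__main__":
    for label, outcome in zip(("inside resource", "outside resource"), demo()):
        print(f"{label}: {outcome}")
```

The takeaway matches the answer: there is no credential to copy out of the portal, because the identity is proven by being able to reach that endpoint from the resource itself. Automation that runs elsewhere needs a service principal (or a user-assigned identity attached to the compute it actually runs on).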
