Test read rights for user-assigned managed identity on a Linux VM in Azure Gov

I recently came across an issue where a user-assigned managed identity on a VM could not read the properties of the resource group that contained the VM it was assigned to. Because our deployment relied on those permissions, it failed until they were added.

Normally you could check this quickly in the portal. In this case, however, the user running the deployment had no portal access and had to rely on someone else to add or remove the permissions, so they either had to run the deployment and wait for it to fail or succeed, or ping someone with portal access to go check the role assignments.

In trying to find a way for a user without portal access to verify the permissions, I came across this article, but it was geared towards system-assigned managed identities and required giving your virtual machines read rights on the resource group. Additionally, the article only describes how to test the identity in Azure Commercial, which didn’t help me because my customer was in Azure Government.

Using this article as a general guide, I pieced together the following steps:

  1. Open a terminal session on the Linux VM that has the user-assigned managed identity assigned.
  2. Request a token for the Azure Government Resource Manager endpoint from the instance metadata service (IMDS) with the following curl command. The only difference from the Azure Commercial version is the resource, which in Commercial would be https://management.azure.com/.

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.usgovcloudapi.net/' -H Metadata:true

If the VM carries more than one managed identity (for example a system-assigned identity as well as the user-assigned one), add &client_id=CLIENTID (the client ID of the user-assigned identity) to the query string so the token is issued for the identity you actually want to test rather than whichever identity IMDS defaults to.

You should see output similar to the following:

``{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyIsImtpZCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyJ9.….MDBjxDLSOLlZs3bbFVH9NjR2_qY4vqbFynXaqsxNcfsBLv8XXXFZPSqBBNk7Ig8hQoNAjOWjT9W0FYw_KzLzWpUs4O1fSsuuqvEzIfml1H2hDn4-I-6bHxC3Il_9wt6njaH4vj31lWXOtNhynOaNl9jPuz4jAOJtbVlMR7ryCa9gZz3f_RCr3ShhkSpXmRU2RP-9c4KbLxSxr3ZYDyuHZ6u66PnDrX5-CyoMUKem3FBSsC29DZURaAMbjYr62gT9HJc7tYuXYvjBuG12suvHslLg1yWfFPxS5Td0pxSZMnc8JdonveOI5MmcW6FySi-5v7JNwH8yf7adr-eHYq0AcQ",
  "client_id": "b4d80039-5b58-43f0-afe7-4e29427095bd",
  "expires_in": "28800",
  "expires_on": "1571354038",
  "ext_expires_in": "28800",
  "not_before": "1571324938",
  "resource": "https://management.usgovcloudapi.net/",
  "token_type": "Bearer"
}``
The access_token is a bearer credential: anyone holding it can act as the managed identity until it expires (expires_in is in seconds, so eight hours here). Treat it as a secret and don’t paste it into tickets or chat.

  3. From the output, copy the access_token value (without the surrounding quotes), which leaves us with this:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyIsImtpZCI6Ik02cFg3UkhvcmFMc3ByZkplUkNqU3h1VVJoYyJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQudXNnb3ZjbG91ZGFwaS5uZXQvIiwiaXNzIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOGEwOWYyZDctODQxNS00Mjk2LTkyYjItODBiYjQ2NjZjNWZjLyIsImlhdCI6MTU3MTMyNDkzOCwibmJmIjoxNTcxMzI0OTM4LCJleHAiOjE1NzEzNTQwMzgsImFpbyI6IlkyRmdZUENWemJuT3UzeWljWU9vR3Evbnd5ZGlBQT09IiwiYXBwaWQiOiJiNGQ4MDAzOS01YjU4LTQzZjAtYWZlNy00ZTI5NDI3MDk1YmQiLCJhcHBpZGFjciI6IjIiLCJpZHAiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84YTA5ZjJkNy04NDE1LTQyOTYtOTJiMi04MGJiNDY2NmM1ZmMvIiwib2lkIjoiNjIxMGZkOGMtNTYwZS00OTllLTlmYTItMWFlYjZiZmUyZjY0Iiwic3ViIjoiNjIxMGZkOGMtNTYwZS00OTllLTlmYTItMWFlYjZiZmUyZjY0IiwidGlkIjoiOGEwOWYyZDctODQxNS00Mjk2LTkyYjItODBiYjQ2NjZjNWZjIiwidXRpIjoibjZBX2RSUEIzRUt1a1lWYU1ISUVBQSIsInZlciI6IjEuMCIsInhtc19taXJpZCI6Ii9zdWJzY3JpcHRpb25zL2Q4YWJiNWZkLTlkMDAtNDhmZC04NjJhLTBmNzc4MzA2Y2NlNy9yZXNvdXJjZWdyb3Vwcy9BTlNJQkxFLVJHL3Byb3ZpZGVycy9NaWNyb3NvZnQuTWFuYWdlZElkZW50aXR5L3VzZXJBc3NpZ25lZElkZW50aXRpZXMvQW5zaWJsZS1NYW5hZ2VkSWQifQ.MDBjxDLSOLlZs3bbFVH9NjR2_qY4vqbFynXaqsxNcfsBLv8XXXFZPSqBBNk7Ig8hQoNAjOWjT9W0FYw_KzLzWpUs4O1fSsuuqvEzIfml1H2hDn4-I-6bHxC3Il_9wt6njaH4vj31lWXOtNhynOaNl9jPuz4jAOJtbVlMR7ryCa9gZz3f_RCr3ShhkSpXmRU2RP-9c4KbLxSxr3ZYDyuHZ6u66PnDrX5-CyoMUKem3FBSsC29DZURaAMbjYr62gT9HJc7tYuXYvjBuG12suvHslLg1yWfFPxS5Td0pxSZMnc8JdonveOI5MmcW6FySi-5v7JNwH8yf7adr-eHYq0AcQ

  4. Now call Azure Resource Manager with that token, replacing SUBSCRIPTIONID, RESOURCEGROUP, and ACCESSTOKEN with the values for your environment:

curl 'https://management.usgovcloudapi.net/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP?api-version=2016-09-01' -H "Authorization: Bearer ACCESSTOKEN"

In the above command, the RESOURCEGROUP parameter should be the name of the resource group that you’re testing read access on.

If the identity has read access, you should see output like the following:

{"id":"/subscriptions/SUBID/resourceGroups/RG","name":"RG","location":"usgovvirginia","tags":{},"properties":{"provisioningState":"Succeeded"}}

If you see the error below, the managed identity does not have read access at that scope (or, as the message itself hints, a role assignment was granted so recently that it has not taken effect yet; wait a few minutes and repeat steps 2 through 4 with a fresh token):

{"error":{"code":"AuthorizationFailed","message":"The client '6210fd8c-560e-499e-9fa2-1aeb6bfe2f64' with object id '6210fd8c-560e-499e-9fa2-1aeb6bfe2f64' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '/subscriptions/SUBID/resourceGroups/RG' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
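The four steps above as one script, added here as an example rather than taken from the original post. It builds the IMDS request (with the optional client_id for VMs carrying more than one identity), decodes the token payload locally to confirm the audience is the Gov Resource Manager endpoint before sending the token anywhere, and maps the Resource Manager response to a one-word verdict: 200 means the read succeeded, 403 with AuthorizationFailed means the identity is denied at that scope, 401 means the token itself was rejected, 404 means the subscription or resource group name is wrong. The hostnames and API versions are the ones used above; the function names and the constructed sample denial body are my own, and the script assumes curl, sed and GNU base64 are present on the VM.

```shell
#!/bin/sh
# Added example (not from the original post): the manual token-and-GET check
# above as one script. IMDS is only reachable from inside the VM, so run it
# there. Assumes curl, sed and GNU coreutils base64.

IMDS_TOKEN="http://169.254.169.254/metadata/identity/oauth2/token"
ARM_GOV="https://management.usgovcloudapi.net"

# Constructed sample with the shape of the AuthorizationFailed error shown above;
# used only for the offline demo in the no-argument branch.
SAMPLE_DENIED_BODY='{"error":{"code":"AuthorizationFailed","message":"constructed sample: no Microsoft.Resources/subscriptions/resourceGroups/read at this scope"}}'

# Build the IMDS token URL for a resource. Pass the user-assigned identity's
# client_id as the second argument when the VM has more than one identity, so
# the token is issued for the identity under test.
imds_token_url() {
  resource="$1"; client_id="${2:-}"
  url="${IMDS_TOKEN}?api-version=2018-02-01&resource=${resource}/"
  if [ -n "$client_id" ]; then
    url="${url}&client_id=${client_id}"
  fi
  printf '%s' "$url"
}

# Pull access_token out of the IMDS JSON (compact or pretty-printed).
parse_access_token() {
  printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Decode the JWT payload (base64url, no padding) so aud and xms_mirid can be
# inspected locally before the token leaves the machine.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#p} % 4 )) -ne 0 ]; do p="${p}="; done
  printf '%s' "$p" | base64 -d 2>/dev/null
}

# Map an ARM HTTP status and body to a one-word verdict.
classify_arm_response() {
  status="$1"; body="$2"
  case "$status" in
    200) echo OK ;;          # GET on the resource group succeeded
    401) echo BAD_TOKEN ;;   # expired token or wrong audience (e.g. a Commercial token)
    403) if printf '%s' "$body" | grep -q '"AuthorizationFailed"'; then
           echo DENIED       # no .../resourceGroups/read at this scope
         else
           echo FORBIDDEN
         fi ;;
    404) echo NOT_FOUND ;;   # wrong subscription ID or resource group name
    *)   echo "HTTP_${status}" ;;
  esac
}

# End to end: token from IMDS, audience check, GET on the resource group, verdict.
check_rg_read() {
  sub="$1"; rg="$2"; client_id="${3:-}"
  token_json=$(curl -sf -H Metadata:true "$(imds_token_url "$ARM_GOV" "$client_id")") || return 2
  token=$(parse_access_token "$token_json")
  if [ -z "$token" ]; then echo "no access_token in IMDS response" >&2; return 2; fi
  if ! jwt_payload "$token" | grep -q "\"aud\":\"${ARM_GOV}/\""; then
    echo "token audience is not ${ARM_GOV}/, refusing to send it" >&2; return 2
  fi
  resp=$(curl -s -w '\n%{http_code}' -H "Authorization: Bearer ${token}" \
    "${ARM_GOV}/subscriptions/${sub}/resourceGroups/${rg}?api-version=2016-09-01")
  status=$(printf '%s' "$resp" | tail -n 1)
  body=$(printf '%s' "$resp" | sed '$d')
  verdict=$(classify_arm_response "$status" "$body")
  echo "$verdict"
  [ "$verdict" = OK ]
}

if [ "$#" -ge 2 ]; then
  check_rg_read "$@"   # usage: sh check_rg_read.sh SUBSCRIPTIONID RESOURCEGROUP [CLIENTID]
else
  echo "usage: $0 SUBSCRIPTIONID RESOURCEGROUP [CLIENTID]" >&2
  echo "offline demo on the constructed denial body: $(classify_arm_response 403 "$SAMPLE_DENIED_BODY")"
fi
```

Run it on the VM as `sh check_rg_read.sh SUBSCRIPTIONID RESOURCEGROUP`, adding the identity's client ID as a third argument if the VM has more than one identity. The exit status is 0 only when the verdict is OK, so the same script can gate a deployment step instead of letting it fail later. The audience check matters in Gov specifically: a token minted for https://management.azure.com/ is rejected with a 401 by the Gov endpoint, which looks like a permissions problem until you decode the payload.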
