ARM MSI Apis
A resource can be assigned an identity (Managed Service Identity or MSI) along the same line as an AAD application can be assigned a service principal. This identity can be given RBAC to other resources in the same AAD tenant. The resource can then acquire a bearer token and use it to access other RBAC resources.
For Azure WebApps, a resource is a webapp. The MSI can be provisioned for a webapp as follow.
ARMClient.exe put "/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.Web/sites/{site}?api-version=2015-02-01" @payload.json
Example payload.json below
{
"location": "{location}",
"properties": { },
"identity": {
"Type": "SystemAssigned"
}
}Once done, two additional environment variables (MSI_ENDPOINT and MSI_SECRET) will be available to the webapp. Do use https://{scm_uri}/Env.cshtml to verify. These variables will be used for the webapp to get an MSI token.
It is a typical HTTP GET call to MSI_ENDPOINT. MSI_ENDPOINT will be local endpoint with port acl-ed, meaning the call can only be made from within a relevant webapp. A sample code can be found here. Simply compile, copy the resulting GetMSIToken.exe to Kudu Console of a relevant webapp and run it. This console app will output the jwt token and its metadata.
In order to use the jwt token to access other resources, we need to give RBAC permission to those resources. Simply navigate to RBAC or Access Control (IAM) blade of any resources and click Add. Select the Role and type the name of MSI which is in form of RN_{sitename} and Save.
You can use ARMClient to verify whether MSI token has access to the RBAC resource. First set ARMCLIENT_TOKEN env with the jwt token from GET MSI Token section. Then simply use ARMClient to call the ARM resource.