Azure-docs: az login --identity : No access was configured for the VM, hence no subscriptions were found

Created on 7 Aug 2019  ·  6 Comments  ·  Source: MicrosoftDocs/azure-docs

I spun up a new Windows VM from the az cli using a template. The template assigned a User Assigned Managed Identity to the VM. The UI confirms that it is indeed assigned. But when I try to login via the console on the VM, I get the following error:

az login --identity
No access was configured for the VM, hence no subscriptions were found

I have also tried passing in the user directly. The said identity has assigned permissions to our key vault and I have confirmed this as well.



All 6 comments

@AlexisJackson Hi, could you please share the document you are referring to so that we can address it quickly? Thank you.

@YutongTie-MSFT I was trying to use the assigned user identity to the VM following numerous examples. One being:
https://github.com/MicrosoftDocs/azure-docs/blob/dbce872763a7bd05f6ba605b0dc406cda0afa8ec/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md#azure-cli

Another reference being another person's issue in this repo: https://github.com/MicrosoftDocs/azure-docs/issues/25019

As another example, I've also referenced the docs here: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login

I found the issue - the UMI has to have reader access to itself in order to be able to do az login --identity from the CLI on the VM it is assigned to.

@AlexisJackson - I'm facing a similar issue. Can you let me know how exactly you solved that? How did you provide reader access to the UMI itself?

@chintanrp You have to go into the UMI resource, select "Access control" and add a Role assignment that grants Read access to the UMI in question. So as an example:

UMI = test-user-managed-identity
Role assignment on the above UMI would be to grant Read access to the same UMI, test-user-managed-identity.

Hope this helps!
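
The portal steps from the comment above, written as an Azure CLI script (an added example, not part of the original thread): it assigns the built-in Reader role to the UMI's own principal, scoped only to the UMI resource. The subscription ID, resource group and function names are placeholders or assumptions, and the script must be run by a principal that is allowed to create role assignments, not from the VM.

```shell
#!/usr/bin/env bash
# Added example: give a user-assigned managed identity (UMI) Reader access
# to itself, so that `az login --identity` on the VM finds a scope it can read.

# Build the ARM resource ID of the UMI. This ID is the role-assignment scope,
# which keeps the grant limited to the identity resource itself.
umi_scope() {  # args: subscription-id resource-group identity-name
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' \
    "$1" "$2" "$3"
}

# Assign Reader on the UMI to the UMI's own service principal, then print the
# role names now held by that principal at that scope.
grant_self_reader() {  # args: subscription-id resource-group identity-name
  local scope principal
  scope=$(umi_scope "$1" "$2" "$3")

  # principalId is the object ID of the identity's service principal.
  principal=$(az identity show --subscription "$1" -g "$2" -n "$3" \
                --query principalId -o tsv) || return 1
  [ -n "$principal" ] || { echo "identity not found: $scope" >&2; return 1; }

  az role assignment create \
     --assignee-object-id "$principal" \
     --assignee-principal-type ServicePrincipal \
     --role Reader \
     --scope "$scope" >/dev/null || return 1

  # Verification step: list what the identity holds at its own scope.
  az role assignment list --assignee "$principal" --scope "$scope" \
     --query '[].roleDefinitionName' -o tsv
}

# Run only when called with the three arguments, for example:
#   ./grant-self-reader.sh <subscription-id> <resource-group> test-user-managed-identity
if [ "$#" -eq 3 ]; then
  grant_self_reader "$@"
fi
```

Once the script prints `Reader`, retry `az login --identity` on the VM; a new role assignment can take a short time to propagate.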
