Managed identities concept in Azure - Mini Project: Build & Apply

Using Managed Identities to Access Azure Storage
📖 Scenario: You are setting up an Azure virtual machine (VM) that needs to securely access an Azure Storage account without using passwords or keys. Managed identities allow the VM to authenticate to Azure services safely.
🎯 Goal: Build an Azure resource configuration that creates a VM with a system-assigned managed identity and grants it read access to a storage account.
📋 What You'll Learn
Create an Azure Storage account resource named storage_account.
Create an Azure Virtual Machine resource named vm with a system-assigned managed identity.
Create a role assignment that grants the VM's managed identity the Storage Blob Data Reader role on the storage account.
💡 Why This Matters
🌍 Real World
Managed identities help secure Azure resources by avoiding manual credential management. This project shows how to set up a VM that can access storage securely.
💼 Career
Understanding managed identities is essential for cloud engineers and architects to build secure and maintainable Azure infrastructure.
1. Create the Azure Storage Account resource
Create an Azure Storage account resource named storage_account with the SKU Standard_LRS and kind StorageV2.
Hint: Use resource "azurerm_storage_account" "storage_account" { ... } with the specified properties.

2. Create the Azure Virtual Machine with system-assigned managed identity
Add an Azure Virtual Machine resource named vm with a system-assigned managed identity enabled by setting identity { type = "SystemAssigned" }.
Hint: Use identity { type = "SystemAssigned" } inside the VM resource block.

3. Create the role assignment for the VM's managed identity
Create an azurerm_role_assignment resource named vm_storage_role that assigns the Storage Blob Data Reader role to the VM's managed identity on the storage account. Use principal_id = azurerm_linux_virtual_machine.vm.identity.principal_id and scope = azurerm_storage_account.storage_account.id.
Hint: Use azurerm_role_assignment with principal_id from the VM's managed identity and scope set to the storage account's ID.

4. Complete the configuration with resource group and network interface references
Add the resource_group_name variable set to "example-resources" and define a network interface resource named example-nic with the same resource group and location. Reference this network interface ID in the VM's network_interface_ids property.
Hint: Define a resource group variable and create a network interface resource. Reference the NIC ID in the VM's network_interface_ids.
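The four steps above assembled into one working Terraform configuration, as an added example that is not part of the original project text. Two things the steps leave open are assumed here: the NIC needs an existing subnet, passed in as a subnet_id variable, and the location defaults to eastus. Note that the azurerm provider exposes the VM's identity block as a list, so the role assignment must reference identity[0].principal_id rather than identity.principal_id as written in step 3.

```hcl
variable "resource_group_name" { default = "example-resources" }
variable "location"            { default = "eastus" }   # assumption: the steps give no location
variable "subnet_id"           { type = string }        # assumption: ID of an existing subnet
resource "azurerm_storage_account" "storage_account" {
  name                     = "examplestorageacct01"  # placeholder; must be globally unique
  resource_group_name      = var.resource_group_name
  location                 = var.location
  account_tier             = "Standard"   # these two attributes express SKU Standard_LRS
  account_replication_type = "LRS"
  account_kind             = "StorageV2"
}
resource "azurerm_network_interface" "example-nic" {
  name                = "example-nic"
  resource_group_name = var.resource_group_name
  location            = var.location
  ip_configuration {
    name                          = "internal"
    subnet_id                     = var.subnet_id
    private_ip_address_allocation = "Dynamic"
  }
}
resource "azurerm_linux_virtual_machine" "vm" {
  name                  = "example-vm"
  resource_group_name   = var.resource_group_name
  location              = var.location
  size                  = "Standard_B1s"
  admin_username        = "azureuser"
  network_interface_ids = [azurerm_network_interface.example-nic.id]
  admin_ssh_key {
    username   = "azureuser"
    public_key = file("~/.ssh/id_rsa.pub")   # assumption: operator's existing public key
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Standard_LRS"
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts"
    version   = "latest"
  }
  # Azure creates, stores and rotates this identity's credential; none is written in this file.
  identity { type = "SystemAssigned" }
}

resource "azurerm_role_assignment" "vm_storage_role" {
  scope                = azurerm_storage_account.storage_account.id  # least privilege: this account only
  role_definition_name = "Storage Blob Data Reader"                   # read-only data-plane role
  principal_id         = azurerm_linux_virtual_machine.vm.identity[0].principal_id
}
```

After terraform apply, a process on the VM obtains a token from the instance metadata endpoint and reads blobs without any key in code or config; to confirm the grant is as narrow as intended, check the assignment's scope and role in the Azure portal or with az role assignment list.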