
How to elevate the permissions of remote commands run on an Azure VM

What's the best practices way of permissions elevation or run-as for when running remote commands on an Azure VM?

My commands are invoked via an Azure DevOps task with a Bicep/ARM template using "runCommands".

ref: https://docs.microsoft.com/en-us/azure/templates/microsoft.compute/virtualmachines/runcommands?tabs=bicep

I have also tried PowerShell: Invoke-AzVMRunCommand

ref: https://docs.microsoft.com/en-us/powershell/module/az.compute/invoke-azvmruncommand?view=azps-8.0.0

Both result in the remote commands running as the computer account, on the remote VM.

I need to run commands as a user that is a member of a specific AD group.

What is the best practice way to elevate this to run as a specific user?

Ideally I want to avoid passing credentials through to the VM.

I'm currently experimenting with using the Windows Task Scheduler (having a preconfigured task that runs a PowerShell script as the target user, and remotely triggering this task to run), but it doesn't feel right.

The best practice to execute a PowerShell script without exposing the credentials on a remote Azure VM is by creating a managed identity for that VM and assigning it only the permissions required to access other Azure resources or perform specific tasks. Also, please note that if a managed identity is granted to an Azure Virtual Machine, a local administrator may be able to inherit the permissions granted to this identity and gain access to Azure resources or execute a PowerShell script using that identity by acquiring a token through that managed identity.

To create a user-assigned managed identity and acquire a token using it, kindly follow the document link given below:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm

Once the token is obtained using the 'Invoke-WebRequest' command as stated above, you can use it to sign in to the Azure VM and execute the script through PowerShell. For using managed identities on an Azure VM for sign-in, kindly refer to the documentation link below for details:

https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory/managed-identities-azure-resources/how-to-use-vm-sign-in.md

Do keep the points below in mind while configuring the RBAC access and related permissions for managed identities:

a) Remote access to the Azure VM for local admins should be limited as much as possible.

b) Permissions granted to managed identities for the VM should be as restrictive as possible (for example, avoid "Storage Account Contributor" and use "Storage Blob Data Contributor" to avoid accessing storage account keys).

c) Ensure logging is enabled in this scenario to detect as early as possible any suspicious activities related to misuse of these credentials.
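As an added example (not part of the question or the answer above), the following is the kind of script that could be delivered to the VM through runCommands or Invoke-AzVMRunCommand: instead of receiving a password, it obtains a short-lived token for the VM's user-assigned managed identity from the Instance Metadata Service (IMDS) and uses that token for a data-plane blob read, which needs only "Storage Blob Data Reader" on the container and no storage-account keys. The identity client ID, storage account, container and blob names are placeholders chosen for illustration; the IMDS endpoint, the api-version and the Metadata header are the documented ones.

```powershell
# Added example, not from the answer above. Assumes the VM has a user-assigned managed
# identity whose client ID is passed in, with "Storage Blob Data Reader" on the container.
# All names below are placeholders, not values from the original post.
param(
    [string]$ClientId       = "00000000-0000-0000-0000-000000000000",  # placeholder client ID
    [string]$StorageAccount = "examplestorageacct",                     # placeholder account
    [string]$Container      = "scripts",                                # placeholder container
    [string]$Blob           = "deploy.ps1"                              # placeholder blob
)

$ErrorActionPreference = 'Stop'

# IMDS is reachable only from inside the VM (link-local address). The mandatory
# "Metadata: true" header is what stops a forwarded or proxied request from being
# accepted. client_id selects the user-assigned identity when the VM has several.
$Resource = 'https://storage.azure.com/'
$TokenUri = 'http://169.254.169.254/metadata/identity/oauth2/token' +
            '?api-version=2018-02-01' +
            "&resource=$([uri]::EscapeDataString($Resource))" +
            "&client_id=$ClientId"

$TokenResponse = Invoke-WebRequest -Uri $TokenUri -Headers @{ Metadata = 'true' } -UseBasicParsing
$AccessToken   = ($TokenResponse.Content | ConvertFrom-Json).access_token

# Data-plane call with the bearer token. Because this is a blob-data role and not
# "Storage Account Contributor", the identity can never list the account keys (point b).
$BlobUri = "https://$StorageAccount.blob.core.windows.net/$Container/$Blob"
$Headers = @{
    Authorization  = "Bearer $AccessToken"
    'x-ms-version' = '2020-10-02'   # bearer auth requires a service version >= 2017-11-09
}
$ScriptPath = Join-Path $env:TEMP $Blob
Invoke-WebRequest -Uri $BlobUri -Headers $Headers -OutFile $ScriptPath -UseBasicParsing

# The token lives only in memory and expires on its own; record what was fetched so the
# Run Command output (and the storage account's diagnostic logs) show the access (point c).
Write-Output "Fetched $BlobUri as managed identity $ClientId to $ScriptPath"
```

Save this as a file and hand it to Invoke-AzVMRunCommand with -CommandId 'RunPowerShellScript' -ScriptPath, or embed it in the runCommands resource's script; either way the script still runs under the VM's local system context, and the Azure-side authorization comes entirely from the role assignments on the managed identity, so nothing that can be reused elsewhere is ever passed through the pipeline.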
