The PS-azmi PowerShell module simplifies operations against Azure cloud resources, like storage accounts and key vaults. Authentication is done via a Managed Identity assigned to the host virtual machine, completely transparently for the logged-in user or a running script. Your code can be absolutely free of any secrets; you do not even need to store user names!
The biggest difference between these and other Azure commands is that these do not require additional commands for Azure authentication, like `Login-AzAccount` or similar.
Read more about Azure Managed Identities at MS Docs web site.
This PowerShell module is written in C# and compiled with .NET 5.0. It is targeting PowerShell version 7.
PS-azmi is pronounced "AH - z - m - ee" and it stands for AZure Managed Identity.
In order to use commands from this module you need to set up your environment. This is where all the magic (transparent authorization and authentication) actually happens. You need a VM and a target resource that you want to access, like a Storage Account or Key Vault.
If you need more info, take a look at the environment setup page. Briefly, you can assign access in two ways:
- System Assigned Managed Identity - On target resource, just assign access to your VM. More info here.
- Using User Assigned Managed Identity - Create new managed identity and assign it to your VM. On target resource grant appropriate access rights to the identity. If you want to assign the same access to multiple VMs, this is the preferred method.
Then, inside your Azure VM, install this module:

```powershell
Install-Module azmi -Scope CurrentUser -Repository PSGallery
# or
git clone https://github.com/iricigor/PS-azmi
Import-Module PS-azmi/azmi.psd1
```
And that is all! Now you can use commands from the module, and authentication will be done transparently:

```powershell
# $StorageAccount must be set beforehand
Get-AzmiToken -JWTFormat
Get-AzmiBlobList "$StorageAccount/azmi-ls"
Get-AzmiBlobContent "$StorageAccount/azmi/azmi.txt"
```

For more examples, see the use cases page.
The following commandlets are implemented or planned:
- Common
  - `Get-AzmiToken` - Obtains Azure authentication token for use in commands outside of this module
- Blob
  - `Get-AzmiBlobList` - List all blobs from container
  - `Get-AzmiBlobContent` - Downloads one or more storage blobs to a local file
  - `Set-AzmiBlobContent` - Uploads a local file or directory to an Azure Storage blob or container
- Key Vault
  - `Get-AzmiSecret` - Gets the secrets from Azure Key Vault
  - `Set-AzmiSecret` - Creates or updates a secret in an Azure Key Vault
  - `Get-AzmiCertificate` - Gets the certificate from Azure Key Vault
  - `Set-AzmiCertificate` - Creates or updates a certificate in an Azure Key Vault
All commands support the argument `-Identity` (managed identity client ID), which can be skipped if the VM has exactly one managed identity.
All commands also support the argument `-Verbose`, which will produce additional output about commandlet execution to the verbose output stream.
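Before a token is used outside the module, its claims can be decoded to confirm which identity and which service it was issued for, which matters when a VM has more than one managed identity and `-Identity` selects one. This is an added example, not part of the PS-azmi project: the function names are hypothetical, the sample token is constructed, and the `aud`, `appid` and `exp` claim names assume an Azure AD v1 access token.

```powershell
# Added example: inspect an access token's claims before handing it to another tool.
# Decoding is NOT signature verification; the target Azure service does that.

function ConvertTo-Base64Url([string]$Text) {
    # Helper used only to build the constructed sample token below
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT: expected three dot-separated parts.' }
    # base64url -> base64, restoring the padding that JWT encoding strips
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

function Test-TokenClaims {
    param(
        [Parameter(Mandatory)]$Claims,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [Parameter(Mandatory)][string]$ExpectedClientId
    )
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    [pscustomobject]@{
        AudienceOk = $Claims.aud -eq $ExpectedAudience      # token is for the intended service
        IdentityOk = $Claims.appid -eq $ExpectedClientId    # token belongs to the intended identity
        NotExpired = [long]$Claims.exp -gt $now
    }
}

# Constructed sample token (placeholder client ID, dummy signature).
$clientId = '00000000-0000-0000-0000-000000000001'
$payload  = @{
    aud   = 'https://vault.azure.net'
    appid = $clientId
    exp   = [DateTimeOffset]::UtcNow.AddMinutes(30).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$token = (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'constructed' -join '.'

$claims = ConvertFrom-JwtPayload $token
Test-TokenClaims -Claims $claims -ExpectedAudience 'https://vault.azure.net' -ExpectedClientId $clientId
```

On a VM, the constructed `$token` would be replaced by the raw token obtained with `Get-AzmiToken`, assuming the cmdlet returns the compact token string when `-JWTFormat` is not given.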
For more information on a specific command, check its respective web page:
- Module overview
- Get-AzmiToken
- Get-AzmiBlobList
- Get-AzmiBlobContent
- Set-AzmiBlobContent
- Get-AzmiSecret
- Get-AzmiCertificate
The PS-azmi project homepage is on GitHub - https://github.com/iricigor/PS-azmi
The project is based on the azmi Linux CLI project - https://github.com/SRE-PRG/azmitool
You can also find it on PS Gallery - https://www.powershellgallery.com/packages/azmi
Related documentation links:
- How to write a PowerShell cmdlet at MS Docs web site
- Azure Managed Identities at MS Docs web site
- Pester - testing framework documentation at netlify.app
- PlatyPS - external Help and Markdown authoring at GitHub
Testing this module presents a challenge, because traditional pipelines do not support managed identity. Therefore, it is required to have a private pipeline agent on a dedicated ADO pool for module integration testing.
Test | Status | Results |
---|---|---|
Integration tests | ||
Unit tests | ||
- The module currently does not run on Windows PowerShell, see issue #30