How to use Managed Identity to authenticate calls to Azure REST API using Azure SDK

Question

I've got a .NET 6 web API that is deployed as a web app in Azure. This API has a service that calls the Azure REST API to get a list of resources in our Azure. I'm using the Azure SDK with the following line to create the client:

var client = new ArmClient(new DefaultAzureCredential());

This is working fine in my local development environment (using my active directory account with high access levels), but when I deploy to Azure and a User Assigned Managed Identity is used, the only resource that is returned is the managed identity itself.

How do I configure the Managed Identity to be able to see all Azure resources?

Thanks.

I've tried giving the Managed Identity Reader permissions on the subscription level.

Answer 1

Under the hood, DefaultAzureCredential will attempt to use ManagedIdentityCredential when running in Azure. ManagedIdentityCredential will use a system-assigned managed identity by default. You can configure the credential type to use the user-assigned managed identity as follows:

var client = new ArmClient(new DefaultAzureCredential(
    new DefaultAzureCredentialOptions
    {
        ManagedIdentityClientId = userAssignedClientId
    }));