AzCopy with Azure Arc and Managed Identity

How to use AzCopy with Azure Arc to access Azure resources with Managed Identity authentication

AzCopy is a command-line tool that allows you to copy files to and from Azure storage accounts. It supports different authentication methods, such as device code, service principal, or managed identity. In this blog post, we will explore how to use AzCopy with Azure Arc, a service that extends Azure management and services to any infrastructure. By using Azure Arc, you can enable a managed identity on a machine that is not in Azure, such as a desktop or a server on-premises. This way, you can use AzCopy to access Azure resources without storing any credentials on the machine, or inside of scripts in plain text.

What is Azure Arc?

Azure Arc is a service that allows you to manage and govern your hybrid cloud environment from a single place. You can use Azure Arc to deploy Azure services and policies to any infrastructure, such as on-premises, edge, or multi-cloud. Azure Arc also enables you to assign a managed identity to any machine that is connected to Azure, regardless of its location. A managed identity is a type of identity that is managed by Azure and does not require you to create or manage any credentials. You can use a managed identity to authenticate to Azure services and resources that support Azure Active Directory (AAD).

What is AzCopy?

AzCopy is a command-line tool that allows you to copy files to and from Azure storage accounts, such as blob storage, file storage, or table storage. You can use AzCopy to perform various operations, such as uploading, downloading, synchronizing, or deleting files. AzCopy supports different authentication methods, depending on the type of storage account and the source and destination of the files. For example, you can use a device code, a service principal, or a managed identity to authenticate to Azure storage accounts that support AAD. You can also use a shared access signature (SAS) token or an account key to authenticate to Azure storage accounts that do not support AAD.

Authorize access to blobs & files with AzCopy & Microsoft Entra ID | Microsoft Learn

How to use AzCopy with Azure Arc and Managed Identity?

To use AzCopy with Azure Arc and managed identity, you need to do the following steps:

  • Enable Azure Arc on the machine that you want to use AzCopy from. You can follow the instructions and prerequisites here to enable Azure Arc on Windows or Linux machines.
  • Grant the Arc enabled machine’s managed identity the appropriate permissions to access the Azure storage account that you want to use AzCopy with. When assigning the managed identity, use the section Machines – Azure Arc to choose the machine to assign a role to at the storage account level or the container level.
A screenshot of a computer

Description automatically generated
  • If you are using a PowerShell script to execute the AzCopy commands, Set the environment variable $Env:AZCOPY_AUTO_LOGIN_TYPE=”MSI” in any of the scripts where AzCopy is used. This will tell AzCopy to use the managed identity as the authentication method.

Example:

$Env:AZCOPY_AUTO_LOGIN_TYPE="MSI" 
.\azcopy list https://contoso.blob.core.windows.net
  • Use AzCopy to copy files to and from the Azure storage account. You can find the syntax and examples of AzCopy commands here.

By using AzCopy with Azure Arc and managed identity, you can benefit from the following advantages:

  • You do not need to store any credentials on the machine that you use AzCopy from, which reduces the risk of credential leakage or compromise.
  • You can centrally manage and audit the access and permissions of the managed identity from Azure, which simplifies the governance and compliance of your hybrid cloud environment.
  • You can leverage the features and capabilities of Azure Arc, such as policy enforcement, monitoring, and security, to enhance the management and security of your hybrid cloud environment.

In conclusion, AzCopy is a powerful tool that allows you to copy files to and from Azure storage accounts. By using Azure Arc, you can enable a managed identity on any machine that is connected to Azure and use it to authenticate to Azure storage accounts that support AAD. This way, you can use AzCopy with Azure Arc and managed identity to access Azure resources without storing any credentials on the machine or hardcoded secrets inside of scripts.

About the author

Jeff Pigott is a Senior Cloud Solution Architect at Microsoft, specializing in Azure Infrastructure technologies including Azure Arc, Azure Update Manager, SQL DB, security, and storage. With over 29 years of experience in IT, development, and DevOps, Jeff has worked with a wide range of platforms, tools, and languages. Jeff is passionate about staying up-to-date with the latest Microsoft technologies and services, and holds multiple Azure certifications.