Tuesday, January 5, 2021

Azure VM Custom script extension identity access to Storage Account

In the custom script extension of a VM I want to execute this command:

    #download azcopy from http://aka.ms/downloadazcopy
    c:\azcopy login --identity
    C:\azcopy copy https://mystorage.blob.core.windows.net/software C:\Temp --recursive

But for this to work, the identity of the VM needs to be added as "Storage Blob Data Contributor". In Terraform we could do it this way:

    resource "azurerm_role_assignment" "role" {
      scope                = data.azurerm_storage_account.vault.id
      role_definition_name = "Storage Blob Data Contributor"
      principal_id         = azurerm_windows_virtual_machine.vm.identity.0.principal_id
    }

But if we do not use Terraform and instead use Azure DevOps and ARM templates, how would you execute it? Because the VM is not created yet to give identity access. The custom script extension is part of the creation.

https://stackoverflow.com/questions/65580635/azure-vm-custom-script-extension-identity-access-to-storage-account January 05, 2021 at 10:18PM
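One way to express the ordering in a single ARM template, as an added example that is not part of the original question: the role assignment depends on the VM, and the custom script extension is declared as its own resource that depends on the role assignment. It assumes `vmName` and `storageAccountName` template parameters, a VM resource (not shown) with a system-assigned identity in the same template, a storage account in the same resource group, and azcopy already present at `c:\azcopy`.

```json
{
  // Added example, not from the original post. vmName and storageAccountName are
  // assumed parameters; the VM resource (not shown) is assumed to declare
  // "identity": { "type": "SystemAssigned" } in this same template.
  "variables": {
    "roleName": "[guid(resourceGroup().id, parameters('vmName'), 'blob-data-contributor')]",
    "vmId": "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
    "storageId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccountName'))]"
  },
  "resources": [
    {
      // Step 1: runs after the VM exists, so its identity's principalId can be read.
      "type": "Microsoft.Authorization/roleAssignments",
      "apiVersion": "2020-04-01-preview",
      "name": "[variables('roleName')]",
      "scope": "[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]",
      "dependsOn": [ "[variables('vmId')]" ],
      "properties": {
        // Built-in role definition ID of Storage Blob Data Contributor.
        "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'ba92f5b4-2d11-453d-a403-e96b0029c9fe')]",
        "principalId": "[reference(variables('vmId'), '2020-06-01', 'Full').identity.principalId]",
        "principalType": "ServicePrincipal"
      }
    },
    {
      // Step 2: the extension is a separate resource that waits for the role assignment.
      "type": "Microsoft.Compute/virtualMachines/extensions",
      "apiVersion": "2020-06-01",
      "name": "[concat(parameters('vmName'), '/CustomScript')]",
      "location": "[resourceGroup().location]",
      "dependsOn": [
        "[variables('vmId')]",
        "[extensionResourceId(variables('storageId'), 'Microsoft.Authorization/roleAssignments', variables('roleName'))]"
      ],
      "properties": {
        "publisher": "Microsoft.Compute",
        "type": "CustomScriptExtension",
        "typeHandlerVersion": "1.10",
        "autoUpgradeMinorVersion": true,
        "settings": {
          "commandToExecute": "c:\\azcopy login --identity && c:\\azcopy copy https://mystorage.blob.core.windows.net/software C:\\Temp --recursive"
        }
      }
    }
  ]
}
```

A new role assignment can take a few minutes to propagate, so the script may need to retry the copy. If the VM only downloads blobs, Storage Blob Data Reader is the narrower role to grant.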
