I am developing a command line tool which will work across different cloud platforms to read, start and stop (deallocate) virtual machines. I have this working in AWS with EC2 instances, using boto3, but I don't understand how to achieve the same thing in Azure yet.
In AWS, I have an IAM user whose credentials are used for authentication within the SDK and which has restricted permissions, so nothing sensitive can be started or stopped.
In Azure, I was under the impression that the same thing was possible by assigning a custom role with limited permissions to a UAMI. However, so far, I have only been able to use the Python SDK for Azure by first using `az login` and signing in with my own credentials.
Is there a way to authenticate using only credentials from the UAMI (e.g. `client_id`, `subscription_id`, `tenant_id`) and have its permissions be the only ones available to the Python script I will write?
The best suggestion I have received so far is to authenticate using `ManagedIdentityCredential()` like so:
```python
from azure.identity import ManagedIdentityCredential

client_id = "<UAMI_client_id>"  # placeholder: the client ID of the user-assigned managed identity
credential = ManagedIdentityCredential(client_id=client_id)
```
But this results in the following error, for me:
```
ImdsCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
ManagedIdentityCredential.get_token failed: ManagedIdentityCredential authentication unavailable, no response from the IMDS endpoint.
<some traceback>
azure.core.exceptions.ServiceRequestError: <urllib3.connection.HTTPConnection object at 0xffffb9a32110>: Failed to establish a new connection: [Errno 111] Connection refused
```
I assume this is because I am running my script from my local machine (in much the same way as users of my end product will) and this authentication method seems to be set up for code running within Azure's own environment.
Is there anything similar I can use to authenticate without using any user-specific credentials?
Joe McKeown is a new contributor to this site.
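The "Connection refused" in the traceback above is a TCP connect failure to the Azure Instance Metadata Service (IMDS), which only answers from inside an Azure resource. The following added example (not code from the question or from the Azure SDK) probes that endpoint before constructing the credential so the script fails early with a clear message instead of at the first `get_token()`; it assumes `azure-identity` is installed and treats the `client_id` value as a placeholder.

```python
import socket
from urllib.parse import urlparse

# Well-known link-local address of the Azure Instance Metadata Service,
# which ManagedIdentityCredential contacts to obtain a token.
IMDS_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"


def imds_reachable(endpoint: str = IMDS_ENDPOINT, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to the endpoint's host:port can be opened.

    A refused connection (Errno 111), a timeout or an unreachable network all
    mean the code is not running on an Azure resource with IMDS available.
    """
    parsed = urlparse(endpoint)
    host, port = parsed.hostname, parsed.port or 80
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def managed_identity_credential(client_id: str, endpoint: str = IMDS_ENDPOINT):
    """Build a ManagedIdentityCredential only when IMDS can be reached.

    Raises RuntimeError with an actionable explanation otherwise, so the
    operator learns immediately that a user-assigned managed identity cannot
    be used from a machine outside Azure.
    """
    if not imds_reachable(endpoint):
        raise RuntimeError(
            f"IMDS endpoint {endpoint} is not reachable from this host. "
            "A user-assigned managed identity can only authenticate code that "
            "runs on the Azure resource the identity is assigned to."
        )
    # Imported lazily so the preflight check itself needs no Azure packages.
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential(client_id=client_id)


if __name__ == "__main__":
    # "<UAMI_client_id>" is a placeholder for the identity's client ID.
    credential = managed_identity_credential("<UAMI_client_id>")
    print("IMDS reachable, credential created:", credential)
```

Running this on a laptop prints the RuntimeError message rather than the IMDS traceback; on an Azure VM with the UAMI assigned it creates the credential.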