I want to connect an on-prem VM to Azure Key Vault. I have installed the Azure Arc agent successfully and can see the VM under Arc Machines in Azure.
However, when I go to request the API token as per here, I receive the following error:
PS C:\Users\tasks> Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
Invoke-WebRequest :
Runtime Error
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could,
however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the
current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
I think the error is related to either IDENTITY_ENDPOINT or the URL.
Any suggestions on how I request a token from an Arc-connected VM?
Thanks in advance.
Shane
Here is the code from the above site:
$apiVersion = "2020-06-01"
$resource = "https://management.azure.com/"
# IDENTITY_ENDPOINT is set by the Arc agent once the server has a managed identity
$endpoint = "{0}?resource={1}&api-version={2}" -f $env:IDENTITY_ENDPOINT,$resource,$apiVersion
$secretFile = ""
try
{
    # The first request is expected to fail with 401; the challenge comes back in WWW-Authenticate
    Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'} -UseBasicParsing
}
catch
{
    $wwwAuthHeader = $_.Exception.Response.Headers["WWW-Authenticate"]
    if ($wwwAuthHeader -match "Basic realm=.+")
    {
        # Path of a challenge file that only local administrators can read
        $secretFile = ($wwwAuthHeader -split "Basic realm=")[1]
    }
}
Write-Host "Secret file path: " $secretFile`n
# Read the challenge and send it back as a Basic credential to receive the token
$secret = Get-Content -Raw $secretFile
$response = Invoke-WebRequest -Method GET -Uri $endpoint -Headers @{Metadata='True'; Authorization="Basic $secret"} -UseBasicParsing
if ($response)
{
    $token = (ConvertFrom-Json -InputObject $response.Content).access_token
    Write-Host "Access token: " $token
}
2 Answers
[Derived from comments on question]
To obtain a token for an Azure Arc-enabled server (physical or virtual) you need to enable Managed Identity on the server.
Arc-enabled servers do not display in the Virtual Machines resource category in the Portal. You will be able to see a list of servers in:
Portal -> Azure Arc -> Servers.
Once you apply the settings, after a few moments, an identity will be sent to the Arc agent running on the server and the necessary environment variables will be set accordingly. You can then use the script to obtain an access token for authorisation on other Azure resources.
@architect Jamie
Yes these are the instructions I have seen. However when I go to Azure ARC | Machines | and select the VM, I cannot see any setting regarding identity!
See Attached.
Thanks
Shane
Azure ARC Machine settings