What's the recommended way to use a user-defined Managed Identity ?

Question

What's the recommended way to use a user-defined Managed Identity ?

FLOER, Clément 0

Hi,

I'm currently using the AzureML Python SDK v1 (Switching to v2 is not an option that I consider for the moment).

I'm trying to give read and write access to an AzureML job so it can access an Azure Table storage. The compute cluster is attached to a single user-assigned identity that has all the rights it needs. There is no system-assigned identity attached to this cluster.

I am actually able to get my code working using the ManagedIdentity credential by passing its client ID as an environment variable when I submit the job. Then I can instantiate the ManagedIdentityCredential within the Azure VM, like the following:


  client_id = os.getenv("CUSTOM_MANAGED_IDENTITY_CLIENT_ID")
  credential = ManagedIdentityCredential(client_id=client_id)
  table_service_client = TableServiceClient(
            endpoint=f"https://{storage_name}.table.core.windows.net",
            credential=credential,
   )

I'd like to find a better approach that uses the ManagedIdentity and that doesn't rely on environment variables, as I find them prone to errors.

Is there a way to dynamically retrieve the client_ids of the managed identities attached to the cluster within the running job? What is the recommended approach to use the ManagedIdentity within an Azure ML job?

Thanks for your help,

Marcin Policht 67,980 MVP Volunteer Moderator

AFAIK, you should be able to retrieve the client ID of the user-assigned managed identity from within the Azure ML job using the Azure Instance Metadata Service. You can query it using the requests library and extract the client ID of your UAMI.

For example:

import requests

IMDS_URL = "<IMDS_URL>"
headers = {"Metadata": "true"}

response = requests.get(IMDS_URL, headers=headers)
response.raise_for_status()
identity_info = response.json()

uami_client_id = list(identity_info["compute"]["userAssignedIdentities"].values())[0]["clientId"]

Once you have the client ID, you can use it with ManagedIdentityCredential from azure.identity and pass it to the TableServiceClient:

from azure.identity import ManagedIdentityCredential
from azure.data.tables import TableServiceClient

credential = ManagedIdentityCredential(client_id=uami_client_id)
table_service_client = TableServiceClient(
    endpoint=f"https://{storage_name}.table.core.windows.net",
    credential=credential,
)

You can wrap this logic into a helper function for convenience:

def get_uami_credential():
    import requests
    from azure.identity import ManagedIdentityCredential
    
    IMDS_URL = "http://169.254.169.254/metadata/identity?api-version=2018-02-01"
    headers = {"Metadata": "true"}
    resp = requests.get(IMDS_URL, headers=headers)
    resp.raise_for_status()
    identity_info = resp.json()
    uami_client_id = list(identity_info["compute"]["userAssignedIdentities"].values())[0]["clientId"]
    return ManagedIdentityCredential(client_id=uami_client_id)

Then use it like this:

credential = get_uami_credential()
table_service_client = TableServiceClient(
    endpoint=f"https://{storage_name}.table.core.windows.net",
    credential=credential,
)

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Aryan Parashar 3,380 Reputation points Microsoft External Staff Moderator

2025-11-25T07:07:45.9566667+00:00

Hi FLOER, Clément,
Please let me know if you're still facing any difficulty, I’m here to support you. If the solution worked for you, please accept the answer.

Thank you for reaching out to The Microsoft Q&A Portal.

1 answer

Your answer

Aryan Parashar 3,380 Reputation points Microsoft External Staff Moderator

2025-11-25T07:07:45.9566667+00:00

Hi FLOER, Clément,
Please let me know if you're still facing any difficulty, I’m here to support you. If the solution worked for you, please accept the answer.

Thank you for reaching out to The Microsoft Q&A Portal.

Answer 1

Hi FLOER, Clément,

Yes, you can absolutely use a userAssigned ManagedIdentity without relying on environment variables. I know this can be a bit confusing at first, so I hope the example below helps make things clearer. Here’s the code to retrieve all the user-assigned identities attached to a resource group:

from azure.identity import DefaultAzureCredential
from azure.mgmt.msi import ManagedServiceIdentityClient

subscription_id = "<subscription_id>"  # Replace with your subscription ID
credential = DefaultAzureCredential()
client = ManagedServiceIdentityClient(credential,subscription_id )
resource_group = "<resource_group_name>"  # Replace with your resource group name
for identity in client.user_assigned_identities.list_by_resource_group(resource_group):
    print(identity.id)

These are the dependencies: → pip install azure-mgmt-msi azure-identity

From here, you can integrate the identities into your code by filtering them based on whatever identifier fits your requirements.

Feel free to accept this as an answer if it helps.
Thank you for reaching out to The Microsoft Q&A Portal.

Share via

What's the recommended way to use a user-defined Managed Identity ?

1 answer

Your answer