[MSP Feature] CLI support for GalleryInVMAccessControlProfile/GalleryInVMAccessControlProfileVersion
Preconditions
- [x] No need to upgrade Python SDK or the Python SDK is ready.
Related command
Below are the proposed commands that need to be created for this task.
🔐 GalleryInVmAccessControlProfile CLI Commands
Create
az sig in-vm-access-control-profile create \
--resource-group <string> \
--gallery-name <string> \
--name <string> \
--location <string> \
--os-type <string> \
--applicable-host-endpoint <string> \
[--description <string>]
Update
az sig in-vm-access-control-profile update \
--resource-group <string> \
--gallery-name <string> \
--name <string> \
[--description <string>] \
[--applicable-host-endpoint <string>]
Get
az sig in-vm-access-control-profile show \
--resource-group <string> \
--gallery-name <string> \
[--name <string>]
Delete
az sig in-vm-access-control-profile delete \
--resource-group <string> \
--gallery-name <string> \
--name <string>
🧩 GalleryInVmAccessControlProfileVersion CLI Commands
Create Local Config
az sig in-vm-access-control-profile-version config create \
--name <string> \
--mode <string> \
--default-access <string> \
--target-regions <region1> <region2> ... \
[--exclude-from-latest]
Add/Remove Privilege
az sig in-vm-access-control-profile-version config privilege add \
--name <string> \
--profile-version <local-config-name> \
--path <string> \
[--query-parameter <key=value>]
az sig in-vm-access-control-profile-version config privilege remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Role
az sig in-vm-access-control-profile-version config role add \
--name <string> \
--privileges <priv1> <priv2> ... \
--profile-version <local-config-name>
az sig in-vm-access-control-profile-version config role remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Identity
az sig in-vm-access-control-profile-version config identity add \
--name <string> \
[--user-name <string>] \
[--group-name <string>] \
[--exe-path <string>] \
[--process-name <string>]
az sig in-vm-access-control-profile-version config identity remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Role Assignment
az sig in-vm-access-control-profile-version config role-assignment add \
--role <string> \
--identities <id1> <id2> ... \
--profile-version <local-config-name>
az sig in-vm-access-control-profile-version config role-assignment remove \
--role <string> \
--profile-version <local-config-name>
Create Version
az sig in-vm-access-control-profile-version create \
--resource-group <string> \
--location <string> \
--gallery-name <string> \
--profile-name <string> \
--profile-version <local-config-name>
Update Version
az sig in-vm-access-control-profile-version update \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
--version-name <string> \
[--profile-version <local-config-name>] \
[--mode <string>] \
[--default-access <string>] \
[--target-regions <region1> <region2> ...] \
[--exclude-from-latest <true|false>]
Get Version
az sig in-vm-access-control-profile-version show \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
[--version-name <string>]
Delete Version
az sig in-vm-access-control-profile-version delete \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
--version-name <string>
Resource Provider
Microsoft.Compute
Description of Feature or Work Requested
PM doc: https://microsoft.sharepoint.com/:w:/r/teams/CPlat-PM/_layouts/15/Doc.aspx?sourcedoc=%7BDD02825F-7D23-4C67-B21C-6352733A8858%7D&file=Wire-Server%20Endpoint%20Security%20PM%20Spec.docx&action=default&mobileredirect=true&share=IQFfggLdI31nTLIcY1JzOohYAV82cMdRnCluKCTcaCyt91E
GalleryInVMAccessControlProfile is part of the MSP (Managed Service Provider) security feature, which is a critical component with visibility from Charlie Bell, Scott Guthrie, and Arun Kishan. This feature enables customers to assign roles and privileges to processes or services that communicate with the IMDS (Instance Metadata Service) and WireServer endpoints, thereby significantly enhancing the security of VM metadata access.
The IMDS and WireServer endpoints handle approximately 700,000 requests per second, making their protection crucial. While we have developed this capability for internal customers, we now need to provide a CLI-based experience for third-party (3P) customers to comply with Microsoft policy.
Minimum API Version Required
2024-03-03
Swagger PR link / SDK link
PR1: https://github.com/Azure/azure-rest-api-specs/pull/30504 PR2: https://github.com/Azure/azure-rest-api-specs/pull/31254
Swagger doc Link: https://learn.microsoft.com/en-us/dotnet/api/azure.resourcemanager.compute.models.galleryinvmaccesscontrolprofileproperties?view=azure-dotnet
Request Example
GalleryInVMAccessControlProfile: https://learn.microsoft.com/en-us/rest/api/compute/gallery-in-vm-access-control-profiles/create-or-update?view=rest-compute-2025-02-01&tabs=HTTP
GalleryInVMAccessControlProfileVersion: https://learn.microsoft.com/en-us/rest/api/compute/gallery-in-vm-access-control-profile-versions/create-or-update?view=rest-compute-2025-02-01&tabs=HTTP
Target Date
2025-07-11
PM Contact
Engineer Contact
Additional context
Python SDK list https://github.com/azure-sdk/azure-sdk-for-python/pull/9256
Thank you for opening this issue, we will look into it.
May I ask what the corresponding API path, HTTP method and resource of the following command are?
Create Local Config
az sig in-vm-access-control-profile-version config create \
--name <string> \
--mode <string> \
--default-access <string> \
--target-regions <region1> <region2> ... \
[--exclude-from-latest]
I noticed that there are additional arguments, such as --default-access, in the az sig in-vm-access-control-profile-version create command that were not mentioned above. Would these arguments be visible or accessible to customers?
I noticed that there is an array object TargetRegion mapped to the --target-regions argument. Could you please clarify which property within that array the --target-regions option corresponds to? Is it the name field?
Update Version
az sig in-vm-access-control-profile-version update \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
--version-name <string> \
[--profile-version <local-config-name>] \
[--mode <string>] \
[--default-access <string>] \
[--target-regions <region1> <region2> ...] \
[--exclude-from-latest <true|false>]
az sig in-vm-access-control-profile-version config create
--name
--mode
--default-access
--target-regions
[--exclude-from-latest]
This command does not make any HTTP request; it creates an object of GalleryInVMAccessControlProfileVersion. We wanted to first create this object and then use it as the payload (one of the parameters) for the create and update commands. We wanted to do it this way because GalleryInVMAccessControlProfileVersion is a big object and we cannot expect the customer to give a big JSON object as input every time.
I noticed that there are additional arguments, such as --default-access, in the az sig in-vm-access-control-profile-version create command that were not mentioned above. Would these arguments be visible or accessible to customers?
Answer: Default-access is a property which is frequently updated by customers; that's why we have given a direct way to update only this property via the update commands.
I noticed that there is an array object TargetRegion mapped to the --target-regions argument. Could you please clarify which property within that array the --target-regions option corresponds to? Is it the name field?
TargetRegions is a complex object, but only the name property is required from customers; that's why we are taking a string array (to make it simple). Underneath, you need to map it to the name of the target regions.
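To make that mapping concrete (an added example, not Azure CLI's or the service team's code): each proposed `config ... add` command appends to a local `rules` object, and `create` wraps it into the PUT body, with the `--target-regions` strings becoming `targetLocations[].name` as the reply above describes. The `mode`/`defaultAccess` enum values and the field names inside `rules` (privileges, roles, identities, roleAssignments) are assumed from the Compute REST schema rather than taken from this issue; the cross-reference checks are the ones such a builder would want before sending the request.

```python
from typing import Optional

# Added example, not Azure CLI code. Enum values below are assumed from the Compute REST API.
MODES = {"Audit", "Enforce", "Disabled"}
DEFAULT_ACCESS = {"Allow", "Deny"}

def empty_rules() -> dict:
    # Local object the proposed `config` command group builds before the PUT.
    return {"privileges": [], "roles": [], "identities": [], "roleAssignments": []}

def add_privilege(rules: dict, name: str, path: str, query_parameters: Optional[dict] = None) -> dict:
    # `config privilege add --name --path [--query-parameter key=value]`
    rules["privileges"].append({"name": name, "path": path, "queryParameters": query_parameters or {}})
    return rules

def add_role(rules: dict, name: str, privileges: list) -> dict:
    # `config role add --name --privileges ...`: every privilege must already exist
    missing = set(privileges) - {p["name"] for p in rules["privileges"]}
    if missing:
        raise ValueError(f"role {name!r} references unknown privileges {sorted(missing)}")
    rules["roles"].append({"name": name, "privileges": list(privileges)})
    return rules

def add_identity(rules: dict, name: str, **selectors: str) -> dict:
    # `config identity add --name [--user-name] [--group-name] [--exe-path] [--process-name]`
    allowed = {"userName", "groupName", "exePath", "processName"}
    if not selectors or set(selectors) - allowed:
        raise ValueError(f"identity {name!r}: give at least one of {sorted(allowed)}")
    rules["identities"].append({"name": name, **selectors})
    return rules

def add_role_assignment(rules: dict, role: str, identities: list) -> dict:
    # `config role-assignment add --role --identities ...`: role and identities must exist
    unknown = set(identities) - {i["name"] for i in rules["identities"]}
    if role not in {r["name"] for r in rules["roles"]} or unknown:
        raise ValueError(f"unknown role {role!r} or identities {sorted(unknown)}")
    rules["roleAssignments"].append({"role": role, "identities": list(identities)})
    return rules

def build_version_body(location: str, mode: str, default_access: str, target_regions: list,
                       exclude_from_latest: bool = False, rules: Optional[dict] = None) -> dict:
    # `in-vm-access-control-profile-version create`: --target-regions strings become targetLocations[].name
    if mode not in MODES or default_access not in DEFAULT_ACCESS or not target_regions:
        raise ValueError("invalid --mode or --default-access, or empty --target-regions")
    props = {"mode": mode, "defaultAccess": default_access, "excludeFromLatest": exclude_from_latest,
             "targetLocations": [{"name": r} for r in target_regions]}
    if rules is not None:
        props["rules"] = rules
    return {"location": location, "properties": props}
```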
Got it. One thing I'd like to add is that Azure CLI does not cache anything locally — it simply makes HTTP requests to the backend service based on the customer's input. Additionally, customers don’t need to provide a large JSON object, as Azure CLI maps their input to the appropriate backend JSON structure.
Therefore, I believe this command may not be necessary. Please let me know if you have any thoughts on this.
That was one of the proposals; you can do it your way. In the end we want a command to deploy the InVMAccessControlProfile. The command should follow best practices.
Create Version
az sig in-vm-access-control-profile-version create \
--resource-group <string> \
--location <string> \
--gallery-name <string> \
--profile-name <string> \
--profile-version <local-config-name>
Hi @Jaype-e, are there any required arguments in the request body of the "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/galleries/{galleryName}/inVMAccessControlProfiles/{inVMAccessControlProfileName}/versions/{inVMAccessControlProfileVersionName}" PUT method?
It seems that the properties cannot be empty:
This is the example payload:
Can you please see the swagger changes to find out which properties are required and which are optional?
Thanks @Jaype-e for the reply.
I encountered an issue when I was trying to retrieve information about a gallery inVMAccessControlProfile version. The error message is as follows:
but I did create an inVMAccessControlProfile version resource:
{
  "defaultAccess": "Allow",
  "excludeFromLatest": false,
  "id": "/subscriptions/6030fb9a-6ed7-4414-b379-afd558a954e6/resourceGroups/zytest/providers/Microsoft.Compute/galleries/gallery1/inVMAccessControlProfiles/zyProfile/versions/1.0.0",
  "location": "westus",
  "mode": "Audit",
  "name": "1.0.0",
  "provisioningState": "Succeeded",
  "publishedDate": "2025-06-23T00:45:34.9374563+00:00",
  "replicationStatus": {
    "aggregatedState": "Completed",
    "summary": [
      {
        "progress": 100,
        "region": "westus",
        "state": "Completed"
      }
    ]
  },
  "resourceGroup": "zytest",
  "targetLocations": [
    {
      "name": "westus"
    }
  ],
  "type": "Microsoft.Compute/galleries/inVMAccessControlProfiles"
}
Could you please help to take a look? Thanks!
There is an issue with your GET call: ARM is not able to find the correct location. Your resource is in westus but you are making the GET call from other regions; that's why ARM itself is failing the request. Please see the ARM logs here: https://armprodeus.eastus.kusto.windows.net/Traces?query=H4sIAAAAAAAEAHXNMQrCMBQA0D2QO3w66RD55jdpUqzQwaFDQTAXSJMUM%2bhQgyJ4eDfp4gEezy0%2bpAf7wOualgRuGE8X149nOEL0JZV8SxuJUgnUQhIgtjW20uyUsmhsswV%2fjyt1%2bKeUXiv%2bC%2ftQ8jOX9xCh66Ca9pIISQsTwixqmrywjSGBsw02ovaKVMUZZ1%2bZcslnuAAAAA%3d%3d&web=0
Traces | where TIMESTAMP > datetime(2025-06-23 00:40:28.5590897) and TIMESTAMP < datetime(2025-06-23 00:56:28.5590897) | where ActivityId == "b1233036-8ccf-43ba-9783-0f9c9d06a535"
After discussing with @Jaype-e: currently the rules property is not updatable, so we will not support the az sig in-vm-access-control-profile-version config command group in this release and will add it when the backend server is ready.