AZ-204 Exam - Question 265


DRAG DROP

You have an Azure Virtual Machine (VM) named VM1 running Windows Server 2022 and an Azure Key Vault instance named kv1.

You are developing a .NET application named App1 that you plan to deploy to VM1.

You have the following requirements:

• App1 will require access to kv1.

• The identity used by App1 to access kv1 must be automatically deprovisioned when VM1 is deleted.

You need to identify the procedure that will meet the requirements.

Which three actions should you include in the procedure? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Exam AZ-204 Question 265
Correct Answer:
Exam AZ-204 Question 265

Discussion

3 comments
BrownieP
Feb 3, 2025

The given answer is correct.

dac15e0
Feb 8, 2025

I think the answer is: Create a system-assigned managed identity for the VM. Modify the access policy on kv1. Retrieve an access token from the Azure Instance Metadata Service (IMDS) endpoint.

gfanco
Apr 20, 2025

1. Create a system-assigned managed identity: This ensures the identity is tied to the VM and deleted with it.

2. Modify access policy on kv1: Before App1 can read or write secrets, you must add an Access Policy to kv1, assigning the VM principal the permissions (e.g. get, list). https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy?tabs=azure-portal

3. Retrieve access token via IMDS: App1 makes an HTTP call to the local metadata endpoint (http://169.254.169.254/metadata/identity/oauth2/token?resource=https://{vault-name}.vault.azure.net&api-version=...) to get an access token for the Key Vault resource. https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token
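
The procedure discussed in the comments ends with App1 calling IMDS and then Key Vault. The following added example (not part of the original page or of any commenter's post, and written in Python rather than App1's .NET) shows that exchange with the checks worth making on the returned token. The secret name `app1-secret`, the token audience `https://vault.azure.net`, both API versions and the sample IMDS response are assumptions constructed for illustration.

```python
import json
import time
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KV_RESOURCE = "https://vault.azure.net"   # assumed token audience for Key Vault
IMDS_API_VERSION = "2018-02-01"           # assumed IMDS identity API version
KV_API_VERSION = "7.4"                    # assumed Key Vault REST API version

def imds_token_request():
    """Build the token request; IMDS rejects calls without 'Metadata: true'."""
    query = urllib.parse.urlencode(
        {"api-version": IMDS_API_VERSION, "resource": KV_RESOURCE})
    return urllib.request.Request(
        f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"})

def parse_token(body, now=None, min_ttl=60):
    """Return the bearer token after checking type, audience and lifetime."""
    doc = json.loads(body)
    now = time.time() if now is None else now
    if doc.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    if doc.get("resource", "").rstrip("/") != KV_RESOURCE:
        raise ValueError("token issued for a different resource")
    if int(doc["expires_on"]) - now < min_ttl:
        raise ValueError("token expired or about to expire")
    return doc["access_token"]

def secret_request(vault, name, token):
    """Build the Key Vault GET; the token travels only in the Authorization header."""
    url = (f"https://{vault}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(name, safe='')}?api-version={KV_API_VERSION}")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def read_secret(vault, name):
    """Run on the VM only: IMDS is link-local, so bypass any configured proxy."""
    direct = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with direct.open(imds_token_request(), timeout=5) as resp:
        token = parse_token(resp.read())
    with urllib.request.urlopen(secret_request(vault, name, token), timeout=10) as resp:
        return json.load(resp)["value"]

# Constructed IMDS response (placeholder token, not a real JWT).
SAMPLE_IMDS_BODY = json.dumps({
    "access_token": "PLACEHOLDER.TOKEN.VALUE", "expires_on": "1700003600",
    "resource": "https://vault.azure.net", "token_type": "Bearer"})

if __name__ == "__main__":
    token = parse_token(SAMPLE_IMDS_BODY, now=1700000000)
    print(secret_request("kv1", "app1-secret", token).full_url)
```

On VM1 itself, `read_secret("kv1", "app1-secret")` performs the live calls; an HTTP 403 from Key Vault at that point indicates the access policy does not grant the VM's identity the `get` permission.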