Preconditions
Related command
Below are the proposed commands that need to be created for this task
🔐 GalleryInVmAccessControlProfile CLI Commands
Create
az sig in-vm-access-control-profile create \
--resource-group <string> \
--gallery-name <string> \
--name <string> \
--location <string> \
--os-type <string> \
--applicable-host-endpoint <string> \
[--description <string>]
Update
az sig in-vm-access-control-profile update \
--resource-group <string> \
--gallery-name <string> \
--name <string> \
[--description <string>] \
[--applicable-host-endpoint <string>]
Get
az sig in-vm-access-control-profile show \
--resource-group <string> \
--gallery-name <string> \
[--name <string>]
Delete
az sig in-vm-access-control-profile delete \
--resource-group <string> \
--gallery-name <string> \
--name <string>
🧩 GalleryInVmAccessControlProfileVersion CLI Commands
Create Local Config
az sig in-vm-access-control-profile-version config create \
--name <string> \
--mode <string> \
--default-access <string> \
--target-regions <region1> <region2> ... \
[--exclude-from-latest]
Add/Remove Privilege
az sig in-vm-access-control-profile-version config privilege add \
--name <string> \
--profile-version <local-config-name> \
--path <string> \
[--query-parameter <key=value>]
az sig in-vm-access-control-profile-version config privilege remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Role
az sig in-vm-access-control-profile-version config role add \
--name <string> \
--privileges <priv1> <priv2> ... \
--profile-version <local-config-name>
az sig in-vm-access-control-profile-version config role remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Identity
az sig in-vm-access-control-profile-version config identity add \
--name <string> \
[--user-name <string>] \
[--group-name <string>] \
[--exe-path <string>] \
[--process-name <string>]
az sig in-vm-access-control-profile-version config identity remove \
--name <string> \
--profile-version <local-config-name>
Add/Remove Role Assignment
az sig in-vm-access-control-profile-version config role-assignment add \
--role <string> \
--identities <id1> <id2> ... \
--profile-version <local-config-name>
az sig in-vm-access-control-profile-version config role-assignment remove \
--role <string> \
--profile-version <local-config-name>
Create Version
az sig in-vm-access-control-profile-version create \
--resource-group <string> \
--location <string> \
--gallery-name <string> \
--profile-name <string> \
--profile-version <local-config-name>
Update Version
az sig in-vm-access-control-profile-version update \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
--version-name <string> \
[--profile-version <local-config-name>] \
[--mode <string>] \
[--default-access <string>] \
[--target-regions <region1> <region2> ...] \
[--exclude-from-latest <true|false>]
Get Version
az sig in-vm-access-control-profile-version show \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
[--version-name <string>]
Delete Version
az sig in-vm-access-control-profile-version delete \
--resource-group <string> \
--gallery-name <string> \
--profile-name <string> \
--version-name <string>
Resource Provider
Microsoft.Compute
Description of Feature or Work Requested
PM doc: https://microsoft.sharepoint.com/:w:/r/teams/CPlat-PM/_layouts/15/Doc.aspx?sourcedoc=%7BDD02825F-7D23-4C67-B21C-6352733A8858%7D&file=Wire-Server%20Endpoint%20Security%20PM%20Spec.docx&action=default&mobileredirect=true&share=IQFfggLdI31nTLIcY1JzOohYAV82cMdRnCluKCTcaCyt91E
GalleryInVMAccessControlProfile is part of the MSP (Managed Service Provider) security feature, which is a critical component with visibility from Charlie Bell, Scott Guthrie, and Arun Kishan. This feature enables customers to assign roles and privileges to processes or services that communicate with the IMDS (Instance Metadata Service) and WireServer endpoints, thereby significantly enhancing the security of VM metadata access.
The IMDS and WireServer endpoints handle approximately 700,000 requests per second, making their protection crucial. While we have developed this capability for internal customers, we now need to provide a CLI-based experience for third-party (3P) customers to comply with Microsoft policy.
Minimum API Version Required
2024-03-03
Swagger PR link / SDK link
PR1: Azure/azure-rest-api-specs#30504
PR2: Azure/azure-rest-api-specs#31254
Swagger doc Link: https://learn.microsoft.com/en-us/dotnet/api/azure.resourcemanager.compute.models.galleryinvmaccesscontrolprofileproperties?view=azure-dotnet
Request Example
GalleryInVMAccessControlProfile: https://learn.microsoft.com/en-us/rest/api/compute/gallery-in-vm-access-control-profiles/create-or-update?view=rest-compute-2025-02-01&tabs=HTTP
GalleryInVMAccessControlProfileVersion: https://learn.microsoft.com/en-us/rest/api/compute/gallery-in-vm-access-control-profile-versions/create-or-update?view=rest-compute-2025-02-01&tabs=HTTP
Target Date
2025-07-11
PM Contact
minnielahoti@microsoft.com
Engineer Contact
jagupta@microsoft.com
Additional context
Python SDK list azure-sdk/azure-sdk-for-python#9256
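Added example (not part of the issue and not Azure CLI code): the proposed local config links privileges, roles, identities and role assignments by name, so a dangling name would leave a rule that protects nothing. This Python sketch checks those references before a version is created; the ProfileVersionConfig class, its field names (mirroring the flags above) and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory form of the local config built by the proposed
# "config ..." subcommands; field names mirror the flags listed in the issue.
@dataclass
class ProfileVersionConfig:
    privileges: dict = field(default_factory=dict)        # name -> {"path": ...}
    roles: dict = field(default_factory=dict)             # name -> [privilege names]
    identities: dict = field(default_factory=dict)        # name -> {selector: value}
    role_assignments: dict = field(default_factory=dict)  # role -> [identity names]

SELECTORS = ("user_name", "group_name", "exe_path", "process_name")

def validate(cfg):
    """Return sorted findings; an empty list means every reference resolves."""
    out = []
    for name, priv in cfg.privileges.items():
        if not priv.get("path"):
            out.append(f"privilege {name}: empty path")
    for name, privs in cfg.roles.items():
        out += [f"role {name}: unknown privilege {p}"
                for p in privs if p not in cfg.privileges]
    for name, ident in cfg.identities.items():
        # Choice made by this example: an identity with no selector is flagged.
        if not any(ident.get(s) for s in SELECTORS):
            out.append(f"identity {name}: no selector set")
    for role, idents in cfg.role_assignments.items():
        if role not in cfg.roles:
            out.append(f"role-assignment {role}: unknown role {role}")
        out += [f"role-assignment {role}: unknown identity {i}"
                for i in idents if i not in cfg.identities]
    assigned = {i for ids in cfg.role_assignments.values() for i in ids}
    out += [f"identity {n}: not assigned to any role"
            for n in set(cfg.identities) - assigned]
    return sorted(out)

def sample_config():
    """Constructed sample with deliberate mistakes; all values are made up."""
    cfg = ProfileVersionConfig()
    cfg.privileges["read-instance"] = {"path": "/example/instance"}
    cfg.roles["reader"] = ["read-instance", "read-token"]  # read-token undefined
    cfg.identities["agent"] = {"exe_path": "/usr/sbin/example-agent"}
    cfg.identities["orphan"] = {}                          # no selector, unassigned
    cfg.role_assignments["reader"] = ["agent"]
    cfg.role_assignments["admin"] = ["agent", "ghost"]     # role and identity undefined
    return cfg

if __name__ == "__main__":
    print("\n".join(validate(sample_config())))
```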