RedHat Shadowman Logo

If you're running Red Hat Enterprise Linux server on Microsoft Azure, you may want to shut down and deallocate the VM using commands inside of the VM itself for automation or just for convenience. On Azure, if you shut down the VM by using shutdown -h or another OS command, it will stop but not deallocate it.  The stopped VM is still using resources and will continue to incur compute charges. To avoid that, this article shows how a VM can shut itself down and deallocate its resources using the Azure CLI 2.0.

Install Azure CLI 2.0

Since Azure CLI 2.0 is required, please install it as follows.

$ sudo rpm --import
$ sudo sh -c 'echo -e "[azure-cli]\nname=Azure CLI\nbaseurl=\nenabled=1\ngpgcheck=1\ngpgkey=" > /etc/yum.repos.d/azure-cli.repo'
$ sudo yum install azure-cli

Enable Managed Service Identity (Optional)

Managed Service Identity (MSI) is optional but recommended because it avoids storing the password within the VM. If you don't want to use MSI, please see the last section.

To enable MSI, you can use Azure CLI 2.0, Azure Portal, or other administration tools.

I enabled MSI using Azure CLI 2.0.

$ az vm identity assign -g tatanaka-ocp-filetest -n tatanaka-ocp-filetest

After enabling MSI, you have to assign the proper role to the MSI-enabled VM.

I assigned the Virtual Machine Contributor role with the scope of the VM itself, so the VM has a privilege to manage only the VM itself. To accomplish this, use the first command below to show the resource ID of the VM. Use the second command below to show the service principal ID of the VM. Then use these values, respectively, in place of <vm_resource_id> and <sp_id> in the third command below.

$ az vm show -g  -n  --query id
$ az resource list -n  --query [*].identity.principalId --out tsv
$ az role assignment create --assignee  --role 'Virtual Machine Contributor' --scope

Deallocate Script

Now you can execute the az vm deallocate command within the VM as follows.

$ az login --msi
$ az vm deallocate -g -n

However, you have to specify resource group and name parameters in this command. To avoid that, let's use the Azure Instance Metadata service.

Here is the whole script to deallocate the VM.


response=$(curl -H Metadata:true "" -s)
resource_group=$(echo $response | python -c 'import sys, json; print (json.load(sys.stdin)["resourceGroupName"])')
vm_name=$(echo $response | python -c 'import sys, json; print (json.load(sys.stdin)["name"])')

az login --msi
az vm deallocate -g $resource_group -n $vm_name

Now, a user who can log in to the VM can deallocate this VM even though the user doesn't have Azure access.

Using Password Authentication

If you don't use MSI, you have to log in with a password, which means you have to store a password in the VM for noninteractive deallocation. To avoid storing the password of the Microsoft account, I strongly recommend creating an Azure service principal.

You can create a service principal and assign a role as follows.

$ az ad sp create-for-rbac --name  --password 
$ az vm show -g  -n  --query id
$ az role assignment create --assignee  --role 'Virtual Machine Contributor' --scope

In the deallocate script, replace the --msi option with the following:

az login --service-principal -u  -p  --tenant
Last updated: January 18, 2022