While working one of the Azure project, I had a requirement to implement System Assigned Managed Identity to access Azure key vault secret programatically on Azure virtual machine inside the code without azure login. In my earlier written articles, to retrieve secret password from Azure Key Vault I was first logging in to Azure using username password, but I can bypass the Azure login to get Key vault secret with help of system assigned manage identity (It work as same as Service Account on the windows system). In below two parts I have created and configured Azure Key Vault and Virtual Machine ahead of the time with all default settings.

Part 1: Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Part 2: Create a Virtual machine on Microsoft Azure
Part 3: Use a Azure VM system assigned managed identity to access Azure Key Vault

To configure system assigned managed identity navigate to Virtual Machine then go to Identity from left pane. A system assigned managed identity is restricted to one per resource and is tied to the lifecycle of the resource in my example it is tied to the Azure virtual machine name vm01 (If I delete VM this account principal will also be deleted). I can grant permissions to the managed idneity by using Azure role-based access control (Azure RBAC). It is authenticated with Azure AD, so I don't have to store any credential inside my codes.

Once the system assigned managed identity is enabled, this resource will be registered with Azure Active Directory. After being registered, you can control its access to other services like key vault and storage accounts. On the Status toggle to On (color changes from sky blue to purple) and click Save button.

There's a popup box appears while save - Enable system assigned managed identity. 'vm01' will be registered with Azure Active Directory. Once it is registered, 'vm01' can be granted permissions to access resources protected by Azure AD. Do you want to enable the system assigned managed identity for 'vm01'? press Yes.

There is unique identifier id is assigned to this VM resource, when it’s registered with Azure Active Directory. Azure RBAC roles assigned to this managed identity that you have permissions to read.

Be careful when making changes to the access settings for the managed identity because it can result in failures. Click + Azure role assignments to provide access on the Key Vault resources.

On the Add role assignment (Rbac: Role-Based Access Control) I will select Key Vault as resource Scope (Scope is a set of resources that the role assignment applies to. Scope has levels that are inherited at lower levels. For example, if you select a subscription scope, the role assignment applies to all resource groups and resources in the subscription), Provide Subscription, In the Resource select Key Vault Name from drop down list. In the last choose Role as Reader (A role is a collection of permissions. Select a role to assign to this managed identity.) and click Save. (Just to note if this identity has role assignments that you don't have permission to read, they won't be shown in the list)

This is just an example where to find System Assigned identity under, Azure Active Directory >> Enterprise applications >> Application type - Managed Identities >> Apply filter. 

Go to Key Vault service resource. In previous, I have provided RBAC role on the Key Vault. Next configure Add Access policies and select Add VM name in the Principal. Both Virtual Machine and Key Vault is configured.

Now to access Key Vault Secret on the Azure Virtual Machine, I will login on to the VM, Open powershell and fire below commands. Here the url start with 169.254.159.254 is a special url provided by Azure, it will provide access token to connect azure if you have correct permissions on the azure resource entities or subscriptions.

$env:COMPUTERNAME; $env:USERNAME
$response = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -Method GET -Headers @{Metadata="true"}
$response.access_token
$result = Invoke-RestMethod -Uri https://vcloud02vault.vault.azure.net/secrets/RootSecret/03d6fd62056a4790a8982b1a75f320f8?api-version=7.1 -Headers @{"Authorization" = "Bearer $($response.access_token)"}
$result | select id, value, contentType

Useful Articles
Create an Azure App registrations in Azure Active Directory using PowerShell & AzureCLI
Connect-AzureAD: One or more errors occurred. Could not load type 'System.Security.Cryptography.SHA256Cng'
Use Key Vault secret identifier url to get the secret value using Powershell
Working With Azure Key Vault Using Azure PowerShell and AzureCLI
Create key vault and secrets with access policies in Microsoft Azure
Creating a new user in Azure AD using oneliner PowerShell and Azure CLI
How to switch to other Azure AD tenant using PowerShell and Azure CLI