diff --git a/kcl/lib/steps/azure/identity.k b/kcl/lib/steps/azure/identity.k
new file mode 100644
index 0000000000..cf5a5f37e7
--- /dev/null
+++ b/kcl/lib/steps/azure/identity.k
@@ -0,0 +1,18 @@
+import azure_pipelines.ap.steps
+
+CreateManagedIdentity = lambda serviceConnection: str, subscription: str, resourceGroup: str, name: str, exportVar: str = "IDENTITY" -> steps.Step {
+ script = """
+az identity create \\
+ --resource-group "${resourceGroup}" \\
+ --name "${name}" \\
+ --subscription "${subscription}"
+
+IDENTITY=$(az identity show \\
+ --resource-group "${resourceGroup}" \\
+ --name "${name}" \\
+ --subscription "${subscription}")
+echo "##vso[task.setvariable variable=${exportVar}_CLIENT_ID]$(echo "$IDENTITY" | jq -r '.clientId')"
+echo "##vso[task.setvariable variable=${exportVar}_ID]$(echo "$IDENTITY" | jq -r '.id')"
+"""
+ AzCli(serviceConnection, "Create managed identity ${name}", script)
+}
diff --git a/kcl/lib/steps/azure/role_assignment.k b/kcl/lib/steps/azure/role_assignment.k
new file mode 100644
index 0000000000..a065c3286f
--- /dev/null
+++ b/kcl/lib/steps/azure/role_assignment.k
@@ -0,0 +1,12 @@
+import azure_pipelines.ap.steps
+
+CreateRoleAssignment = lambda serviceConnection: str, scope: str, role: str, assignee: str, subscription: str -> steps.Step {
+ script = """
+az role assignment create \\
+ --scope "${scope}" \\
+ --role "${role}" \\
+ --assignee "${assignee}" \\
+ --subscription "${subscription}"
+"""
+ AzCli(serviceConnection, "Assign role ${role} to ${assignee}", script)
+}
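Review bot: In identity.k the generated script has no `set -euo pipefail`, so if `az identity create` or `az identity show` fails, the final `echo` lines still exit 0 and export empty or `null` values as `${exportVar}_CLIENT_ID` and `${exportVar}_ID`. Unless `AzCli` (defined outside this diff) adds its own error handling, the step would pass and later steps would run with a blank identity; adding `set -euo pipefail` as the first line of `script` closes that. Every parameter is also spliced into the shell text by KCL interpolation, here and in role_assignment.k, and `exportVar` lands inside the `##vso[task.setvariable …]` command. A short comment above each lambda should state that arguments must be trusted pipeline constants, not values derived from PR-controlled input.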
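Review bot: In role_assignment.k, `--assignee "${assignee}"` makes the CLI resolve the principal through a directory lookup, which needs directory read permission on the service connection and can fail for a managed identity created moments earlier in the same pipeline. If callers pass the identity produced by `CreateManagedIdentity`, `--assignee-object-id "${assignee}" --assignee-principal-type ServicePrincipal` avoids the lookup, but identity.k would then also have to export `.principalId`, which it does not do today. The step display name omits `${scope}`, so the pipeline log does not show where the role was granted; `"Assign role ${role} to ${assignee} on ${scope}"` would make privileged grants easier to audit. `role` and `scope` are passed through unchecked, so a comment noting that callers are responsible for keeping both as narrow as possible would help reviewers.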