Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Core] Allow authentication via environment variables #27938

Open
wants to merge 5 commits into
base: dev
Choose a base branch
from
Open

[Core] Allow authentication via environment variables #27938

wants to merge 5 commits into from

Conversation

VoxSecundus
Copy link

@VoxSecundus VoxSecundus commented Nov 28, 2023
edited
Loading

Related command

az

All commands that require the user to be logged in.

Description

Addresses #10241

This PR updates the _profile and auth/identity azure-cli-core classes to support authenticate for service principals via environment variables, without having to run az login first. When logged in with az login, any credentials specified as environment variables are ignored.

New variables:

Variable name Description
AZURE_SUBSCRIPTION_ID Subscription ID to use for command scope. Can be overridden with --subscription.
AZURE_TENANT_ID Microsoft Entra application's tenant ID.
AZURE_CLIENT_ID Microsoft Entra application ID.
AZURE_CLIENT_SECRET Secret for given application.

Testing Guide

In a Bash terminal:

  • Register an app:
$ az ad sp create-for-rbac
  • Set credentials and subscription:
$ export AZURE_CLIENT_ID="<redacted>"
$ export AZURE_CLIENT_SECRET="<redacted>"
$ export AZURE_TENANT_ID="<redacted>"
$ export AZURE_SUBSCRIPTION_ID="<redacted>"
  • Use az commands as usual:
$ az vm list
[
  {
    ...
  },
  ...
]

$ az account show
{
  "id": null,
  "name": "Environment Variable Subscription",
  "tenantId": "<redacted>",
  "user": {
    "name": "<redacted>",
    "type": "servicePrincipal"
  }
}

$ az account get-access-token
{
  "accessToken": "<redacted>",
  "expiresOn": "2023-11-28 18:51:46.000000",
  "expires_on": 1701197506,
  "subscription": "None",
  "tenant": "<redacted>",
  "tokenType": "Bearer"
}

History Notes

N/A

This checklist is used to make sure that common guidelines for a pull request are followed.

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Nov 28, 2023
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.11
️✔️3.9
️✔️ams
️✔️latest
️✔️3.11
️✔️3.9
️✔️apim
️✔️latest
️✔️3.11
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.11
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.11
️✔️3.9
️✔️aro
️✔️latest
️✔️3.11
️✔️3.9
️✔️backup
️✔️latest
️✔️3.11
️✔️3.9
️✔️batch
️✔️latest
️✔️3.11
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.11
️✔️3.9
️✔️billing
️✔️latest
️✔️3.11
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.11
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.11
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.11
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.11
️✔️3.9
️✔️config
️✔️latest
️✔️3.11
️✔️3.9
️✔️configure
️✔️latest
️✔️3.11
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.11
️✔️3.9
️✔️container
️✔️latest
️✔️3.11
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.11
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.11
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️dla
️✔️latest
️✔️3.11
️✔️3.9
️✔️dls
️✔️latest
️✔️3.11
️✔️3.9
️✔️dms
️✔️latest
️✔️3.11
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.11
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.11
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.11
️✔️3.9
️✔️find
️✔️latest
️✔️3.11
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.11
️✔️3.9
️✔️identity
️✔️latest
️✔️3.11
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️kusto
️✔️latest
️✔️3.11
️✔️3.9
️✔️lab
️✔️latest
️✔️3.11
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.11
️✔️3.9
️✔️maps
️✔️latest
️✔️3.11
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.11
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.11
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.11
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.11
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.11
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.11
️✔️3.9
️✔️profile
️✔️latest
️✔️3.11
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.11
️✔️3.9
️✔️redis
️✔️latest
️✔️3.11
️✔️3.9
️✔️relay
️✔️latest
️✔️3.11
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️role
️✔️latest
️✔️3.11
️✔️3.9
️✔️search
️✔️latest
️✔️3.11
️✔️3.9
️✔️security
️✔️latest
️✔️3.11
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.11
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.11
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.11
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.11
️✔️3.9
️✔️sql
️✔️latest
️✔️3.11
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.11
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.11
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9
️✔️util
️✔️latest
️✔️3.11
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.11
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.11
️✔️3.9
️✔️latest
️✔️3.11
️✔️3.9

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Nov 28, 2023
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Nov 28, 2023

Core

@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Nov 28, 2023
@microsoft-github-policy-service Microsoft GitHub Policy Service
Copy link
Contributor

Thank you for your contribution VoxSecundus! We will review the pull request and get back to you soon.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Nov 28, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Compute az vm/vmss/image/disk/snapshot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Nov 28, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Account az login/account Core CLI core infrastructure Graph az ad labels Nov 28, 2023
@VoxSecundus
Copy link
Author

@microsoft-github-policy-service agree company="Alces Flight Ltd"

jiasli
jiasli reviewed Nov 29, 2023
View reviewed changes
src/azure-cli-core/azure/cli/core/util.py Outdated
Comment on lines 1357 to 1363
def is_guid(guid):
import uuid
try:
uuid.UUID(guid)
return True
except (ValueError, TypeError):
return False
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function is already defined at

azure-cli/src/azure-cli-core/azure/cli/core/util.py

Lines 1233 to 1239 in a5198b5

def is_guid(guid):
import uuid
try:
uuid.UUID(guid)
return True
except ValueError:
return False

jiasli
jiasli reviewed Nov 29, 2023
View reviewed changes
src/azure-cli-core/azure/cli/core/auth/identity.py Outdated

# If no login data, look for service principal credential in environment variables
if not self._entries and env_var_auth_configured():
logger.warning("Using service principal credential configured in environment variables.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unconditionally showing warnings can breaks pipelines which enables failOnStderr (#18372).

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I'm not sure what you mean. How should I make this warning shown "conditionally"?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I'm not sure what you mean. How should I make this warning shown "conditionally"?

Well. This warning shouldn't be printed at all, as it doesn't really qualify as a warning.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood. It's been changed to a logger.debug call.

jiasli
jiasli reviewed Nov 29, 2023
View reviewed changes
src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment on lines 313 to 316
# If no login data, look for service principal credential in environment variables
if not self._entries and env_var_auth_configured():
logger.warning("Using service principal credential configured in environment variables.")
self._entries = [load_env_var_credential()]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

load_entry is designed solely for looking up service principal credentials stored on the hard disk. It may not be an ideal place for loading environment variables.

@jiasli
Copy link
Member

jiasli commented Nov 29, 2023

Thank you very much for the contribution. We understand #10241 is a highly demanded feature.

Actually, I already have a draft work on supporting environment variable credential: https://github.com/jiasli/azure-cli/tree/env-cred, which utilizes the code from #22124.

I will certainly take your PR into consideration while implementing this feature.

@freedge freedge mentioned this pull request Apr 26, 2024
Closed
@tspearconquest
Copy link
Contributor

Any update?

@ringods ringods mentioned this pull request Oct 23, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jiasli jiasli jiasli left review comments

@evelyn-ys evelyn-ys Awaiting requested review from evelyn-ys evelyn-ys is a code owner

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms zhoxing-ms is a code owner

@necusjz necusjz Awaiting requested review from necusjz necusjz is a code owner

@yonzhan yonzhan Awaiting requested review from yonzhan

@yanzhudd yanzhudd Awaiting requested review from yanzhudd

At least 1 approving review is required to merge this pull request.

Assignees

@jiasli jiasli

@zhoxing-ms zhoxing-ms

@yanzhudd yanzhudd

Labels
Account az login/account ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot Compute az vm/vmss/image/disk/snapshot Core CLI core infrastructure customer-reported Issues that are reported by GitHub users external to the Azure organization. Graph az ad
Projects
None yet
Milestone
Backlog
Development

Successfully merging this pull request may close these issues.
6 participants
@VoxSecundus @yonzhan @jiasli @tspearconquest @zhoxing-ms @yanzhudd