-
Notifications
You must be signed in to change notification settings - Fork 857
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azsecrets v1.3.0 didn't respect home tenant id configured (login-ed) in az cli #23851
Comments
Thank you for your feedback. Tagging and routing to the team member best able to assist. |
Hi @xuxife! I want to make sure I can understand and isolate your issue. If you roll back to the previous version of Are you running this code in the same CLI that you ran the Where exactly is your code running? What is your precise environment with the version? If it is running on the Azure CLI, what are the results of running |
Hi @xuxife. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue. |
@gracewilcox hi, the issue doesn't reproduce in verison prior to v1.2.0 . We believe the problem is related to the code here: azure-sdk-for-go/sdk/azidentity/azidentity.go Lines 109 to 124 in c5e7bb9
If we use "nil" for the cli credentials option object, an empty tenant id will be set in here: azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go Lines 42 to 44 in c5e7bb9
Prior to v1.2.0, the akv's TokenRequestOptions (tro) object is not being back-filled with the tenant id, hence the tenant id value in tro and cli credentials are both empty. In this case, the However, the v1.2.0 change back-filles the non-emptuy tenant id from the challenge request to the tro. In this case, the |
Hi @bcho! Thank you for the detailed information. We'll look into fixing the issue. |
Thanks for opening this issue! This behavior is actually a security feature. In general, we don't want credentials to authenticate in arbitrary tenants by default because doing so can enable unintentional resource access. The Azure CLI case is awkward because azidentity doesn't know the CLI's default tenant. This means that when you don't specify a tenant in the credential options, the credential has no way to tell whether a token request is for an unexpected tenant. We might be able to make this a little easier, but it will take some careful thought because we don't want to compromise any application's security posture. In the meantime, here are a couple ways to get your application working: Option 1: specify a tenant for AzureCLICredentialIf you only want to access a single tenant, you can specify it when constructing the credential: cred, err := azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{
TenantID: "72f988bf-86f1-41af-91ab-2d7cd011db47",
}) Option 2: set AdditionallyAllowedTenantsYou can specify allowed tenants in the credential options: cred, err := azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{
AdditionallyAllowedTenants: []string{"72f988bf-86f1-41af-91ab-2d7cd011db47"},
}) If you don't know all the tenants you need to access, you can allow all tenants with a wildcard: cred, err := azidentity.NewAzureCLICredential(&azidentity.AzureCLICredentialOptions{
AdditionallyAllowedTenants: []string{"*"},
}) |
While I can understand your intentions, this is still a breaking change and should be treated as such. Hiding it in a minor causes unneccessary pain. To make for a smoother transition, you could set the wildcard as default like in your option 2 and emit a warning that will become an error in the future. |
@chlowell is that possible to perform an extra call azure-sdk-for-go/sdk/azidentity/azure_cli_credential.go Lines 42 to 44 in c5e7bb9
|
It's possible, but there's a couple problems with this approach:
I suppose we can answer the compatibility question but there's no avoiding the additional CLI invocation, which would manifest to apps as a significant perf regression. AzureCLICredential already takes a relatively long time to acquire a token; how would you feel about it taking twice as long? |
Agree on the concern of the perf regression. I ran a simple test from my local, a basic az cli invocation takes ~200ms (for account show and get-access-token if local token cache hits) Giving the akv case is requesting the token using a separated scope, which is likely not hitting the cache at all, in this case, the get-access-token call takes 1 ~ 2s to finish the full token flow in my end. Hence, adding a 200ms call seems to be fine here. And I would expect the az cli token usage is local only, which is also acceptable to have a 1~2s latency for the initial token acquisition here. |
Bug Report
azsecrets v1.3.0 didn't work with
azidentity.NewAzureCLICredential(nil)
, it didn't use the default tenant id login-ed in my az cli.Error:
I'm using single tenant, didn't use cross tenant keyvault scenario.
Minimal repro code:
go.mod
main.go
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets
1.3.0
column output by
go list -m <module>
, for examplego list -m github.com/Azure/azure-sdk-for-go/sdk/azcore
.go version
The text was updated successfully, but these errors were encountered: