
[Profile] az login: Add --client-id, --object-id and --resource-id for authenticating with user-assigned managed identity #30525

Draft: wants to merge 1 commit into base branch dev
Conversation

@jiasli (Member) commented Dec 16, 2024

Related command
az login --identity

Description
Close #29480

az login currently reuses --username for 3 types of IDs. This has several disadvantages:

  1. It is inefficient, as it uses a trial-and-error approach to detect the ID type.
  2. It pollutes managed identity's server telemetry as it makes failed calls on purpose.
  3. It is confusing, as username is a concept related to user flow, such as auth code flow, device code flow and username password (ROPC) flow.
  4. It may pose a security risk of sending data to unexpected places.

With the recent initiative of moving to password-free authentication methods, managed identity authentication is becoming more important.

Testing Guide

# New way to log in with client ID
az login --identity --client-id 00000000-0000-0000-0000-000000000000

# New way to log in with object ID
az login --identity --object-id 00000000-0000-0000-0000-000000000000

# New way to log in with resource ID
az login --identity --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmi

# Old way to log in with any ID
az login --identity --username 00000000-0000-0000-0000-000000000000

# System-assigned managed identity is not changed
az login --identity

History Notes

[Profile] az login: Passing the managed identity ID with --username is deprecated and will be removed in a future release. Please use --client-id, --object-id or --resource-id instead.
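The following is an added illustration, not code from azure-cli or from this PR, of the distinction the description draws: with explicit --client-id / --object-id / --resource-id the CLI knows which IMDS query parameter to fill, whereas a bare value passed through --username has to be classified by guessing, and a GUID cannot be told apart as client ID vs object ID, so two requests may be needed. Assumptions, labelled in the code: the IMDS endpoint and its query-parameter names (api-version, resource, client_id, object_id, mi_res_id) follow Azure's public IMDS documentation, and every function name is hypothetical. Nothing is sent over the network; the helpers only build and validate the request.

```python
# Added illustration, not azure-cli code: how the explicit --client-id /
# --object-id / --resource-id flags map onto a managed-identity token request,
# and why the deprecated --username path had to guess.
#
# Assumptions (labelled): the IMDS endpoint and its query-parameter names
# (api-version, resource, client_id, object_id, mi_res_id) follow Azure's
# public IMDS documentation; all function names here are hypothetical. Nothing
# is sent over the network; the helpers only build and validate the request.
import re
import uuid
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
ARM_RESOURCE = "https://management.azure.com/"

# ARM resource ID of a user-assigned managed identity (same shape as the PR's
# --resource-id example); matched case-insensitively.
_MI_RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourcegroups/[^/]+/providers/"
    r"microsoft\.managedidentity/userassignedidentities/[^/]+$",
    re.IGNORECASE,
)


def _is_guid(value):
    try:
        uuid.UUID(value)
        return True
    except (ValueError, AttributeError, TypeError):
        return False


def classify_legacy_id(identity_id):
    """Old --username behaviour: the CLI only sees a string and must guess its kind.

    A resource ID has a distinctive path shape, but a bare GUID could be either
    the identity's client ID or its object ID, so both have to be tried in turn
    (the trial-and-error the PR description calls out).
    """
    if _MI_RESOURCE_ID_RE.match(identity_id):
        return ["resource_id"]
    if _is_guid(identity_id):
        return ["client_id", "object_id"]
    raise ValueError("not a managed identity client ID, object ID or resource ID: %r" % identity_id)


def build_imds_request(client_id=None, object_id=None, resource_id=None,
                       resource=ARM_RESOURCE):
    """New explicit path: exactly the ID kind the caller named, or none for a
    system-assigned identity. Returns (url, headers) for a GET to IMDS."""
    given = {name: value for name, value in
             (("client_id", client_id), ("object_id", object_id), ("resource_id", resource_id))
             if value}
    if len(given) > 1:
        raise ValueError("usage error: --client-id, --object-id and --resource-id are mutually exclusive")
    for name in ("client_id", "object_id"):
        if name in given and not _is_guid(given[name]):
            raise ValueError("%s must be a GUID" % name)
    if "resource_id" in given and not _MI_RESOURCE_ID_RE.match(given["resource_id"]):
        raise ValueError("resource_id must be a userAssignedIdentities ARM resource ID")

    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    elif object_id:
        params["object_id"] = object_id
    elif resource_id:
        params["mi_res_id"] = resource_id  # IMDS parameter name for a resource ID
    # IMDS requires the Metadata header as its documented guard against
    # SSRF-style requests; the token comes back in the response body.
    return IMDS_TOKEN_URL + "?" + urlencode(params), {"Metadata": "true"}


def legacy_request_candidates(identity_id, resource=ARM_RESOURCE):
    """What the deprecated --username path amounts to: the list of IMDS requests
    that would have to be tried in turn for one opaque value. Every probe that
    fails is a deliberate bad request, which is the telemetry pollution the
    PR description mentions."""
    return [build_imds_request(**{kind: identity_id}, resource=resource)
            for kind in classify_legacy_id(identity_id)]
```

The mutual-exclusion check mirrors the kind of "usage error" guard az login already applies to its other flag combinations; with the explicit flags the request is built once, with the value in the parameter the caller named, instead of being retried under each interpretation.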

azure-client-tools-bot-prd bot commented Dec 16, 2024

❌AzureCLI-FullTest

Passed (on Python 3.12 and 3.9 for each listed API profile):
✔️ acr, acs: 2020-09-01-hybrid, latest
✔️ advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, compute_recommender, computefleet, config, configure, consumption, container, containerapp, cosmosdb, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles, policyinsights, privatedns: latest
✔️ core: 2018-03-01-hybrid, 2019-03-01-hybrid, 2020-09-01-hybrid, latest
✔️ databoxedge, iot: 2019-03-01-hybrid, 2020-09-01-hybrid, latest
✔️ keyvault: 2018-03-01-hybrid, 2020-09-01-hybrid, latest
✔️ network: 2018-03-01-hybrid, latest
❌profile
❌latest
❌3.12
Type: Failed   Test Case: test_get_login   Error Message:
self = <azure.cli.command_modules.profile.tests.latest.test_profile_custom.ProfileCommandTest testMethod=test_get_login>
profile_mock = <MagicMock name='Profile' spec='Profile' id='140430196241328'>

    @mock.patch('azure.cli.command_modules.profile.custom.Profile', autospec=True)
    def test_get_login(self, profile_mock):
        invoked = []
    
        def test_login(msi_port, identity_id=None):
            invoked.append(True)
    
        # mock the instance
        profile_instance = mock.MagicMock()
        profile_instance.login_with_managed_identity = test_login
        # mock the constructor
        profile_mock.return_value = profile_instance
    
        # action
        cmd = mock.MagicMock()
>       login(cmd, identity=True)

src/azure-cli/azure/cli/command_modules/profile/tests/latest/test_profile_custom.py:105: 
                                        

cmd = <MagicMock id='140430190266944'>, username = None, password = None
tenant = None, scopes = None, allow_no_subscriptions = False
use_device_code = False, service_principal = None, certificate = None
use_cert_sn_issuer = None, client_assertion = None, identity = True
client_id = None, object_id = None, resource_id = None

    def login(cmd, username=None, password=None, tenant=None, scopes=None, allow_no_subscriptions=False,
              # Device code flow
              use_device_code=False,
              # Service principal
              service_principal=None, certificate=None, use_cert_sn_issuer=None, client_assertion=None,
              # Managed identity
              identity=False, client_id=None, object_id=None, resource_id=None):
        """Log in to access Azure subscriptions"""
    
        # quick argument usage check
        if any([password, service_principal, tenant]) and identity:
            raise CLIError("usage error: '--identity' is not applicable with other arguments")
        if any([password, service_principal, username, identity]) and use_device_code:
            raise CLIError("usage error: '--use-device-code' is not applicable with other arguments")
        if use_cert_sn_issuer and not service_principal:
            raise CLIError("usage error: '--use-sn-issuer' is only applicable with a service principal")
        if service_principal and not username:
            raise CLIError('usage error: --service-principal --username NAME --password SECRET --tenant TENANT')
        if username and not service_principal and not identity:
            logger.warning(USERNAME_PASSWORD_DEPRECATION_WARNING)
    
        interactive = False
    
        profile = Profile(cli_ctx=cmd.cli_ctx)
    
        if identity:
            if in_cloud_console():
                return profile.login_in_cloud_shell()
>           return profile.login_with_managed_identity(
                identity_id=username, client_id=client_id, object_id=object_id, resource_id=resource_id,
                allow_no_subscriptions=allow_no_subscriptions)
E           TypeError: ProfileCommandTest.test_get_login..test_login() got an unexpected keyword argument 'client_id'

src/azure-cli/azure/cli/command_modules/profile/custom.py:146: TypeError
Line: azure/cli/command_modules/profile/tests/latest/test_profile_custom.py:89
❌3.9
Type: Failed   Test Case: test_get_login   Line: azure/cli/command_modules/profile/tests/latest/test_profile_custom.py:89
Same traceback as on 3.12 (raised at src/azure-cli/azure/cli/command_modules/profile/custom.py:146), ending in:
E           TypeError: test_login() got an unexpected keyword argument 'client_id'
Passed (on Python 3.12 and 3.9 for each listed API profile):
✔️ rdbms, redis, relay, role, search, security, servicebus, serviceconnector, servicefabric, signalr, sql, sqlvm, synapse, util: latest
✔️ resource: 2018-03-01-hybrid, 2019-03-01-hybrid, latest
✔️ storage, telemetry, vm: 2018-03-01-hybrid, 2019-03-01-hybrid, 2020-09-01-hybrid, latest

azure-client-tools-bot-prd bot commented Dec 16, 2024

⚠️AzureCLI-BreakingChangeTest
⚠️profile

rule              cmd_name   rule_message                          suggest_message
⚠️ 1006 - ParaAdd  login      cmd login added parameter client_id
⚠️ 1006 - ParaAdd  login      cmd login added parameter object_id
⚠️ 1006 - ParaAdd  login      cmd login added parameter resource_id

@yonzhan (Collaborator) commented Dec 16, 2024

az login refinement

⚠️Your changes in this PR will be released on Jan 14, 2025 due to CCOA (extend to Jan 6, 2025)

Labels: Account (az login/account), Auto-Assign (Auto assign by bot)
Projects: None yet
2 participants