Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Profile] az login: Add --client-id, --object-id and --resource-id for user-assigned managed identity authentication #30525

Merged
merged 1 commit into from
Jan 22, 2025
Merged

[Profile] az login: Add --client-id, --object-id and --resource-id for user-assigned managed identity authentication #30525

merged 1 commit into from
Jan 22, 2025

Conversation

jiasli
Copy link
Member

@jiasli jiasli commented Dec 16, 2024
edited
Loading

Related command
az login --identity

Description
Close #29480

az login currently reuses --username for 3 types of IDs. This has several disadvantages:

  1. It is inefficient, as it uses a trial-and-error approach to detect the ID type.
  2. It pollutes managed identity's server telemetry as it makes failed calls on purpose.
  3. It is confusing, as username is a concept related to user flow, such as auth code flow, device code flow and username password (ROPC) flow.
  4. It may have security risk of sending data (may contain PII) to unexpected places.

With the recent initiative of moving to password-free authentication methods, managed identity authentication is becoming more important.

Testing Guide

# New way to log in with client ID
az login --identity --client-id 00000000-0000-0000-0000-000000000000

# New way to log in with object ID
az login --identity --object-id 00000000-0000-0000-0000-000000000000

# New way to log in with resource ID
az login --identity --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testmi

# Old way to log in with any ID
az login --identity --username 00000000-0000-0000-0000-000000000000

# System-assigned managed identity is not changed
az login --identity

History Notes

[Profile] az login: Passing the managed identity ID with --username is deprecated and will be removed in a future release. Please use --client-id, --object-id or --resource-id instead

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Dec 16, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Dec 16, 2024
edited
Loading

⚠️AzureCLI-BreakingChangeTest
⚠️profile
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd login cmd login added parameter client_id
⚠️ 1006 - ParaAdd login cmd login added parameter object_id
⚠️ 1006 - ParaAdd login cmd login added parameter resource_id

@yonzhan
Copy link
Collaborator

yonzhan commented Dec 16, 2024
edited
Loading

az login refinement

@github-actions GitHub Actions
Copy link

⚠️Your changes in this PR will be released on Jan 14, 2025 due to CCOA (extend to Jan 6, 2025)

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Dec 16, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Account az login/account label Dec 16, 2024
@jiasli jiasli force-pushed the managed-identity-id branch 2 times, most recently from 5f46c22 to bf91b78 Compare January 14, 2025 09:02
jiasli
jiasli commented Jan 14, 2025
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py
Comment on lines +241 to +256
elif client_id:
identity_type = MsiAccountTypes.user_assigned_client_id
identity_id = client_id
msi_creds = MSIAuthenticationWrapper(resource=resource, client_id=client_id)
elif object_id:
identity_type = MsiAccountTypes.user_assigned_object_id
identity_id = object_id
msi_creds = MSIAuthenticationWrapper(resource=resource, object_id=object_id)
elif resource_id:
identity_type = MsiAccountTypes.user_assigned_resource_id
identity_id = resource_id
msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=resource_id)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ID names are aligned with MSAL: https://learn.microsoft.com/en-us/entra/msal/python/advanced/managed-identity#user-assigned-managed-identities

  • Client ID (client_id)
  • Resource ID (resource_id) - inconsistent with msrestazure's msi_res_id
  • Object ID (object_id)

@jiasli jiasli marked this pull request as ready for review January 14, 2025 09:27
@jiasli jiasli force-pushed the managed-identity-id branch from bf91b78 to 3f904d3 Compare January 14, 2025 10:04
evelyn-ys
evelyn-ys reviewed Jan 21, 2025
View reviewed changes
src/azure-cli/azure/cli/command_modules/profile/custom.py
return profile.login_with_managed_identity(username, allow_no_subscriptions)
return profile.login_with_managed_identity(
identity_id=username, client_id=client_id, object_id=object_id, resource_id=resource_id,
allow_no_subscriptions=allow_no_subscriptions)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to add a param validation that only one of the four (identity_id, client_id, object_id and resource_id) has been provided? Or we can add param help msg telling that these four are mutually exclusive

Copy link
Member Author

@jiasli jiasli Jan 21, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion. Added the validation logic into profile.login_with_managed_identity().

@jiasli jiasli force-pushed the managed-identity-id branch from 3f904d3 to 2938407 Compare January 21, 2025 09:46
@jiasli jiasli merged commit 967983c into Azure:dev Jan 22, 2025
53 checks passed
@jiasli jiasli deleted the managed-identity-id branch January 22, 2025 07:41
@jiasli jiasli changed the title [Profile] az login: Add --client-id, --object-id and --resource-id for authenticating with user-assigned managed identity [Profile] az login: Add --client-id, --object-id and --resource-id for user-assigned managed identity authentication Jan 22, 2025
@jiasli jiasli mentioned this pull request Jan 22, 2025
Closed
@MoChilia MoChilia mentioned this pull request Feb 20, 2025
Merged
This was referenced Mar 12, 2025
Closed
Draft
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms zhoxing-ms is a code owner

@necusjz necusjz Awaiting requested review from necusjz necusjz is a code owner

Assignees

@jiasli jiasli

Labels
Account az login/account Auto-Assign Auto assign by bot
Projects
None yet
Milestone
February 2025 (2025-02-11)
4 participants
@jiasli @yonzhan @bebound @evelyn-ys