[Core][Profile] Add tenant parameter to get_raw_token
#11798
Conversation
|
@mit2nil please kindly help review and test this PR. |
|
@fengzhou-msft @haroldrandom, there seems to be some issue with the CI. The title is for Python 3.8 but it is still using 2.7 internally: https://dev.azure.com/azure-sdk/public/_build/results?buildId=227317&view=logs&jobId=4ac732a2-b9e4-5fde-3ff2-aac0b888c429&j=4ac732a2-b9e4-5fde-3ff2-aac0b888c429&t=7defb86d-ca26-5ebc-39fe-803ea5c317dd
|
Fixed here: #11802 Reason:
So I add environment variable to let tox use only the specific Python version I want. But still need to check the schedule of retiring Python 2.7 with @fengzhou-msft to verify whether need to add Python 2.7 support or not. |
| # Test get_raw_token with tenant | ||
| creds, sub, tenant = profile.get_raw_token(resource='https://foo', tenant=self.tenant_id) | ||
|
|
||
| self.assertEqual(creds[0], self.token_entry1['tokenType']) |
There was a problem hiding this comment.
Can we also add tests for MSI and cloud shell? (check exception) #Closed
There was a problem hiding this comment.
Yes. It is already in this file.
| def get_raw_token(self, resource=None, subscription=None): | ||
| def get_raw_token(self, resource=None, subscription=None, tenant=None): | ||
| if subscription and tenant: | ||
| raise CLIError("Please specify only one of subscription and tenant, not both") |
There was a problem hiding this comment.
this error message pattern seems not align with existing pattern like "subscription shouldn't e specified when tenant is specified"
There was a problem hiding this comment.
This expression is used by many other modules. You may Find All with "not both" to see other usage.
| creds = self._creds_cache.retrieve_token_for_service_principal(username_or_sp_id, | ||
| resource, | ||
| account[_TENANT_ID]) | ||
| tenant_dest = tenant if tenant else account[_TENANT_ID] |
There was a problem hiding this comment.
when subscription is specified, it is checked if exist in cached file in function "get_subscription", is there anyway we can have a pre-check before send retrieve token request?
There was a problem hiding this comment.
For a user account we don't need to check if the tenant is in az account list, as the refreshToken in accessTokens.json is the same for all tenants. user : refresh token is a 1:1 mapping. The refresh token can be used to retrieve a token in ANY tenant, even if the user is not a member of that tenant. The token doesn't has any permission in that tenant.
A service principal is a binding between an app and a tenant, in other words, a projection of an app in a tenant.
| Home Tenant | Tenant1 | Tenant 2 | ... | |
|---|---|---|---|---|
| App | sp_home | sp_1 | sp_2 |
Please also see Application and service principal objects in Azure Active Directory
In accessTokens.json, the entry for a service principal account is:
{
"servicePrincipalId": "6827...",
"servicePrincipalTenant": "5482...",
"accessToken": "43b2..."
}
servicePrincipalId is usually the appId returned by az ad sp create-for-rbac.
accessToken is actually the credential(password or certificate) of the service principal or app. If the credential is at app level, it is the same across tenants; if the credential is at service principal level, it is different across tenants. So service principal : access token(credential) is a 1:+ mapping.
Even if for app credential, service principal : access token(credential) is a 1:1 mapping, we can't tell whether the credential is valid in other tenants until the AAD server returns error. I prefer not to do the bet. So to retrieve the credential, we need to use both servicePrincipalId and servicePrincipalTenant, which is searched at
azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Lines 940 to 941 in fbfe691
Therefore, for a Service Principal to work across tenants, we need to run az login twice for each tenant.
| def get_raw_token(self, resource=None, subscription=None): | ||
| def get_raw_token(self, resource=None, subscription=None, tenant=None): | ||
| if subscription and tenant: | ||
| raise CLIError("Please specify only one of subscription and tenant, not both") | ||
| account = self.get_subscription(subscription) |
There was a problem hiding this comment.
if subscription is not specified, account is empty? then can we get the user_type below?
There was a problem hiding this comment.
If subscription is not specified, it retrieves the default subscription which is the one that is currently selected by az account set.
| def get_access_token(cmd, subscription=None, resource=None, resource_type=None): | ||
| ''' | ||
| def get_access_token(cmd, subscription=None, resource=None, resource_type=None, tenant=None): | ||
| """ | ||
| get AAD token to access to a specified resource | ||
| :param resource: Azure resource endpoints. Default to Azure Resource Manager | ||
| :param resource-type: Name of Azure resource endpoints. Can be used instead of resource. |
There was a problem hiding this comment.
please also add tenent in comment
There was a problem hiding this comment.
The doc string is overridden by
I'd prefer to omit here to eliminate duplication.
|
I have changed the behavior of The current behavior of CLI is to search for the service principal's credential from local cache So what the changed logic does is it first searches for the credential from local cache using For example, say app1 is a multi-tenant app registered in tenant t1 and t2:
The token can be successfully retrieved for t2 and you can verify the tenant ID The only situation where this won't work is if the credential is at service principal level, which is bound to a specified tenant and only works in that tenant. CLI currently doesn't support service-principal-level credential. Related PR is #11466, but we haven't reached an agreement about this breaking change. |
|
Reply to #11798 (review). @Juliehzl, good point. Added as requested. |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| 'tenant': tenant | ||
| } | ||
| if subscription: | ||
| result['subscription'] = subscription |
There was a problem hiding this comment.
Seems we changed previous behavior here. subscription property value is N/A before, after this change, the property will be removed. Is this a break change to some customers ?
There was a problem hiding this comment.
Nope. Previously there is no way for the user to get a token for a tenant, so this is a new feature rather than a breaking change.
The previous behavior for az account get-access-token --subscription is not affected. This can be verified by the test cases.
| logger.warning("Could not retrieve credential from local cache for service principal %s under tenant %s. " | ||
| "Trying credential under tenant %s, assuming that is an app credential.", | ||
| sp_id, tenant, matched[0][_SERVICE_PRINCIPAL_TENANT]) | ||
| cred = matched[0] |
There was a problem hiding this comment.
So if I only login with tenant A, and run az account get-access-token -t B, it will return an access token of A, right ?
There was a problem hiding this comment.
Nope. It will return the token for tenant B automatically using the credential for tenant A. That's why it is called single-sign-on. Detailed description and test commands can be found at #11798 (comment)
+@qianwens for awareness
|
@jiasli Is this going to be merged and be part of next release? We need to change our cli extension PR based on the timelines of release of this feature. |
Yes. We will deliver it in this release. |
* Added CLI functions with tests * Resolved comments, added vnet-name to create * Fixed no_Wait call in create command * Changed active/passive voice issues and added enum to license type * Deleted existing recording file * Added test recording file * upgrade azure-mgmt-version to 0.16.0 * preview enabled for flexibility * init colorama in az --version to fix issue on windows (#11609) * [Storage] Remove Preview for -enable-hierarchical-namespace (#11639) * remove preview * update history * Adding new license type for az sql vm (#11570) * Adding DR license examples Adding DR license examples * Update test_sqlvm_update_license_and_sku.yaml Adding test for DR * Update test_vm_vmss_update_ultra_ssd_enabled.yaml Undone changes for recording of vm_vmss * Update test_vm_vmss_update_ultra_ssd_enabled.yaml * Update HISTORY.rst * Added CLI functions with tests * Resolved comments, added vnet-name to create * Fixed no_Wait call in create command * Changed active/passive voice issues and added enum to license type * Deleted existing recording file * Added test recording file * [Storage] Bump azure-mgmt-storage version to use api version 2019-06-01 (#11702) * update version for auzre-mgmt-storage in setup.py * pass test for storage module * last 14 failures * pass test_apim_core_service * revert test_linux_webapp_ssh * pass test_batchai_manual_scale_scenario * pass test_create_event_subscriptions_to_resource * pass test_hdinsight_cluster_kafka_with_rest_proxy * pass test_adla_account_mgmt * pass test_batchai_job_level_mounting_scenario * pass test_hdinsight_monitor * pass test_keyvault_storage_account * pass test_monitor_create_log_profile * pass test_sql_db_security_mgmt * pass test_sql_db_import_export_mgmt * pass test_create_for_rbac_with_existing_kv_cert * update version in requirements.txt * update history.rst * pass test_afs_commands * pass test_backup_restore.yaml * pass test_dls_file_mgmt * pass test_dls_file_mgmt * ACR: deprecate os parameter (#11699) * [App Service] On webapp up set httpsonly true (#11539) * https_only = true when using webapp up * update and validate testing * supress entire file and rerun test * update history * rerun tests * resetup dev and rerun test * Fix typo in `KeyVaultMgmtScenarioTest` (#11722) * Fix typo * Fix type in history.rst * Revert history * [General][Minor]Update Code Onwers (#11705) * Update Code Onwers remove @zikalino from code owner * Update CODEOWNERS * Update codeowner for scripts * Update CODEOWNERS Co-authored-by: Feng Zhou <55177366+fengzhou-msft@users.noreply.github.com> * [Compute][Feature]az vm create: Support default data source settings for vm workspace (#11704) * [RecoveryServices Backup]Added disk exclusion Feature for IAASVM (#11717) * Added disk exclusion tests * resolving comments * updated history.rst * removed redundant parameter * fix typo in authoring_commands.md (#11730) * update codeowner for resource (#11739) * Fix the test of test_managedapp (#11727) * Fix the test of test_resource_policyset (#11723) * add libc6-compat in dockerfile (#11742) * Update Cosmos DB python package (#11551) * migrating to cersion 0.10.0 of cosmos db management sdk * updating cosmosdb sdk version to allow patch support * update history to indicate changes * update os requirements * style improvements * updating all network-rule commands to comply with guidelines * update history to include network-rule changes * [AppConfig] Adding new command 'set-keyvault' to kv subgroup (#11571) * Adding new command set-keyvault and realted tests * Update string escaping for python 2 * Resolve comments * Remove default kwargs when validating vault id * Improve exception and help message * Update history file * Update test recordings * [AppConfig] Support Import/Export of features in yaml files (#11637) * feature flag import/export for yaml files * Remove naming-convention from import and add tests * Change all test files to json for passing CI tests * Using yaml.safe_dump and resolving comments * Updating histoy and separating tests * Adding new test recording file to credscansuppressions * [App Service] Add az webapp up flag for HTML static sites (#11719) * add html flag * run tests * rerun tests * update help message, add error for html flag * fix error * remove trailing whitespace * also look for htm and shtml files * [Compute] Feature issue #11203 Add new reapply command action for az vm (#11733) * [Compute] Feature issue #11203 Add new reapply command action for az vm * update HISTORY.rst, add examples in help.py * Added new parameters for account blob service properties to manage delete retention policy (#11660) * [misc] Add 'az version' (#11680) * Removing ReceiveDisabled status from EventHub and ServiceBus CLI doc as it's an invalid status (#11566) * Update _params.py Remove ReceiveDisabled because it is not a valid state for an EventHub. * Update _params.py * Update HISTORY.rst * Update _params.py * Update _params.py Co-authored-by: Zunli Hu <zuh@microsoft.com> * [RBAC] Return exit code 3 if app or sp doesn't exist (#11725) * update azure-cli version to 2.0.79 (#11762) * add codeonwer for sql (#11777) * fix: az monitor metric alert create. Fix test failure. (#11776) * updating BYOS commands to mark them as preview (#11755) This feature is in preview and this should be indicated * Fix: tox can use ADO default Python 2.7 (#11802) * python3.8 migration for homebrew (#11803) * [Storage] Support Table and Queue Encryption Service for storage account (#11706) * initialize encryption key feature * enable key type for queue * add test * uodate history * fix style * update package version * add test * add examples * refine examples * remove Preview * refine help * fix style * refine history * update CODEOWNERS (#11814) * [Webapp] Adding E2E tests for az webapp up (#11774) * Adding E2E tests for az webapp up Adding test for az webapp up for Node app Adding test for Python App for az webapp up Adding test for dotnercore for az webapp up Adding tests for static html Rerecording test Removing ResourceGroup preparer Testing with plan & resourcegroup Re-recording once more minus the -live flag * Making az webapp up tests live only * [Doc] Try new features before release (#11784) * [Doc] Try new features without releasing * use case-sensitive file name * Refine * Add highlighted rectangle in screenshot * Add entrance in main readme * Chore: move CredScansuppressions.json to codeownder guarded folder (#11815) * [Compute] disk update: Add --disk-encryption-set and --encryption-type; snapshot create/update: Add --disk-encryption-set and --encryption-type (#11805) * [Compute] disk update: Add --disk-encryption-set and --encryption-type * snapshot create/update: Add --disk-encryption-set and --encryption-type * Remove preview label * Fix style problem * Add parameter validation * Fix yaml * Fix test Co-authored-by: Xiaojian Xu <arrownj@126.com> * [AKS] Update example help text to reflect change of defaults to Standard LB and VMSS (#11791) * Upgrade to Azure CLI 2.0.80 (#11826) * Add table output to backup commands (#11764) * Fix typo in History.rst (#11835) * [IoT Central] Add new sku name to iotcentral (#11810) * [Core] Expose example_provider hook to include AI examples (#10987) * fix: enabling monitoring for OpenShift managed cluster (#11778) * Update fedora install troubleshooting doc (#11827) * Fix: 'az redis update' operation for RDB/AOF enabled redis caches (#11502) * Fixing "az redis update" to work on caches with RDB/AOF enabled. * Chore: disable CredScan job temporary for ADO security concern (#11844) * [KeyVault] Add example for container sas-definition (#11846) * Add example for container sas-definition * Add `--account-key` param * refact: update global --tags help content (#11847) * [Rest] Make --method -m optional (#11843) * [Core] Support filename and environment variable completion (#11817) * Chore: add code owner for command module appconfig (#11860) * Update code owner (#11875) * [AppService] Fix #10476: Support appservice in 2019-03-01-hybrid profile (#11056) * appservice: surface commands under the profile of 2019-03-01-hybrid * upgrade azure-mgmt-web to support multiapi * upgrade azure-mgmt-web in requirements * update release note * Update history in azure cli 2.0.75 * delete spaces * fix typo * use new package and make client multiapi * Re-record test for app service * pass test_acr_integration_function_app * pass test_acr_create_function_app * pass test_acr_integration * pass test_webapp_hyperv_e2e * replace api version because record_only() to pass test_webapp_continuousWebjob_e2e * pass test_webapp_create_linux_free * replace api version because record only to pass test_webapp_triggeredWebjob_list * pass test_webapp_e2e * replace api version to make test_linux_webapp_ssh pass because only supporting linux and mac * fix test_webapp_config * change api version to 20181101 * change api version to 2019-08-01 * live test * pass test_functionapp_reserved_instance for v2019-08-01 * pass test_set_domain_name * pass test_set_source_control_token * pass appservice except config * pass more test * pass test_metric_alert_v2_scenario * pass test_functionapp_access_restriction_set_complex * pass test_functionapp_access_restriction_add_service_endpoint * pass more test * pass mock * pass other tests in live mode azdev test --lf --live * revert aks test * pass test_keyvault_secret_sofy_delete * pass test_keyvault_storage_account * pass keyvault_softdelet * pass test_create_for_rbac_with_existing_kv_cert * pass test_version * revert test_node_type * pass test_webapp_config and deployment user show * add cmd_mock in unitest * update requirements * fix style * fix linter * add help for deployment user show * revert test_dls_file_mgmt * pass webapp_continuousWebjob * revert reversation_id * fix typo * pass test_linux_webapp_ssh Co-authored-by: Yugang Wang <yugangw@microsoft.com> * Bump argcomplete version (#11866) * [AppConfig] Support import/export of keyvault ref from appservice (#11773) * Support import/export of keyvault from appservice * Centralize reserved keywords and constants * Add connection string to all test commands * Remove shell_safe_json_parse * Making appservice test LiveScenarioTest * Updating history * Resolving comments * Reuse appsvc_value_dict variable * Remove test file from credscansuppression Co-authored-by: Zunli Hu <zuh@microsoft.com> * fix test_get_clouds_concurrent on python 3.8 windows (#11864) * Documented sql db restore time format (#11838) * Documented sql db restore time format Fixes #9273 * Style * [ARM] Fix az group export command does not support --query and --output parameters (#11885) * acr: add notary version compatibility checks (#11792) * {Storage} Update help for pattern (#11782) * update help for pattern * fix style * fix help * fix comments * [ARM] Fix the exit code of az group deployment validate when the verification fails (#11842) * [Storage]: Add a new command group `az storage share-rm` to use the Microsoft.Storage resource provider for Azure file share management operations. (#11649) [Storage]: Add a new command group `az storage share-rm` to use the Microsoft.Storage resource provider for Azure file share management operations. * delete cli_license_terms.md (#11902) * [Network]az network dns record-set add/remove: show warning when a new record-set is created automatically (#11900) * [ACR]: Add a prompt for command "az acr delete" to avoid accidental operation (#11899) * [Storage] Fix errors for storage blob update (#11907) * fix validator * update history.rst * [AppConfig] Support import/export of all labels between 2 config stores (#11756) * Import/export with label filters b/w config stores * Add unit tests * Updating arguments in help file * Update history and test recording * resolving comments * Modify error message text * fix failing test * {Storage} Refine help for storage data plane commands and log warning (#11903) * add long summary for data plane operations * refine examples * add warning * fix linter * fix typo * fix style * [AppConfig] Validate key and feature names before setting and importing (#11753) * Adding input validation for key and feature name * Adding unit tests * Add key validation for keyvault ref * Add missing comma in credscansiuppressions file * Fix styling issue * Make reserved keyword validations case insensitive * Update history file * Fix styling issue * Fix style issues Co-authored-by: Zunli Hu <zuh@microsoft.com> * [IoT] Deprecated command group 'iot hub job' (#11794) * Add deprecation message * removed empty line Co-authored-by: Feiyue Yu <iamyfy@163.com> * [AppConfig] Expose sku and managed identity for GA (#11795) * expose sku and managed identity feature * Expose features for GA 1. Remove preview tag for most commands 2. Expose sku modification for configuration store 3. Add command group for managed identity * fix styling issues * update user agent version * dedup input identities * add test cases for user assgined identity * remove duplicate code * revise identity validator * add default for identities * remove unnecessary import * hard code default value for identity * make identity argument take empty list * resolve conflict * merge conflict * update tests * fix styling issue * revise help message for --identities * remove multiple spaces * [Storage] Upgrade Azcopy for storage copy/remove and blob sync (#11874) [Storage] Integrate Azcopy 10.3.3 and support Win32. [Storage] `az storage copy`: Add `--include-path`, `--include-pattern`, `--exclude-path` and`--exclude-pattern` parameters [Storage] `az storage remove`: Change `--inlcude` and `--exclude` parameters to `--include-path`, `--include-pattern`, `--exclude-path` and`--exclude-pattern` parameters [Storage] `az storage sync`: Add `--include-pattern`, `--exclude-path` and`--exclude-pattern` parameters * remove pydocumentdb (#11918) * [ACR] Add new commands `az acr taskrun show/list/delete` for show list and remove (#11858) * [Azure Red Hat OpenShift] Add `monitor` subgroup to manage Log Analytics monitoring in Azure Red Hat OpensShift cluster (#11904) * [CDN] Add support for Rules engine feature (#11854) [CDN] Add support for rulesEngine feature [CDN] Add new commands group 'cdn endpoint rule' to manage rules [CDN] Update azure-mgmt-cdn version to 4.0.0 to use api version 2019-04-15 * [Security] Add new commands `az atp show` and `az atp update` to view and manage advanced threat protection settings for storage accounts * {Network} az network application-gateway create: set https when key_vault_secret_id provided (#11974) * [SQL] BREAKING CHANGE: az sql db create: Remove WideWorldImportersStd and WideWorldImportersFull as allowed values for --sample-name values (#11976) * Remove WideWorldImporters as allowed values for sql db sample name The WideWorldImportersStd and WideWorldImportersFull sql db samples were never supported in production and were only documented here by mistake. Removing them from allowed values so that users do not attempt to create them. Note that this is not a breaking change because these options already caused db creation to fail. * format history Co-authored-by: Zunli Hu <zuh@microsoft.com> * [RBAC] BREAKING CHANGE: Fix #11883: `az role assignment create`: empty scope will prompt error (#11983) * [RBAC] BREAKING CHANGE: Fix #11883: `az role assignment create`: empty scope will prompt error * add test for role assignment with empty scope case * udpate HISTORY.rst according to alphabetic order * {Packaging} Generate Homebrew formula by updating existing one by default (#11964) * [ARM] Fix az resource list cannot use tag when there is a default location (#11787) * Improve the error message of the conflict between tag and other filter conditions for az resource list * [ARM] Fix az resource tag crashed when the parameter --ids passed in is resource group ID (#11859) * Fix az resource tag crashed when the parameter --ids passed in is resource group ID * [Key Vault] Add a new command `az keyvault key download` for downloading keys (#11912) * Add support for downloading key * Fix bug & Support EC key * Add tests * Update the test * Modify history.rst * Fix linter error * Add some comments and fix some bugs * Add comments * Fix linter error * Fix linter error * Fix linter error and some code formats * Fix linter error * Refine string format * Remove `pylint: disable=line-too-long` * [Core][Profile] Add `tenant` parameter to `get_raw_token` (#11798) * Improve the error message of the conflict between tag and other filter conditions for az resource list command (#11796) * [Deployment Manager] Add `az deploymentmanager rollout/service/service-topology/service-unit/step list` commands (#11757) * DeploymentManager 2019-11-preview update * Modify tests, update history.rst * Fix pylint and style errors * Styling fixes * Fixing fileInput close for test automation pass * Incorporate feedback * Incorporated feedback + Re-record tests after merge * Fix styling errors * Incorporated feedback * Incorporated feedback * Fix cli styling errors * rearrange history Co-authored-by: Zunli Hu <zuh@microsoft.com> * [SQL] Add new commands `sql db classification show/list/update/delete` and `sql db classification recommendation list/enable/disable` to manage sensitivity classifications for SQL databases. (#11597) * New commands `sql db sensitivity-labels show/list/list-recommended/update/delete/enable-recommendation/disable-recommendation` to manage sensitivity labels for SQL databases. * Fix history file * Fix failing style checks * Fix help * Use g.command() for list, list-recommended, delete, enable-recommendation and disable-recommendation * rename sensitivity-labels to sensitivity-classification and add another group for recommendation * Fix sensitivity classifications test after sync * Rename command from `sensitivity-classification` to `classification` * information_type and label_name should not be required * SQl classification - fix comments * SQL classification Additional fixes * Update help * SQL classification - show command should be seperated for current/recommended Co-authored-by: Zunli Hu <zuh@microsoft.com> * Improve intercluster isolation (#11848) * Improve inter-cluster isolation `az aks create` creates a service principal when invoked the first time, and re-uses that service principal for all clusters it creates. This leads to all clusters being able to access each other's Azure resources, such as disks and load-balancers. This is undesirable since it means that a compromised cluster would allow an attacked to steal data from another cluster. This patch disabled service principal re-usage to ensure better isolation between clusters. * Update HISTORY.rst * Address comment from @Juliehzl * Also improve inter-cluster isolation via _ensure_aks_service_principal * Fix CI error * Re-trigger pipeline See pypa/pip#7217 * {Document} Modify PR template and document (#11913) * Service Fabric Application commands (#10666) [Service Fabric] Add new commands to manage appliaction and services. - sf application-type - list - delete - show - create - sf application-type version - list - delete - show - create - sf application - list - delete - show - create - update - sf service - list - delete - show - create * [ACS] add support for the aks 1.16/1.17 in "aks browse" command. (#11804) * switch to use the kube proxy to open the dashboard. * [Policy] Update policyinsights to 0.4.0 package (#11820) [Policy] Update policyinsights to 0.4.0 package [Policy] Add new command `az policy metadata` to retrieve rich policy metadata resources [Policy] `az policy remediation create`: Specify whether compliance should be re-evaluated prior to remediation with the `--resource-discovery-mode` parameter * [SQL] BREAKING CHANGE: `az sql dw create`: Deprecate `--zone-redundant` & `--read-replica-count` parameters (#11837) * Restructure db/dw create/update params Just adding new structure, not moving any code yet * Dedupe compute_model, auto_pause_delay, min_capacity * Dedupe read_scale and read_replica_count * Dedupe elastic_pool_id * Dedupe max_size_bytes * Indentation * Function naming * Formatting * More refactoring * Hide --read-replica-count from sql dw * Deprecate sql dw create --read-replicas * Deprecate sql dw create --zone-redundant * Add history and hide the parameters * Tweak comments * Style * Fixed style Co-authored-by: Zunli Hu <zuh@microsoft.com> * [BotService] Refactor tests, make bot create idempotent (#11935) * [SQL] az sql db audit-policy: Fix for empty audit actions and groups (#11800) * In case the policy is enabled and there are no audit actions and groups (Was overriden when disabling the policy), set the default value * update history Co-authored-by: Zunli Hu <zuh@microsoft.com> * {CI} Add PR title check (#11982) * [ACS] aks create/update: add --load-balancer-outbound-ports and --load-balancer-idle-timeout (#11960) * fix merge conflicts, update containerservice version * enable allocated ports and idletimeouts * add validation, help doc, fix linting * move lb to file * refactor for patch, update naming * update history * update setup file to latest acs version * feedback: update history, help docs and port validator * feedback:int not string, typo * int not string * add blank line * use logger instead of print * Update _loadbalancer.py * Update _loadbalancer.py Co-authored-by: Feiyue Yu <iamyfy@163.com> * [functionapp]: add ability to create java apps on Linux (#11811) * update azure-cli version to 2.0.81 (#12005) * Re-run functionapp tests (#12006) * {CI} Enable CredScan task of Microsoft Security Code Analysis (Preview) (#12019) * {Monitor} az monitor diagnostic-settings category list: fix bug(#12020) * [AMS] az ams is GA now (#12004) * {Compute} Fix typo in error message when attaching unmanaged disk (#12029) * [KeyVault] az keyvault key create: add a new value `import` for parameter `--ops` (#12030) * {Network} Clean up zone*.txt_export.txt files after tests (#12032) * [ACS] aks create/update: add validation for --vnet-subnet-id argument (#12038) * [AppConfig] Revise help message to exclude unsupported key/label filter (#12040) * {Resource} Bump to azure-mgmt-resource~=8.0.1 (#12050) * [Compute] vm/vmss/availability-set update: add --ppg to allowing updating ProximityPlacementGroup (#12002) * [Compute] vm/vmss/availability-set update: add --ppg to allowing updating ProximityPlacementGroup * stage * add test * Add help; Support translataion from name to ID * [Compute] vmss create: add --data-disk-iops and --data-disk-mbps (#11797) --data-disk-iops Specify the Read-Write IOPS (space delimited) for the managed disk. Should be used only when StorageAccountType is UltraSSD_LRS. If not specified, a default value would be assigned based on diskSizeGB. --data-disk-mbps Specify the bandwidth in MB per second (space delimited) for the managed disk. Should be used only when StorageAccountType is UltraSSD_LRS. If not specified, a default value would be assigned based on diskSizeGB. * upgrade azure-mgmt-version to 0.16.0 * preview enabled for flexibility * Added --no-wait and list command to the tests * Fixing lint issues * Resolving PR comments * Added transformer to create command * Updated network by syncing with upstream/dev * Removed description from HISTORY * Adding new test for list Co-authored-by: Rohan Doddaiah Shylaja <roshylaj@microsoft.com> Co-authored-by: Zunli Hu <zuh@microsoft.com> Co-authored-by: Feng Zhou <55177366+fengzhou-msft@users.noreply.github.com> Co-authored-by: Yadi Reyes <36422356+yareyes@users.noreply.github.com> Co-authored-by: Sam <samarthmshah@gmail.com> Co-authored-by: Allison Manifold <allisonm@microsoft.com> Co-authored-by: Bin Ma <bim@microsoft.com> Co-authored-by: MyronFanQiu <49134743+MyronFanQiu@users.noreply.github.com> Co-authored-by: Sambit Rath <es15btech11015@iith.ac.in> Co-authored-by: Azure CLI Bot <azclibot@microsoft.com> Co-authored-by: Xing Zhou <Zhou.Xing@microsoft.com> Co-authored-by: shurd <shurd@users.noreply.github.com> Co-authored-by: Avani Gupta <avanigupta@users.noreply.github.com> Co-authored-by: Xiaojian Xu <arrownj@126.com> Co-authored-by: Jiashuo Li <jiasli@microsoft.com> Co-authored-by: Basil Hariri <8660137+basilhariri@users.noreply.github.com> Co-authored-by: Byron Tardif <byvinyal@microsoft.com> Co-authored-by: Jianhui Harold <haroldrandom@gmail.com> Co-authored-by: Sisira Panchagnula <panchagnula@users.noreply.github.com> Co-authored-by: Feiyue Yu <fey@microsoft.com> Co-authored-by: Sean McKenna <seanmck@users.noreply.github.com> Co-authored-by: Ankit Kumar <kumar.ankit55@gmail.com> Co-authored-by: PoAn (Baron) Chen <chen.baron@hotmail.com> Co-authored-by: Matthew Booe <mirdaki@users.noreply.github.com> Co-authored-by: ganga1980 <gangams@microsoft.com> Co-authored-by: MECHANDR <30642185+MECHANDR@users.noreply.github.com> Co-authored-by: Yugang Wang <yugangw@microsoft.com> Co-authored-by: Jared Moore <jaredmoo@microsoft.com> Co-authored-by: Isaac Lee <58575754+Isaac-Lee-msft@users.noreply.github.com> Co-authored-by: Yu Chen <ychenu@microsoft.com> Co-authored-by: W <lixia_lei@outlook.com> Co-authored-by: Sapan Saxena <31940305+anusapan@users.noreply.github.com> Co-authored-by: Feiyue Yu <iamyfy@163.com> Co-authored-by: Shuai Wang <shuawan@microsoft.com> Co-authored-by: Huangli Wu <huanwu@microsoft.com> Co-authored-by: Olga Mirensky <omirensk@redhat.com> Co-authored-by: hytao <hytao@umich.edu> Co-authored-by: libronsh <58980373+libronsh@users.noreply.github.com> Co-authored-by: Min Pae <447317+sputnik13@users.noreply.github.com> Co-authored-by: Devesh Guha Oleti Muni <devesh.oleti@microsoft.com> Co-authored-by: ranisha2 <ranisha@microsoft.com> Co-authored-by: Cristian Klein <cristian@kleinlabs.eu> Co-authored-by: Alfredo Santamaria <chino.sebastian@gmail.com> Co-authored-by: Liming Liu <andyliuliming@outlook.com> Co-authored-by: Chris Eggert <pilor@users.noreply.github.com> Co-authored-by: Steven Gum <14935595+stevengum@users.noreply.github.com> Co-authored-by: Ganesha <ganesha.ashoka@gmail.com> Co-authored-by: giakas <giakas@microsoft.com> Co-authored-by: Gao Ruifeng <gaoruifeng@users.noreply.github.com> Co-authored-by: CHENYI ZHANG <czhang0727@gmail.com>
|
thanks this helped solve following error for us, we received that error when logging in from azure devops pipeline using, we did see a soft warning "argument --tenant is in preview, it may be removed/changed in a future release" <- please keep it 👍🏼 |
|
Hi @mattduguid, glad to know it is working for your, but I didn't really get your point. |
Sorry meant keep the —tenant parameter the message can go, the way it was worded made me think it may not be kept 😉 |
|
Haha, I got it. Sure we will definitely keep |
Inspired by #11351, #11780
In cli core:
get_raw_token: Addtenantparameter to acquire token for the tenant directly, needless to specify a subscription. The structure of the return value is not changed - a(cred, subscription, tenant)tuple, but the second element of the tuple -subscriptionis set toNonefor tenant token for backward compatibility.In command module:
az account get-access-token: Add--tenantparameter to acquire token for the tenant directly, needless to specify a subscription. In that case, the returned JSON doesn't havesubscriptionfield.The returned token can be decoded at https://jwt.ms/ for verification. This is a Microsoft website so there is no security concern to paste the token there. Check the
tidfield for the tenant ID.tenantis only available for user and service principal account, not for MSI or Cloud Shell account, because MSI or Cloud Shell account is a single-tenant account and it is meaningless to explicitly specify a tenant. We error it out for simplicity, otherwise we need to check whether the specified tenant is the home tenant of the account.To test:
az account get-access-token -haz login account get-access-token --tenant {}az ad sp create-for-rbac az login --service-principal -u {} -p {} -t {} az account get-access-token --tenant {}az login --identity az account get-access-token --tenant {}test_get_raw_token_in_cloud_consoleis added to mock Cloud ShellThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR has modified HISTORY.rst describing any customer-facing, functional changes. Note that this does not include changes only to help content. (see Modifying change log).
I adhere to the Command Guidelines.