
[Core] Support getting SSH certificate inside Cloud Shell #22162

Merged (8 commits), May 19, 2022

Conversation

rayluo
Member

@rayluo rayluo commented Apr 22, 2022

Close #22063

This is a proof-of-concept to acquire SSH Cert from inside Cloud Shell.

Prerequisite: An MSAL prototype from this PR AzureAD/microsoft-authentication-library-for-python#420

@jiasli

@yonzhan
Collaborator

yonzhan commented Apr 23, 2022

PoC of SSH Cert support

@jiasli jiasli changed the title from "A PoC of support SSH Cert inside Cloud Shell" to "[Core] Support getting SSH certificate inside Cloud Shell" May 13, 2022
# Conflicts:
#	src/azure-cli-core/setup.py
#	src/azure-cli/requirements.py3.Linux.txt
@jiasli
Member

jiasli commented May 18, 2022

My test steps in Cloud Shell:

python -m venv cli-env
. cli-env/bin/activate

git clone https://github.com/Azure/azure-cli
cd azure-cli
git checkout cloudshell-imds

pip install -U pip
pip install azdev
azdev setup -c

# Working, in sub ae43b1e3-c35d-4c8c-bc0d-f148b4c52b78
az ssh vm -g rayluo-eastus2 -n LinuxVM

# Not working, in sub 0b1f6471-1bf0-4dda-aec3-cb9272f09590
az ssh vm -g jiasli-ssh-rg -n jiasli-ssh2
# output
A Cloud Shell credential problem occurred. When you report the issue with the error below, please mention the hostname 'cc-f29c4d42-7cd5855d5c-gpgrf'
token_type ssh-cert is not supported by this version of Azure Portal
Please explicitly log in with:
az login --scope https://pas.windows.net/CheckMyAccess/Linux/.default

Comment on lines +25 to +34
import msal
from .util import check_result, build_sdk_access_token
from .identity import AZURE_CLI_CLIENT_ID
app = msal.PublicClientApplication(
AZURE_CLI_CLIENT_ID, # Use a real client_id, so that cache would work
# TODO: This PoC does not currently maintain a token cache;
# Ideally we should reuse the real MSAL app object which has cache configured.
# token_cache=...,
)
result = app.acquire_token_interactive(list(scopes), prompt="none", data=kwargs["data"])
Member Author

@rayluo rayluo May 18, 2022


If the real central MSAL instance is somehow available here, I think we can reuse it, so that its already configured token_cache behavior will automatically be used to store SSH certs, and then this section can probably be refactored into something like below.

However, you do NOT have to make this change in this PR. We can merge this PR as-is (perhaps after MSAL 1.18 ships?) and postpone this cache improvement to a later date.

Suggested change
import msal
from .util import check_result, build_sdk_access_token
from .identity import AZURE_CLI_CLIENT_ID
app = msal.PublicClientApplication(
AZURE_CLI_CLIENT_ID, # Use a real client_id, so that cache would work
# TODO: This PoC does not currently maintain a token cache;
# Ideally we should reuse the real MSAL app object which has cache configured.
# token_cache=...,
)
result = app.acquire_token_interactive(list(scopes), prompt="none", data=kwargs["data"])
from .util import check_result, build_sdk_access_token
app = somehow_get_the_central_app_that_already_initialized() # TODO
result = app.acquire_token_silent_with_error(list(scopes), data=kwargs["data"])
if result is None or "error" in result:
result = app.acquire_token_interactive(list(scopes), prompt="none", data=kwargs["data"])
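Review bot: the silent path `result = app.acquire_token_silent_with_error(list(scopes), data=kwargs["data"])` returns whatever the shared cache holds for these scopes, so the lookup must be keyed on the `data` payload (the SSH key identity) as well as on the scopes, otherwise a plain access token or a certificate issued for a different key could be handed back in place of the expected SSH certificate. The interactive fallback on the next line also returns an unchecked dict when `prompt="none"` fails (the "token_type ssh-cert is not supported" error reported above is one such case), so the result should still go through `check_result` and a `result.get("token_type") == "ssh-cert"` check before `build_sdk_access_token` consumes it.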

@jiasli
Member

jiasli commented May 19, 2022

Tested MSAL released to https://test.pypi.org/project/msal/ and it works well!

pip install --index-url https://test.pypi.org/simple/ msal==1.18.0b1

@jiasli jiasli marked this pull request as ready for review May 19, 2022 08:40
Member Author

@rayluo rayluo left a comment


Great team work! Ship it! #Approve

@jiasli jiasli merged commit a179344 into dev May 19, 2022
@jiasli jiasli deleted the cloudshell-imds branch May 19, 2022 14:22
Successfully merging this pull request may close these issues.

Single Click SSH in Azure Cloud Shell