Skip to content

[Profile] Fix "missing secret or certificate in order to authenticate through a service principal" #16219

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiasli merged 2 commits into from
Dec 24, 2020
Merged

[Profile] Fix "missing secret or certificate in order to authenticate through a service principal" #16219

jiasli merged 2 commits into from
Dec 24, 2020

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Dec 10, 2020

Description

After logging in with a Service Principal using a certificate, 2 commands

  • az account show --sdk-auth
  • az account list --refresh

will fail with

missing secret or certificate in order to authenticate through a service principal

This is because retrieve_secret_of_service_principal can only return a secret, but None for certificateFile, causing subsequent ServicePrincipalAuth instantiation to fail due to the lack of password_arg_value.

This PR fixes these commands by:

  • Rename retrieve_secret_of_service_principal to retrieve_cred_for_service_principal to reflect its actual functionality.
  • Let retrieve_cred_for_service_principal return secret or certificateFile of the Service Principal so that ServicePrincipalAuth gets what it needs.

Testing Guide

To repro:

> az ad sp create-for-rbac --create-cert --skip-assignment --sdk-auth
{
    "clientId": "9bf154b1-c29b-4aeb-804a-0a1f8a9bac4c",
    "clientCertificate": "C:\\Users\\username\\tmp6yoosff6.pem",
    "subscriptionId": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
}

> az login --service-principal 
           --username "9bf154b1-c29b-4aeb-804a-0a1f8a9bac4c" 
           --password "C:\Users\username\tmp6yoosff6.pem"
           --tenant "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
           --allow-no-subscriptions

> az account show --sdk-auth
missing secret or certificate in order to authenticate through a service principal

> az account list --refresh
Refreshing for '9bf154b1-c29b-4aeb-804a-0a1f8a9bac4c' failed with an error 'missing secret or certificate 
in order to authenticate through a service principal'. The existing accounts were not modified. You can run 
'az login' later to explicitly refresh them

After the fix:

> az account show --sdk-auth
{
  "clientId": "9bf154b1-c29b-4aeb-804a-0a1f8a9bac4c",
  "clientCertificate": "C:\\Users\\username\\tmp6yoosff6.pem",
  "subscriptionId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

> az account list --refresh
[
  {
    "cloudName": "AzureCloud",
    "id": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "isDefault": true,
    "name": "N/A(tenant level account)",
    "state": "Enabled",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "user": {
      "name": "9bf154b1-c29b-4aeb-804a-0a1f8a9bac4c",
      "type": "servicePrincipal"
    }
  }
]

@yonzhan yonzhan added this to the S180 milestone Dec 10, 2020
@yonzhan
Copy link
Collaborator

yonzhan commented Dec 10, 2020

Profile

jiasli
jiasli commented Dec 10, 2020
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py
return (token_entry[_TOKEN_ENTRY_TOKEN_TYPE], token_entry[_ACCESS_TOKEN], token_entry)

def retrieve_secret_of_service_principal(self, sp_id):
def retrieve_cred_for_service_principal(self, sp_id):
Copy link
Member Author

@jiasli jiasli Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Replace of with for to be in sync with retrieve_token_for_service_principal.

@jiasli
Copy link
Member Author

jiasli commented Dec 10, 2020

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Dec 10, 2020

Azure Pipelines successfully started running 2 pipeline(s).

@jiasli jiasli merged commit e5eefd2 into Azure:dev Dec 24, 2020
@jiasli jiasli deleted the sp-cert branch December 24, 2020 07:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@fengzhou-msft fengzhou-msft Awaiting requested review from fengzhou-msft

@haroldrandom haroldrandom Awaiting requested review from haroldrandom

@houk-ms houk-ms Awaiting requested review from houk-ms

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@Juliehzl Juliehzl Awaiting requested review from Juliehzl

Assignees

@jiasli jiasli

Labels

None yet

Projects

None yet

Milestone

S180

Development

Successfully merging this pull request may close these issues.

3 participants

@jiasli @yonzhan @evelyn-ys