Skip to content

{Profile} Add CREDENTIAL_WARNING_MESSAGE for more commands #16222

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jiasli merged 2 commits into from
Dec 18, 2020
Merged

{Profile} Add CREDENTIAL_WARNING_MESSAGE for more commands #16222

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7030139
Add CREDENTIAL_WARNING_MESSAGE for more commands
jiasli Dec 10, 2020
90276c4
Add help
jiasli Dec 10, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
125 changes: 66 additions & 59 deletions src/azure-cli/azure/cli/command_modules/profile/_help.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,89 +8,96 @@
from knack.help_files import helps # pylint: disable=unused-import

helps['login'] = """
type: command
short-summary: Log in to Azure.
examples:
- name: Log in interactively.
text: >
az login
- name: Log in with user name and password. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. Use -p=secret if the first character of the password is '-'.
text: >
az login -u [email protected] -p VerySecret
- name: Log in with a service principal using client secret. Use -p=secret if the first character of the password is '-'.
text: >
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
- name: Log in with a service principal using client certificate.
text: >
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
- name: Log in using a VM's system assigned identity
text: >
az login --identity
- name: Log in using a VM's user assigned identity. Client or object ids of the service identity also work
text: >
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID
"""
type: command
short-summary: Log in to Azure.
examples:
- name: Log in interactively.
text: >
az login
- name: Log in with user name and password. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. Use -p=secret if the first character of the password is '-'.
text: >
az login -u [email protected] -p VerySecret
- name: Log in with a service principal using client secret. Use -p=secret if the first character of the password is '-'.
text: >
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
- name: Log in with a service principal using client certificate.
text: >
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
- name: Log in using a VM's system assigned identity
text: >
az login --identity
- name: Log in using a VM's user assigned identity. Client or object ids of the service identity also work
text: >
az login --identity -u /subscriptions/<subscriptionId>/resourcegroups/myRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myID
"""

helps['account'] = """
type: group
short-summary: Manage Azure subscription information.
type: group
short-summary: Manage Azure subscription information.
"""

helps['account clear'] = """
type: command
short-summary: Clear all subscriptions from the CLI's local cache.
long-summary: To clear the current subscription, use 'az logout'.
type: command
short-summary: Clear all subscriptions from the CLI's local cache.
long-summary: To clear the current subscription, use 'az logout'.
"""

helps['account list'] = """
type: command
short-summary: Get a list of subscriptions for the logged in account.
type: command
short-summary: Get a list of subscriptions for the logged in account.
"""

helps['account list-locations'] = """
type: command
short-summary: List supported regions for the current subscription.
type: command
short-summary: List supported regions for the current subscription.
"""

helps['account show'] = """
type: command
short-summary: Get the details of a subscription.
long-summary: If no subscription is specified, shows the current subscription.
type: command
short-summary: Get the details of a subscription.
long-summary: If no subscription is specified, shows the current subscription.
"""

helps['account set'] = """
type: command
short-summary: Set a subscription to be the current active subscription.
type: command
short-summary: Set a subscription to be the current active subscription.
"""

helps['account show'] = """
Copy link
Member Author

@jiasli jiasli Dec 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--sdk-auth should be deprecated for az account show because it is regurgitating the credential which is not a secure practice.

type: command
short-summary: Get the details of a subscription.
long-summary: If the subscription isn't specified, shows the details of the default subscription.
type: command
short-summary: Get the details of a subscription.
long-summary: >-
If the subscription isn't specified, shows the details of the default subscription.


When --sdk-auth is used,
the output includes credentials that you must protect. Be sure that you do not include these credentials
in your code or check the credentials into your source control. As an alternative, consider using
[managed identities](https://aka.ms/azadsp-managed-identities) if available to avoid the need to use credentials.
Comment on lines +73 to +76
Copy link
Member Author

@jiasli jiasli Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Refine the help message of az account show.

"""

helps['account get-access-token'] = """
type: command
short-summary: Get a token for utilities to access Azure.
long-summary: >
The token will be valid for at least 5 minutes with the maximum at 60 minutes.
If the subscription argument isn't specified, the current account is used.
examples:
- name: Get an access token for the current account
text: >
az account get-access-token
- name: Get an access token for a specific subscription
text: >
az account get-access-token --subscription 00000000-0000-0000-0000-000000000000
- name: Get an access token for a specific tenant
text: >
az account get-access-token --tenant 00000000-0000-0000-0000-000000000000
- name: Get an access token to use with MS Graph API
text: >
az account get-access-token --resource-type ms-graph
type: command
short-summary: Get a token for utilities to access Azure.
long-summary: >
The token will be valid for at least 5 minutes with the maximum at 60 minutes.
If the subscription argument isn't specified, the current account is used.
examples:
- name: Get an access token for the current account
text: >
az account get-access-token
- name: Get an access token for a specific subscription
text: >
az account get-access-token --subscription 00000000-0000-0000-0000-000000000000
- name: Get an access token for a specific tenant
text: >
az account get-access-token --tenant 00000000-0000-0000-0000-000000000000
- name: Get an access token to use with MS Graph API
text: >
az account get-access-token --resource-type ms-graph
"""

helps['self-test'] = """
type: command
short-summary: Runs a self-test of the CLI.
type: command
short-summary: Runs a self-test of the CLI.
"""
12 changes: 8 additions & 4 deletions src/azure-cli/azure/cli/command_modules/profile/custom.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,15 @@ def list_subscriptions(cmd, all=False, refresh=False): # pylint: disable=redefi
def show_subscription(cmd, subscription=None, show_auth_for_sdk=None):
import json
profile = Profile(cli_ctx=cmd.cli_ctx)
if not show_auth_for_sdk:
return profile.get_subscription(subscription)

# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
if show_auth_for_sdk:
Copy link
Member Author

@jiasli jiasli Dec 10, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reverting the not logic as --sdk-auth is the uncommon code path.

from azure.cli.command_modules.role.custom import CREDENTIAL_WARNING_MESSAGE
logger.warning(CREDENTIAL_WARNING_MESSAGE)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
return

return profile.get_subscription(subscription)


def get_access_token(cmd, subscription=None, resource=None, resource_type=None, tenant=None):
Expand Down
4 changes: 2 additions & 2 deletions src/azure-cli/azure/cli/command_modules/role/custom.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1506,6 +1506,8 @@ def create_service_principal_for_rbac(
ex.response.headers) # pylint: disable=no-member
raise

logger.warning(CREDENTIAL_WARNING_MESSAGE)
Copy link
Member Author

@jiasli jiasli Dec 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Print the warning earlier so that it is printed when show_auth_for_sdk is True.


if show_auth_for_sdk:
from azure.cli.core._profile import Profile
profile = Profile(cli_ctx=cmd.cli_ctx)
Expand All @@ -1527,8 +1529,6 @@ def create_service_principal_for_rbac(
"Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument",
cert_file)
result['fileWithCertAndPrivateKey'] = cert_file

logger.warning(CREDENTIAL_WARNING_MESSAGE)
return result


Expand Down