[Core] PREVIEW: Support MSAL managed identity #31092
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
️✔️AzureCLI-FullTest
|
|
Hi @jiasli, |
️✔️AzureCLI-BreakingChangeTest
|
Collaborator
|
Thank you for your contribution! We will review the pull request and get back to you soon. |
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
bot
requested review from
yonzhan and
zhoxing-ms
microsoft-github-policy-service
bot
added
the
ARM
microsoft-github-policy-service
bot
added
Account
yonzhan
removed
the
ARM
rayluo
approved these changes
Mar 20, 2025
Member
rayluo
left a comment
rayluo
left a comment
There was a problem hiding this comment.
Overall LGTM. Just adding a minor comment below. Approving.
| self._msal_client = ManagedIdentityClient(SystemAssignedManagedIdentity(), http_client=requests.Session()) | ||
| if client_id or resource_id or object_id: | ||
| managed_identity = UserAssignedManagedIdentity( | ||
| client_id=client_id, resource_id=resource_id, object_id=object_id) |
Member
There was a problem hiding this comment.
note (unblocking)
If there is not exactly one ID being used, a ManagedIdentityError exception will be thrown here. A fyi, in case you would want to catch it and provide your more suitable error message.
Member
Author
There was a problem hiding this comment.
We already check this by ourselves:
azure-cli/src/azure-cli-core/azure/cli/core/_profile.py
Lines 817 to 819 in 17444a3
jiasli
requested review from
bebound,
calvinhzy,
evelyn-ys,
jsntcy,
kairu-ms and
necusjz
as code owners
Member
Author
Bash script to create an Azure VM for testing managed identityThis script does below things:
# Populate below variables
tenant=xxx
sub=xxx
vm=xxx
ssh_key='ssh-rsa AAAAB...'
mi=${vm}mi
rg=${vm}rg
username=azureuser
location=southeastasia
corpnet_prefix=CorpNetPublic
az login --tenant $tenant
az account set -s $sub
az group create -g $rg -l $location
ip=$(az vm create -n $vm -g $rg --image Ubuntu2404 --size Standard_B2s --nsg-rule NONE --admin-username $username --ssh-key-values "$ssh_key" --assign-identity [system] --query publicIpAddress --output tsv)
az network nsg rule create -g $rg --nsg-name "${vm}NSG" -n allow_ssh --priority 100 --source-address-prefixes $corpnet_prefix --destination-port-ranges 22 --direction Inbound --access Allow --protocol Tcp --description "Allow SSH from CorpNet"
vm_object_id=$(az vm identity show -n $vm -g $rg --query principalId --output tsv)
az role assignment create --role Reader --assignee $vm_object_id --scope /subscriptions/$sub
mi_client_id=$(az identity create --name $mi -g $rg --query clientId --output tsv)
az vm identity assign -g $rg -n $vm --identities /subscriptions/$sub/resourcegroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$mi
az role assignment create --role Reader --assignee $mi_client_id --scope /subscriptions/$sub
echo ssh -L 8000:169.254.169.254:80 -o "StrictHostKeyChecking no" $username@$ip
# Test MI auth
mi_client_id=$(az identity show --name $mi -g $rg --query clientId --output tsv)
mi_object_id=$(az identity show --name $mi -g $rg --query principalId --output tsv)
mi_resource_id=$(az identity show --name $mi -g $rg --query id --output tsv)
echo az login --identity
echo az login --identity --client-id $mi_client_id
echo az login --identity --object-id $mi_object_id
echo az login --identity --resource-id $mi_resource_id
echo az group list
echo az account get-access-token |
evelyn-ys
previously approved these changes
Mar 24, 2025
jiasli
commented
Mar 24, 2025
| subscriptions = subscription_finder.find_using_specific_tenant(tenant, cred) | ||
| base_name = ('{}-{}'.format(identity_type, identity_id) if identity_id else identity_type) | ||
| user = _USER_ASSIGNED_IDENTITY if identity_id else _SYSTEM_ASSIGNED_IDENTITY | ||
| base_name = ('{}-{}'.format(identity_id_type, identity_id_value) if identity_id_value else identity_id_type) |
Member
Author
There was a problem hiding this comment.
The previous variable name identity_type is not accurate. Identity type means systemAssignedIdentity or userAssignedIdentity.
This was referenced Mar 24, 2025
Member
Author
|
Rerun CI after #31115. |
|
Azure Pipelines successfully started running 3 pipeline(s). |
bebound
approved these changes
Mar 24, 2025
Member
Author
|
Rerun CI after #31117. |
|
Azure Pipelines successfully started running 3 pipeline(s). |
evelyn-ys
approved these changes
Mar 25, 2025
jiasli
changed the title
This was referenced Mar 25, 2025
Member
Author
|
MSAL supports below managed identity variations:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related command
az login --identityDescription
Migrating from
msrestazureto MSAL for managed identity authentication (#25959) in one shot can be risky.This PR reuses the code of #29187, #30267 to add a preview of managed identity authentication with MSAL. Run
az config set core.use_msal_managed_identity=trueor set environment variableAZURE_CORE_USE_MSAL_MANAGED_IDENTITY=trueto enable it.Testing Guide
History Notes
[Core] PREVIEW: Support managed identity authentication with MSAL. Run
az config set core.use_msal_managed_identity=trueor set environment variableAZURE_CORE_USE_MSAL_MANAGED_IDENTITY=trueto enable it