Skip to content

{Role} Keep --sdk-auth, for now#19872

Merged
jiasli merged 2 commits intoAzure:devfrom
jiasli:sdk-auth
Oct 15, 2021
Merged

{Role} Keep --sdk-auth, for now#19872
jiasli merged 2 commits intoAzure:devfrom
jiasli:sdk-auth

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Oct 13, 2021

Require #19853

Context

Even though we have announced the deprecation of --sdk-auth in #19414 since Python SDK has deprecated the usage of the output JSON file, there are still other places when this JSON file is used, like

  1. GitHub Actions (https://github.com/Azure/github/issues/104#issuecomment-941920571): https://github.com/Azure/login/blob/master/README.md#configure-deployment-credentials:
  2. https://github.com/MicrosoftDocs/azure-devops-docs/blob/master/docs/pipelines/targets/azure-stack.md#create-or-validate-your-spn
  3. https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/azure-netapp-files/azacsnap-installation.md#azure-netapp-files-with-virtual-machine
  4. https://github.com/MicrosoftDocs/azure-stack-docs/blob/master/azure-stack/user/ci-cd-github-action-webapp.md#get-service-principal

Change

Thus the deprecation is delayed and --sdk-auth is brought back for now.

Security concerns

az account show --sdk-auth compromises the security of MSAL's encrypted service principal credential store, as it can "spit out" / echo the original service principal secrets. This is not a secure behavior - consider you can see your password after you login to Windows or https://outlook.live.com/.

Testing guide

  • az ad sp create-for-rbac --sdk-auth
  • az account show --sdk-auth

References

@yonzhan
Copy link
Collaborator

yonzhan commented Oct 13, 2021
edited
Loading

Bring back --sdk-auth

@yonzhan yonzhan added this to the Oct 2021 (2021-11-02) milestone Oct 13, 2021
@jiasli jiasli added the MSAL label Oct 13, 2021
@jiasli jiasli requested a review from yonzhan October 15, 2021 06:14
@jiasli jiasli changed the title {Role} Bring back --sdk-auth, for now {Role} Keep --sdk-auth, for now Oct 15, 2021
@jiasli jiasli merged commit 802f581 into Azure:dev Oct 15, 2021
@jiasli jiasli deleted the sdk-auth branch October 15, 2021 07:43
@stevendborrelli stevendborrelli mentioned this pull request Jan 3, 2022
Open
4 tasks
@jiasli
Copy link
Member Author

jiasli commented Feb 7, 2022

The output of --sdk-auth is also used by Application Gateway Ingress Controller (AGIC):

https://docs.microsoft.com/en-us/azure/application-gateway/ingress-controller-install-existing#using-a-service-principal

@galiacheng
Copy link

galiacheng commented Feb 7, 2022

Thank you @jiasli Glad to see --sdk-auth back! Java EE on Azure team is using sdk-auth format service principal to install AGIC for Azure WebLogic on AKS offer.

@jiasli
Copy link
Member Author

jiasli commented Feb 7, 2022

Migration

With --sdk-auth option vs without it, the JSON keys are different (e.g. --sdk-auth gives clientId while without it, you get appId).

For tools that consume the output of --sdk-auth, you may translate the JSON output of az ad sp create-for-rbac to match az ad sp create-for-rbac --sdk-auth:

  • appId -> clientId
  • password -> clientSecret
  • tenant -> tenantId
  • add subscriptionId

Without --sdk-auth:

> az ad sp create-for-rbac

{
  "appId": "21ec2946-231c-480f-86c7-824b215326a4",
  "displayName": "azure-cli-2022-02-07-07-07-00",
  "password": "...",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}

With --sdk-auth:

> az ad sp create-for-rbac --sdk-auth
{
  "clientId": "<appId>",
  "clientSecret": "<password>",
  "subscriptionId": "...",
  "tenantId": "<tenant>",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Originally posted by @erik-ha-msft in Azure/aks-set-context#40 (comment)

@jiasli jiasli mentioned this pull request Feb 8, 2022
Merged
@jiasli jiasli mentioned this pull request May 7, 2022
Open
@MoChilia MoChilia mentioned this pull request May 31, 2023
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@calvinhzy calvinhzy calvinhzy approved these changes

@yonzhan yonzhan yonzhan approved these changes

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms

Assignees

@jiasli jiasli

Labels

MSAL

Projects

None yet

Milestone

Oct 2021 (2021-11-02) - For Ignite

Development

Successfully merging this pull request may close these issues.

5 participants

@jiasli @yonzhan @galiacheng @evelyn-ys @calvinhzy