Skip to content

[Profile] az login: Add --certificate for authenticating with service principal certificate#30091

Merged
jiasli merged 1 commit intoAzure:devfrom
jiasli:sp-cert
Oct 29, 2024
Merged

[Profile] az login: Add --certificate for authenticating with service principal certificate#30091
jiasli merged 1 commit intoAzure:devfrom
jiasli:sp-cert

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Oct 15, 2024
edited
Loading

Related command
az login

Description
Fix #28839
Require #30090

  1. Add --certificate for authenticating with service principal certificate
  2. Deprecate using --password to pass service principal certificate

Testing Guide

# New way to log in with a certificate
az login --service-principal --username xxx --certificate ~/mycert.pem --tenant xxx

# Logging in with secret should work as before
az login --service-principal --username xxx --password mysecret --tenant xxx

# Old way to log in with a certificate, will show a deprecation warning
az login --service-principal --username xxx --password ~/mycert.pem --tenant xxx

History Notes

[Profile] az login: Passing the service principal certificate with --password is deprecated and will be removed in version 2.67.0. Please use --certificate instead.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Oct 15, 2024
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️dla
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️kusto
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️2018-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2019-03-01-hybrid
️✔️3.12
️✔️3.9
️✔️2020-09-01-hybrid
️✔️3.12
️✔️3.9
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Oct 15, 2024
edited
Loading

⚠️AzureCLI-BreakingChangeTest
⚠️profile
rule cmd_name rule_message suggest_message
⚠️ 1006 - ParaAdd login cmd login added parameter certificate

@yonzhan
Copy link
Collaborator

yonzhan commented Oct 15, 2024
edited
Loading

az login refinement

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Oct 15, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Account az login/account label Oct 15, 2024
@jiasli jiasli mentioned this pull request Oct 15, 2024
Merged
jiasli
jiasli commented Oct 15, 2024
View reviewed changes
src/azure-cli/azure/cli/command_modules/profile/__init__.py Outdated
# Service principal
c.argument('service_principal', action='store_true',
help='Log in with a service principal.')
c.argument('certificate', help='A PEM file with key and public certificate.')
Copy link
Member Author

@jiasli jiasli Oct 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am hesitating on whether --certificate should have an alias -c. Using full name is definitely preferred.

Copy link
Contributor

@dcaro dcaro Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can add a parameter in the future, let's keep --certificate for now.

jiasli
jiasli commented Oct 15, 2024
View reviewed changes
src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment on lines +41 to +43
PASSWORD_CERTIFICATE_WARNING = (
"Using --password to pass service principal certificate is deprecated and will be removed in a "
"future release. Use --certificate instead.")
Copy link
Member Author

@jiasli jiasli Oct 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please kindly rephase the warning message. @dcaro @dbradish-microsoft

Copy link
Contributor

@dcaro dcaro Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
PASSWORD_CERTIFICATE_WARNING = (
"Using --password to pass service principal certificate is deprecated and will be removed in a "
"future release. Use --certificate instead.")
PASSWORD_CERTIFICATE_WARNING = (
"Passing the service principal certificate with `--password` is deprecated and will be removed in a future release. Please use `--certificate` instead.")

Copy link
Member Author

@jiasli jiasli Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Shall we be explicit on "a future release"?

Copy link
Collaborator

@yonzhan yonzhan Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since the next breaking change release is very close, shall we give customers more time to see this warning message?

Copy link
Contributor

@dcaro dcaro Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, let's give sufficient time for customers to notice the warning message

dcaro
dcaro reviewed Oct 16, 2024
View reviewed changes
Copy link
Contributor

@dcaro dcaro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my suggestion

src/azure-cli/azure/cli/command_modules/profile/__init__.py Outdated
# Service principal
c.argument('service_principal', action='store_true',
help='Log in with a service principal.')
c.argument('certificate', help='A PEM file with key and public certificate.')
Copy link
Contributor

@dcaro dcaro Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can add a parameter in the future, let's keep --certificate for now.

src/azure-cli-core/azure/cli/core/auth/identity.py Outdated
Comment on lines +41 to +43
PASSWORD_CERTIFICATE_WARNING = (
"Using --password to pass service principal certificate is deprecated and will be removed in a "
"future release. Use --certificate instead.")
Copy link
Contributor

@dcaro dcaro Oct 16, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
PASSWORD_CERTIFICATE_WARNING = (
"Using --password to pass service principal certificate is deprecated and will be removed in a "
"future release. Use --certificate instead.")
PASSWORD_CERTIFICATE_WARNING = (
"Passing the service principal certificate with `--password` is deprecated and will be removed in a future release. Please use `--certificate` instead.")

evelyn-ys
evelyn-ys reviewed Oct 25, 2024
View reviewed changes
src/azure-cli/azure/cli/command_modules/profile/custom.py

if username:
if not (password or client_assertion):
if not (password or client_assertion or certificate):
Copy link
Member

@evelyn-ys evelyn-ys Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shall we also add certificate check in

azure-cli/src/azure-cli/azure/cli/command_modules/profile/custom.py

Lines 123 to 126 in 6c32c4d

if any([password, service_principal, tenant]) and identity:
raise CLIError("usage error: '--identity' is not applicable with other arguments")
if any([password, service_principal, username, identity]) and use_device_code:
raise CLIError("usage error: '--use-device-code' is not applicable with other arguments")

Copy link
Member Author

@jiasli jiasli Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, as missing all 3 types of credentials will result in prompting for secrets.

Copy link
Member

@evelyn-ys evelyn-ys Oct 28, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, if user pass in --certificate together with --identity/--use-device-code, we should raise error as well, right?

Copy link
Member Author

@jiasli jiasli Oct 28, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--certificate will be discarded in that case. As you can see, client_assertion is not checked either. We can do that in a separate PR.

jiasli
jiasli commented Oct 25, 2024
View reviewed changes
src/azure-cli/azure/cli/command_modules/profile/custom.py

if service_principal:
from azure.cli.core.auth.identity import ServicePrincipalAuth
password = ServicePrincipalAuth.build_credential(password, client_assertion, use_cert_sn_issuer)
Copy link
Member Author

@jiasli jiasli Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Passing keyword arguments as positional arguments is fragile and may break unexpectedly.

Copy link
Contributor

@dcaro dcaro Oct 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, I am not a big fan of positional arguments in general.

@jiasli jiasli marked this pull request as ready for review October 25, 2024 10:05
evelyn-ys
evelyn-ys previously approved these changes Oct 28, 2024
View reviewed changes
dcaro
dcaro reviewed Oct 28, 2024
View reviewed changes
@jiasli jiasli merged commit 250d6db into Azure:dev Oct 29, 2024
@jiasli jiasli deleted the sp-cert branch October 29, 2024 08:25
@jikuja
Copy link

jikuja commented Nov 8, 2024

azure-cli/src/azure-cli/azure/cli/command_modules/role/custom.py

Line 1305 in b976aa4

"Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument",

That should be also updates for this

@jiasli jiasli mentioned this pull request Nov 11, 2024
Merged
@jiasli
Copy link
Member Author

jiasli commented Nov 11, 2024

Thank you @jikuja. This is a nice catch. I am making this change in #30277.

@bebound bebound mentioned this pull request Nov 11, 2024
Merged
3 tasks
@jiasli jiasli mentioned this pull request Nov 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dcaro dcaro dcaro left review comments

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@yonzhan yonzhan Awaiting requested review from yonzhan

@calvinhzy calvinhzy Awaiting requested review from calvinhzy

Assignees

@jiasli jiasli

Labels

Account az login/account Auto-Assign Auto assign by bot

Projects

None yet

Milestone

October 2024 (2024-11-11)

Development

Successfully merging this pull request may close these issues.

Leak of az secrets in file system system calls

6 participants

@jiasli @yonzhan @jikuja @bebound @dcaro @evelyn-ys