diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py index 4fb3d5e7d17..97b3fee9af1 100644 --- a/src/azure-cli-core/azure/cli/core/auth/identity.py +++ b/src/azure-cli-core/azure/cli/core/auth/identity.py @@ -22,6 +22,13 @@ AZURE_CLI_CLIENT_ID = '04b07795-8ddb-461a-bbee-02f9e1bf7b46' +# For environment credential +AZURE_AUTHORITY_HOST = "AZURE_AUTHORITY_HOST" +AZURE_TENANT_ID = "AZURE_TENANT_ID" +AZURE_CLIENT_ID = "AZURE_CLIENT_ID" +AZURE_CLIENT_SECRET = "AZURE_CLIENT_SECRET" + + logger = get_logger(__name__) @@ -346,3 +353,23 @@ def _try_remove(path): os.remove(path) except FileNotFoundError: pass + + +def get_environment_credential(): + # A temporary workaround used by rdbms module to use environment credential. + # TODO: Integrate with Identity and utilize MSAL HTTP and token cache to officially implement + # https://github.com/Azure/azure-cli/issues/10241 + from os import getenv + + sp_auth = ServicePrincipalAuth({ + _TENANT: getenv(AZURE_TENANT_ID), + _CLIENT_ID: getenv(AZURE_CLIENT_ID), + _CLIENT_SECRET: getenv(AZURE_CLIENT_SECRET) + }) + + authority, _ = _get_authority_url( + # Override authority host if defined as env var + getenv(AZURE_AUTHORITY_HOST) or 'https://login.microsoftonline.com', + getenv(AZURE_TENANT_ID)) + credentials = ServicePrincipalCredential(sp_auth, authority=authority) + return credentials diff --git a/src/azure-cli-core/azure/cli/core/tests/test_profile.py b/src/azure-cli-core/azure/cli/core/tests/test_profile.py index 1991de6cd13..a5c32141b7c 100644 --- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py +++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py 
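Review bot: `get_environment_credential()` reads `AZURE_TENANT_ID` and `AZURE_CLIENT_SECRET` with `getenv` and passes them straight into `ServicePrincipalAuth` and `_get_authority_url`, so an unset variable arrives as `None`; the rdbms callers in this commit test only `AZURE_CLIENT_ID` before calling it. How those two helpers treat `None` is not visible in this hunk, but the likely outcome is a confusing failure during the token request rather than a message naming the missing variable. I would check all three up front and raise an error that lists the variable names only, never their values. Separately, `AZURE_AUTHORITY_HOST` decides which host the client secret is presented to, so it deserves a one-line comment saying so and, unless `_get_authority_url` already enforces it, a check that the value is an `https://` URL. The leading comment would also read better as a docstring stating that the function returns a `ServicePrincipalCredential` built from those four variables.

```python
def get_environment_credential():
    # … unchanged: workaround comment and local getenv import …
    tenant_id = getenv(AZURE_TENANT_ID)
    client_id = getenv(AZURE_CLIENT_ID)
    client_secret = getenv(AZURE_CLIENT_SECRET)

    required = {AZURE_TENANT_ID: tenant_id, AZURE_CLIENT_ID: client_id,
                AZURE_CLIENT_SECRET: client_secret}
    missing = [name for name, value in required.items() if not value]
    if missing:
        # Report variable names only; the values are credentials.
        # ValueError is a stand-in: use the CLI's own error type if one is in scope.
        raise ValueError("Environment credential requires: " + ", ".join(missing))

    sp_auth = ServicePrincipalAuth({
        _TENANT: tenant_id,
        _CLIENT_ID: client_id,
        _CLIENT_SECRET: client_secret
    })
    # … unchanged: authority lookup and ServicePrincipalCredential construction …
```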
@@ -14,7 +14,6 @@ _transform_subscription_for_multiapi) from azure.cli.core.auth.util import AccessToken from azure.cli.core.mock import DummyCli -from azure.identity import AuthenticationRecord from azure.mgmt.resource.subscriptions.models import \ (Subscription, SubscriptionPolicies, SpendingLimit, ManagedByTenant) @@ -94,9 +93,6 @@ def setUpClass(cls): cls.display_name1 = 'foo account' cls.home_account_id = "00000003-0000-0000-0000-000000000000.00000003-0000-0000-0000-000000000000" cls.client_id = "00000003-0000-0000-0000-000000000000" - cls.authentication_record = AuthenticationRecord(cls.tenant_id, cls.client_id, - "https://login.microsoftonline.com", cls.home_account_id, - cls.user1) cls.state1 = 'Enabled' cls.managed_by_tenants = [ManagedByTenantStub('00000003-0000-0000-0000-000000000000'), ManagedByTenantStub('00000004-0000-0000-0000-000000000000')] diff --git a/src/azure-cli/azure/cli/command_modules/rdbms/_client_factory.py b/src/azure-cli/azure/cli/command_modules/rdbms/_client_factory.py index 8d0d265991e..3f8ee0109fe 100644 --- a/src/azure-cli/azure/cli/command_modules/rdbms/_client_factory.py +++ b/src/azure-cli/azure/cli/command_modules/rdbms/_client_factory.py @@ -5,14 +5,12 @@ from azure.cli.core.commands.client_factory import get_mgmt_service_client from azure.cli.core.profiles import ResourceType +from azure.cli.core.auth.identity import get_environment_credential, AZURE_CLIENT_ID # pylint: disable=import-outside-toplevel RM_URI_OVERRIDE = 'AZURE_CLI_RDBMS_RM_URI' SUB_ID_OVERRIDE = 'AZURE_CLI_RDBMS_SUB_ID' -CLIENT_ID = 'AZURE_CLIENT_ID' -TENANT_ID = 'AZURE_TENANT_ID' -CLIENT_SECRET = 'AZURE_CLIENT_SECRET' def get_mariadb_management_client(cli_ctx, **_): 
@@ -24,13 +22,9 @@ def get_mariadb_management_client(cli_ctx, **_): # variable. rm_uri_override = getenv(RM_URI_OVERRIDE) if rm_uri_override: - client_id = getenv(CLIENT_ID) + client_id = getenv(AZURE_CLIENT_ID) if client_id: - from azure.identity import ClientSecretCredential - credentials = ClientSecretCredential( - client_id=client_id, - client_secret=getenv(CLIENT_SECRET), - tenant_id=getenv(TENANT_ID)) + credentials = get_environment_credential() else: from msrest.authentication import Authentication # pylint: disable=import-error credentials = Authentication() @@ -52,13 +46,9 @@ def get_mysql_management_client(cli_ctx, **_): # variable. rm_uri_override = getenv(RM_URI_OVERRIDE) if rm_uri_override: - client_id = getenv(CLIENT_ID) + client_id = getenv(AZURE_CLIENT_ID) if client_id: - from azure.identity import ClientSecretCredential - credentials = ClientSecretCredential( - client_id=client_id, - client_secret=getenv(CLIENT_SECRET), - tenant_id=getenv(TENANT_ID)) + credentials = get_environment_credential() else: from msrest.authentication import Authentication # pylint: disable=import-error credentials = Authentication() @@ -80,13 +70,9 @@ def get_mysql_flexible_management_client(cli_ctx, **_): # variable. rm_uri_override = getenv(RM_URI_OVERRIDE) if rm_uri_override: - client_id = getenv(CLIENT_ID) + client_id = getenv(AZURE_CLIENT_ID) if client_id: - from azure.identity import ClientSecretCredential - credentials = ClientSecretCredential( - client_id=client_id, - client_secret=getenv(CLIENT_SECRET), - tenant_id=getenv(TENANT_ID)) + credentials = get_environment_credential() else: from msrest.authentication import Authentication # pylint: disable=import-error credentials = Authentication() 
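Review bot: The credential-selection block (`client_id = getenv(AZURE_CLIENT_ID)` through `credentials = Authentication()`) is still repeated verbatim in all five factories touched here: `get_mariadb_management_client`, `get_mysql_management_client`, `get_mysql_flexible_management_client`, `get_postgresql_management_client` and `get_postgresql_flexible_management_client`. Since this commit already rewrites each copy, it is a good moment to move the choice into one private helper so the next credential change is made in one place. The helper is also the natural home for a comment stating that a credential is chosen only when `AZURE_CLI_RDBMS_RM_URI` is set, presumably for use against that overridden endpoint, and that the fallback is msrest's base `Authentication()` object rather than a service principal. Each factory's body starts and ends outside its hunk, so how `credentials` is consumed afterwards is not visible here.

```python
def _get_override_credential():
    # Service principal from the environment if AZURE_CLIENT_ID is set,
    # otherwise msrest's base Authentication object.
    # getenv is used as in the factories' existing bodies.
    if getenv(AZURE_CLIENT_ID):
        return get_environment_credential()
    from msrest.authentication import Authentication  # pylint: disable=import-error
    return Authentication()

# in each of the five factories:
    if rm_uri_override:
        credentials = _get_override_credential()
    # … unchanged: rest of the factory …
```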
@@ -108,13 +94,9 @@ def get_postgresql_management_client(cli_ctx, **_): # variable. rm_uri_override = getenv(RM_URI_OVERRIDE) if rm_uri_override: - client_id = getenv(CLIENT_ID) + client_id = getenv(AZURE_CLIENT_ID) if client_id: - from azure.identity import ClientSecretCredential - credentials = ClientSecretCredential( - client_id=client_id, - client_secret=getenv(CLIENT_SECRET), - tenant_id=getenv(TENANT_ID)) + credentials = get_environment_credential() else: from msrest.authentication import Authentication # pylint: disable=import-error credentials = Authentication() @@ -135,13 +117,9 @@ def get_postgresql_flexible_management_client(cli_ctx, **_): # variable. rm_uri_override = getenv(RM_URI_OVERRIDE) if rm_uri_override: - client_id = getenv(CLIENT_ID) + client_id = getenv(AZURE_CLIENT_ID) if client_id: - from azure.identity import ClientSecretCredential - credentials = ClientSecretCredential( - client_id=client_id, - client_secret=getenv(CLIENT_SECRET), - tenant_id=getenv(TENANT_ID)) + credentials = get_environment_credential() else: from msrest.authentication import Authentication # pylint: disable=import-error credentials = Authentication() diff --git a/src/azure-cli/requirements.py3.Darwin.txt b/src/azure-cli/requirements.py3.Darwin.txt index 1fc217f46ee..b2a2c53cea3 100644 --- a/src/azure-cli/requirements.py3.Darwin.txt +++ b/src/azure-cli/requirements.py3.Darwin.txt @@ -13,7 +13,6 @@ azure-cosmos==3.2.0 azure-data-tables==12.2.0 azure-datalake-store==0.0.49 azure-graphrbac==0.60.0 -azure-identity==1.6.1 azure-keyvault-administration==4.0.0b3 azure-keyvault-keys==4.5.0 azure-keyvault==1.1.0 diff --git a/src/azure-cli/requirements.py3.Linux.txt b/src/azure-cli/requirements.py3.Linux.txt index 5b50d72e555..0cc45b0eeaa 100644 --- a/src/azure-cli/requirements.py3.Linux.txt +++ b/src/azure-cli/requirements.py3.Linux.txt 
@@ -13,7 +13,6 @@ azure-cosmos==3.2.0 azure-data-tables==12.2.0 azure-datalake-store==0.0.49 azure-graphrbac==0.60.0 -azure-identity==1.6.1 azure-keyvault-administration==4.0.0b3 azure-keyvault-keys==4.5.0 azure-keyvault==1.1.0 diff --git a/src/azure-cli/requirements.py3.windows.txt b/src/azure-cli/requirements.py3.windows.txt index 835a6fe8bf2..6937c2c62ad 100644 --- a/src/azure-cli/requirements.py3.windows.txt +++ b/src/azure-cli/requirements.py3.windows.txt @@ -13,7 +13,6 @@ azure-cosmos==3.2.0 azure-data-tables==12.2.0 azure-datalake-store==0.0.49 azure-graphrbac==0.60.0 -azure-identity==1.6.1 azure-keyvault-administration==4.0.0b3 azure-keyvault-keys==4.5.0 azure-keyvault==1.1.0 diff --git a/src/azure-cli/setup.py b/src/azure-cli/setup.py index ce648506b91..42bacabb546 100644 --- a/src/azure-cli/setup.py +++ b/src/azure-cli/setup.py @@ -59,7 +59,6 @@ 'azure-data-tables==12.2.0', 'azure-datalake-store~=0.0.49', 'azure-graphrbac~=0.60.0', - 'azure-identity', 'azure-keyvault-administration==4.0.0b3', 'azure-keyvault-keys==4.5.0', 'azure-keyvault~=1.1.0',