
Conversation


@VoxSecundus VoxSecundus commented Nov 28, 2023

Related command

az

All commands that require the user to be logged in.

Description

Addresses #10241

This PR updates the _profile and auth/identity azure-cli-core classes to support authentication for service principals via environment variables, without having to run az login first. When logged in with az login, any credentials specified as environment variables are ignored.

New variables:

Variable name           Description
AZURE_SUBSCRIPTION_ID   Subscription ID to use for command scope. Can be overridden with --subscription.
AZURE_TENANT_ID         Microsoft Entra application's tenant ID.
AZURE_CLIENT_ID         Microsoft Entra application ID.
AZURE_CLIENT_SECRET     Secret for the given application.

Testing Guide

In a Bash terminal:

  • Register an app:
$ az ad sp create-for-rbac
  • Set credentials and subscription:
$ export AZURE_CLIENT_ID="<redacted>"
$ export AZURE_CLIENT_SECRET="<redacted>"
$ export AZURE_TENANT_ID="<redacted>"
$ export AZURE_SUBSCRIPTION_ID="<redacted>"
  • Use az commands as usual:
$ az vm list
[
  {
    ...
  },
  ...
]

$ az account show
{
  "id": null,
  "name": "Environment Variable Subscription",
  "tenantId": "<redacted>",
  "user": {
    "name": "<redacted>",
    "type": "servicePrincipal"
  }
}

$ az account get-access-token
{
  "accessToken": "<redacted>",
  "expiresOn": "2023-11-28 18:51:46.000000",
  "expires_on": 1701197506,
  "subscription": "None",
  "tenant": "<redacted>",
  "tokenType": "Bearer"
}

History Notes

N/A


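As an added illustration of the loading behaviour the PR description and testing guide lay out (example code, not the PR's or azure-cli's own): the function names env_var_auth_configured and load_env_var_credential mirror the review snippets further down, but their bodies, the EnvCredential type, the GUID checks and the decision to reject a partially set environment are assumptions made here.

```python
# Added example, not azure-cli code: detecting and loading the service
# principal credential from the environment variables this PR introduces.
# Names mirror the review snippets (env_var_auth_configured,
# load_env_var_credential) but their bodies, EnvCredential and the
# rejection of partially set environments are assumptions.
import os
import uuid
from dataclasses import dataclass, field
from typing import Mapping, Optional

REQUIRED_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
GUID_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_SUBSCRIPTION_ID")


def is_guid(guid) -> bool:
    """True if guid parses as a UUID; None or non-string input is not a GUID."""
    try:
        uuid.UUID(guid)
        return True
    except (ValueError, TypeError):
        return False


@dataclass
class EnvCredential:
    tenant_id: str
    client_id: str
    client_secret: str = field(repr=False)  # never echo the secret in logs or tracebacks
    subscription_id: Optional[str] = None

    def as_account(self) -> dict:
        """Shape of the `az account show` entry shown in the testing guide above."""
        return {
            "id": self.subscription_id,
            "name": "Environment Variable Subscription",
            "tenantId": self.tenant_id,
            "user": {"name": self.client_id, "type": "servicePrincipal"},
        }


def env_var_auth_configured(environ: Optional[Mapping[str, str]] = None) -> bool:
    """All three mandatory variables are present and non-empty."""
    environ = os.environ if environ is None else environ
    return all(environ.get(name) for name in REQUIRED_VARS)


def load_env_var_credential(environ: Optional[Mapping[str, str]] = None) -> Optional[EnvCredential]:
    """Build the credential, refusing partial or malformed configuration.

    A half-set environment (for example a client ID without a tenant ID) raises
    instead of silently falling back to another account, so a misconfigured CI
    job fails loudly rather than running as whatever principal is cached on disk.
    Returns None when none of the variables are set.
    """
    environ = os.environ if environ is None else environ
    present = [name for name in REQUIRED_VARS if environ.get(name)]
    if not present:
        return None
    if len(present) != len(REQUIRED_VARS):
        missing = [name for name in REQUIRED_VARS if name not in present]
        raise ValueError("incomplete service principal environment, missing: " + ", ".join(missing))
    for name in GUID_VARS:
        value = environ.get(name)
        if value and not is_guid(value):
            raise ValueError(f"{name} is not a GUID")
    return EnvCredential(
        tenant_id=environ["AZURE_TENANT_ID"],
        client_id=environ["AZURE_CLIENT_ID"],
        client_secret=environ["AZURE_CLIENT_SECRET"],
        subscription_id=environ.get("AZURE_SUBSCRIPTION_ID") or None,
    )
```

Passing an explicit mapping instead of os.environ keeps the functions testable without touching the real environment; the repr=False on the secret field means an accidental `print(cred)` or an exception traceback carrying the object does not leak AZURE_CLIENT_SECRET.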

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Nov 28, 2023

✔️ AzureCLI-FullTest: all modules passed on Python 3.9 and 3.11 (profile "latest", plus the 2018-03-01-hybrid, 2019-03-01-hybrid and 2020-09-01-hybrid profiles where a module supports them).
Modules: acr, acs, advisor, ams, apim, appconfig, appservice, aro, backup, batch, batchai, billing, botservice, cdn, cloud, cognitiveservices, config, configure, consumption, container, containerapp, core, cosmosdb, databoxedge, dla, dls, dms, eventgrid, eventhubs, feedback, find, hdinsight, identity, iot, keyvault, kusto, lab, managedservices, maps, marketplaceordering, monitor, mysql, netappfiles, network, policyinsights, privatedns, profile, rdbms, redis, relay, resource, role, search, security, servicebus, serviceconnector, servicefabric, signalr, sql, sqlvm, storage, synapse, telemetry, util, vm.

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Nov 28, 2023

✔️ AzureCLI-BreakingChangeTest: Non Breaking Changes

@yonzhan
Collaborator

yonzhan commented Nov 28, 2023

Core

@microsoft-github-policy-service microsoft-github-policy-service bot added the customer-reported Issues that are reported by GitHub users external to the Azure organization. label Nov 28, 2023
@microsoft-github-policy-service
Contributor

Thank you for your contribution VoxSecundus! We will review the pull request and get back to you soon.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Nov 28, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Compute az vm/vmss/image/disk/snapshot ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group labels Nov 28, 2023
@microsoft-github-policy-service microsoft-github-policy-service bot added Account az login/account Core CLI core infrastructure Graph az ad labels Nov 28, 2023
@VoxSecundus
Author

@microsoft-github-policy-service agree company="Alces Flight Ltd"

Comment on lines 1357 to 1363
def is_guid(guid):
    import uuid
    try:
        uuid.UUID(guid)
        return True
    except (ValueError, TypeError):
        return False
Member


This function is already defined at

def is_guid(guid):
    import uuid
    try:
        uuid.UUID(guid)
        return True
    except ValueError:
        return False


# If no login data, look for service principal credential in environment variables
if not self._entries and env_var_auth_configured():
    logger.warning("Using service principal credential configured in environment variables.")
Member


Unconditionally showing warnings can break pipelines that enable failOnStderr (#18372).

Author


Sorry, I'm not sure what you mean. How should I make this warning shown "conditionally"?

Member


Sorry, I'm not sure what you mean. How should I make this warning shown "conditionally"?

Well. This warning shouldn't be printed at all, as it doesn't really qualify as a warning.

Author


Understood. It's been changed to a logger.debug call.

Comment on lines 313 to 316
# If no login data, look for service principal credential in environment variables
if not self._entries and env_var_auth_configured():
    logger.warning("Using service principal credential configured in environment variables.")
    self._entries = [load_env_var_credential()]
Member


load_entry is designed solely for looking up service principal credentials stored on the hard disk. It may not be an ideal place for loading environment variables.

@jiasli
Member

jiasli commented Nov 29, 2023

Thank you very much for the contribution. We understand #10241 is a highly demanded feature.

Actually, I already have a draft work on supporting environment variable credential: https://github.com/jiasli/azure-cli/tree/env-cred, which utilizes the code from #22124.

I will certainly take your PR into consideration while implementing this feature.

@tspearconquest
Contributor

Any update?

@pre

pre commented Mar 16, 2025

Starting to hold my breath soon!

@jiasli
Member

jiasli commented May 26, 2025

When logged in with az login, any credentials specified as environment variables are ignored.

We should decide which account takes higher priority:

  • The account from az login
  • The account from environment variable

For az config, environment variables take higher priority.

I think it is more reasonable for the account from environment variable to take higher priority, as environment variables are kept in memory, like a temporary session, but the account persisted by az login is long-lasting. Environment variables can even be used with only one command (in Bash):

$ MY_ENV_VAR=TEST_VALUE python3 -c "import os; print(os.environ['MY_ENV_VAR'])"
TEST_VALUE

Letting the account from az login take higher priority makes it impossible to temporarily override it.
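An added example (not azure-cli code, and not part of the comment above) of the two precedence rules under discussion, applied to constructed persisted-login and environment inputs. env_account, select_account, resolve_subscription and run_with_override are assumed names; the env_wins switch models "environment variable wins" versus the PR's original "az login wins".

```python
# Added example, not azure-cli code: the two account-precedence rules discussed
# in the comment above, applied to constructed inputs. env_account,
# select_account, resolve_subscription and run_with_override are assumed names.
import os
from typing import Mapping, Optional

ENV_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")


def env_account(environ: Mapping[str, str]) -> Optional[dict]:
    """Account record from the environment, or None unless all three credential variables are set."""
    if not all(environ.get(name) for name in ENV_VARS):
        return None  # a partially set environment is not a credential
    return {
        "source": "env",
        "id": environ.get("AZURE_SUBSCRIPTION_ID"),
        "tenantId": environ["AZURE_TENANT_ID"],
        "user": {"name": environ["AZURE_CLIENT_ID"], "type": "servicePrincipal"},
    }


def select_account(persisted: list, environ: Optional[Mapping[str, str]] = None,
                   env_wins: bool = True) -> Optional[dict]:
    """Choose the account a command runs as.

    env_wins=True is the rule proposed above and the one `az config` already
    uses: the in-memory environment beats the long-lived `az login` session.
    env_wins=False is the PR's original rule, where a persisted login silently
    overrides whatever the environment says.
    """
    environ = os.environ if environ is None else environ
    from_env = env_account(environ)
    from_login = persisted[0] if persisted else None
    return (from_env or from_login) if env_wins else (from_login or from_env)


def resolve_subscription(account: dict, cli_subscription: Optional[str] = None) -> Optional[str]:
    """--subscription beats AZURE_SUBSCRIPTION_ID (already folded into the env account), which beats the login default."""
    return cli_subscription or account.get("id")


def run_with_override(persisted: list, environ: Mapping[str, str], overrides: Mapping[str, str],
                      env_wins: bool = True) -> Optional[dict]:
    """Model `AZURE_CLIENT_ID=... AZURE_CLIENT_SECRET=... az vm list`: variables applied to one invocation only."""
    scoped = dict(environ)  # copy, so the override never outlives this call
    scoped.update(overrides)
    return select_account(persisted, scoped, env_wins)
```

With env_wins=False, run_with_override still returns the cached login account whenever one exists, which is exactly the "impossible to temporarily override" problem described above; with env_wins=True a one-shot set of variables takes effect for that invocation and the persisted session is untouched.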

@VoxSecundus
Author

@jiasli I'm happy to make that change if you are.

@VoxSecundus VoxSecundus requested a review from bebound as a code owner June 24, 2025 12:09