Merged
33 changes: 21 additions & 12 deletions src/azure-cli/azure/cli/command_modules/role/_help.py
@@ -528,18 +528,27 @@
You may also use `az role assignment create` to create role assignments for this service principal later.
See [steps to add a role assignment](https://aka.ms/azadsp-more) for more information.
examples:
- name: Create without role assignment.
text: az ad sp create-for-rbac
- name: Create using a custom display name.
text: az ad sp create-for-rbac -n MyApp
- name: Create with a Contributor role assignments on specified scopes. To retrieve current subscription ID, run `az account show --query id --output tsv`.
text: az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2
- name: Create using a self-signed certificate.
text: az ad sp create-for-rbac --create-cert
- name: Create using a self-signed certificate, and store it within KeyVault.
text: az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert
- name: Create using existing certificate in KeyVault.
text: az ad sp create-for-rbac --keyvault MyVault --cert CertName
- name: Create without role assignment.
Contributor
Although it does not affect the help message, the two-space indent is missing here.

Member Author
@jiasli jiasli Nov 12, 2024
On the contrary, the two-space indent is unnecessary. See the YAML spec:

https://yaml.org/spec/1.2.2/#21-collections

american:
- Boston Red Sox
- Detroit Tigers
- New York Yankees
national:
- New York Mets
- Chicago Cubs
- Atlanta Braves

Contributor
@bebound bebound Nov 12, 2024

YAML does not have a strict indent rule; my formatter uses 2 spaces.

In YAML block styles, structure is determined by indentation. In general, indentation is defined as a zero or more space characters at the start of a line. -- https://yaml.org/spec/1.2-old/spec.html#id2777534

PS: The indentation at https://yaml.org/ is inconsistent.

text: az ad sp create-for-rbac
- name: Create using a custom display name.
text: az ad sp create-for-rbac -n MyApp
- name: Create with a Contributor role assignments on specified scopes. To retrieve current subscription ID, run `az account show --query id --output tsv`.
text: az ad sp create-for-rbac -n MyApp --role Contributor --scopes /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup1 /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/resourceGroup2
- name: Create using a self-signed certificate.
text: az ad sp create-for-rbac --create-cert
- name: Create using an existing certificate string.
text: az ad sp create-for-rbac --cert "MIICoT..."
- name: Create using an existing certificate file.
text: |-
az ad sp create-for-rbac --cert "@~/cert.pem"
`cert.pem` contains the following content
-----BEGIN CERTIFICATE----- <<< this line is optional
MIICoT...
-----END CERTIFICATE----- <<< this line is optional
Comment on lines +539 to +547
Member Author

These examples are similar to

- name: Append a certificate to the application with the certificate string.
text: az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --append
- name: Append a certificate to the application with the certificate file.
text: |-
az ad app credential reset --id 00000000-0000-0000-0000-000000000000 --cert "@~/cert.pem" --append
`cert.pem` contains the following content
-----BEGIN CERTIFICATE----- <<< this line is optional
MIICoT...
-----END CERTIFICATE----- <<< this line is optional

- name: Append a certificate to the service principal with the certificate string.
text: az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "MIICoT..." --append
- name: Append a certificate to the service principal with the certificate file.
text: |-
az ad sp credential reset --id 00000000-0000-0000-0000-000000000000 --cert "@~/cert.pem" --append
`cert.pem` contains the following content
-----BEGIN CERTIFICATE----- <<< this line is optional
MIICoT...
-----END CERTIFICATE----- <<< this line is optional

- name: Create using a self-signed certificate, and store it within Azure Key Vault.
text: az ad sp create-for-rbac --keyvault MyVault --cert CertName --create-cert
- name: Create using existing certificate in Azure Key Vault.
text: az ad sp create-for-rbac --keyvault MyVault --cert CertName
Comment on lines +548 to +551
Member Author

The official name should be "Azure Key Vault", not "KeyVault": https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-cli

"""

helps['ad sp credential'] = """
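Review bot: the example line `- name: Create with a Contributor role assignments on specified scopes.` is carried into the rewritten block unchanged and has a number-agreement error; since this hunk rebuilds the examples list anyway, change it to `Create with a Contributor role assignment on specified scopes.` The new `--cert "MIICoT..."` and `--cert "@~/cert.pem"` examples mirror the `az ad app credential reset` and `az ad sp credential reset` examples quoted in the thread, which keeps the three help texts consistent; the `<<< this line is optional` annotation will be printed verbatim in `--help` output, same as in those existing examples, so that is an accepted convention rather than a defect.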
2 changes: 1 addition & 1 deletion src/azure-cli/azure/cli/command_modules/role/_params.py
@@ -205,7 +205,7 @@ def load_arguments(self, _):
c.argument('cert', arg_group='keyCredential', validator=validate_cert,
help='Certificate to use for credentials. When used with `--keyvault,`, indicates the name of the '
'cert to use or create. Otherwise, supply a PEM or DER formatted public certificate string. '
'Use `@{path}` to load from a file. Do not include private key info.')
'Use `@{path}` to load from a file. Do not include the private key.')
c.argument('create_cert', arg_group='keyCredential', action='store_true',
help='Create a self-signed certificate to use for the credential. Only the current OS user has '
'read/write permission to this certificate. Use with `--keyvault` to create the certificate in '
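Review bot: the unchanged line directly above the edited one reads `When used with `--keyvault,`, indicates the name of the` with the comma inside the backticks; since this help string is being touched, move it outside the code span: `When used with `--keyvault`, indicates the name of the`. The wording change itself reads well: "Do not include the private key." is unambiguous and pairs with "public certificate string" earlier in the same sentence, which is the right guidance for a credential that is sent to Microsoft Entra ID.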
8 changes: 2 additions & 6 deletions src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -1302,14 +1302,10 @@ def create_service_principal_for_rbac(
}
if cert_file:
logger.warning(
"Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument",
"Please copy %s to a safe place. When you run `az login`, provide the file path in the --certificate "
Member Author

Changed according to #30091.

"argument",
cert_file)
result['fileWithCertAndPrivateKey'] = cert_file

login_hint = ('To log in with this service principal, run:\n'
f'az login --service-principal --username {app_id} --password {password or cert_file} '
f'--tenant {graph_client.tenant}')
logger.info(login_hint)
Comment on lines -1308 to -1312
Member Author

This hint is removed to avoid users' potential incorrect handling of the log.

return result


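Review bot: removing the `login_hint` block is the right call from a secrets-handling standpoint: it interpolated `{password or cert_file}` into a `logger.info` message, so the freshly created client secret could end up wherever CLI output is captured (terminal scrollback, CI logs, `--debug` transcripts). Two follow-ups on the lines that remain: the `logger.warning` now tells users to pass the file path via the `--certificate` argument of `az login`, which the thread attributes to #30091, so it is worth confirming that flag exists in the CLI version this ships in, otherwise the hint points at an option users do not have; and `result['fileWithCertAndPrivateKey'] = cert_file` still returns the path of a file that holds the private key, so the "copy %s to a safe place" message should stay at warning level rather than be demoted to info.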