@jiasli jiasli commented Nov 12, 2024

Related command
az login

Description
This PR is separated from #25959 (comment)

In versions <= 2.0.50 (released on November 6, 2018), _SUBSCRIPTION_NAME is used to denote the managed identity ID info (_ASSIGNED_IDENTITY_INFO). This is a bad design, as an Azure subscription has its own name. So, _ASSIGNED_IDENTITY_INFO was added in #7744 to give way to the real subscription name and _try_parse_msi_account_name() acts as an adaptor. However, such logic is difficult to maintain. Even its creator admits:

the code is a bit messy here to support both old and new styles.
#7744 (comment)

As it has been 6 years since 2.0.50, and Azure CLI is self-consistent, this should not be considered a breaking change.

Testing Guide

az login --identity
az group list
az account get-access-token

az login --identity --username <client_id/object_id/resource_id>
az group list
az account get-access-token

History Notes

[Profile] Drop support for old-style managed identity account created by Azure CLI <= 2.0.50. If you upgrade from one of these versions, please run az login --identity again.
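
The old-style and new-style account shapes described above, as an added example that is not part of the PR or of Azure CLI's code. It assumes the stored entry keeps the identity under a `user` object with `name` and `assignedIdentityInfo` fields and that a system-assigned identity is recorded as `MSI`; the function names and sample values are constructed for illustration.

```python
# Added example: key names and sample entries are assumptions, not Azure CLI source.
MI_USER_NAMES = {"systemAssignedIdentity", "userAssignedIdentity"}
MI_ID_TYPES = {"MSI", "MSIClient", "MSIObject", "MSIResource"}


def classify_account(account):
    """Return ('not-mi' | 'old-style' | 'new-style', id_type, identity_id)."""
    user = account.get("user", {})
    if user.get("name") not in MI_USER_NAMES:
        return ("not-mi", None, None)
    info = user.get("assignedIdentityInfo")
    if info is None:
        # No assignedIdentityInfo: the entry needs `az login --identity` again.
        return ("old-style", None, None)
    # Split on the first '-' only: resource IDs may contain dashes themselves.
    id_type, _, identity_id = info.partition("-")
    if id_type not in MI_ID_TYPES:
        raise ValueError(f"unexpected assignedIdentityInfo: {info!r}")
    return ("new-style", id_type, identity_id or None)


def accounts_needing_relogin(profile):
    """List subscription ids of old-style managed identity entries."""
    return [a.get("id") for a in profile.get("subscriptions", [])
            if classify_account(a)[0] == "old-style"]


# Constructed sample shaped like a profile file; all values are made up.
SAMPLE_PROFILE = {"subscriptions": [
    {"id": "00000000-0000-0000-0000-000000000001", "name": "MSIClient-1111",
     "user": {"name": "userAssignedIdentity", "type": "servicePrincipal"}},
    {"id": "00000000-0000-0000-0000-000000000002", "name": "Contoso Dev",
     "user": {"name": "userAssignedIdentity", "type": "servicePrincipal",
              "assignedIdentityInfo": "MSIResource-/subscriptions/x/rg-1/id-a"}},
    {"id": "00000000-0000-0000-0000-000000000003", "name": "Contoso Dev",
     "user": {"name": "systemAssignedIdentity", "type": "servicePrincipal",
              "assignedIdentityInfo": "MSI"}},
    {"id": "00000000-0000-0000-0000-000000000004", "name": "Contoso Dev",
     "user": {"name": "alice@example.com", "type": "user"}},
]}

if __name__ == "__main__":
    for acct in SAMPLE_PROFILE["subscriptions"]:
        print(acct["id"], classify_account(acct))
    print("re-login needed:", accounts_needing_relogin(SAMPLE_PROFILE))
```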


azure-client-tools-bot-prd bot commented Nov 12, 2024

️✔️AzureCLI-FullTest


azure-client-tools-bot-prd bot commented Nov 12, 2024

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

Collaborator

yonzhan commented Nov 12, 2024

Thank you for your contribution! We will review the pull request and get back to you soon.

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Nov 12, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group label Nov 12, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Account az login/account label Nov 12, 2024
Member Author

jiasli commented Nov 13, 2024

CI failed:

https://dev.azure.com/azclitools/public/_build/results?buildId=205660&view=logs&jobId=a8943ac2-38d7-5792-f2a7-5f4fd06db24e&j=a8943ac2-38d7-5792-f2a7-5f4fd06db24e&t=3ed51913-4dd7-564f-a8d8-fda07de13946

[Profile] Drop support for old-style managed identity account created by Azure CLI <= 2.0.50. If you upgrade from one of these versions, please run `az login --identity` again.
: missing ` around --identity`
                                                                                                                                                              ↑         ↑

I don't think this detection is correct.

Member Author

jiasli commented Nov 13, 2024

I am temporarily altering the history notes to bypass the incorrect detection logic.

After the PR is merged, I will change it back:

[Profile] Drop support for old-style managed identity account created by Azure CLI <= 2.0.50. If you upgrade from one of these versions, please run az login --identity again.

if parts[0] in MsiAccountTypes.valid_msi_account_types():
return parts[0], (None if len(parts) <= 1 else parts[1])
def _parse_managed_identity_account(account):
user_name = account[_USER_ENTITY][_USER_NAME]
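
Review bot: `_parse_managed_identity_account(account)` has no docstring before the `user_name = account[_USER_ENTITY][_USER_NAME]` line. A one-line docstring saying what the function returns and that it expects both keys to be present would let a reader check callers against it without opening the code that writes the profile.
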
Member Author

@jiasli jiasli Nov 14, 2024


_USER_NAME must exist:

    _USER_ENTITY: {
        _USER_NAME: user,
        _USER_TYPE: _SERVICE_PRINCIPAL if is_service_principal else _USER
    },

There is no need to use get().

# The account contains:
# "assignedIdentityInfo": "MSIClient-xxx"/"MSIObject-xxx"/"MSIResource-xxx",
# "name": "userAssignedIdentity",
return tuple(account[_USER_ENTITY][_ASSIGNED_IDENTITY_INFO].split('-', maxsplit=1))
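
Review bot: On the `return tuple(account[_USER_ENTITY][_ASSIGNED_IDENTITY_INFO].split('-', maxsplit=1))` line, an account that carries no `_ASSIGNED_IDENTITY_INFO` key fails with a bare KeyError, and a value with no `-` yields a one-element tuple. Consider catching the missing key and raising an error that tells the user to run az login --identity again, and documenting the tuple length callers can rely on.
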
Member Author


If _USER_NAME is _SYSTEM_ASSIGNED_IDENTITY or _USER_ASSIGNED_IDENTITY, _ASSIGNED_IDENTITY_INFO must exist:

    user = _USER_ASSIGNED_IDENTITY if identity_id else _SYSTEM_ASSIGNED_IDENTITY
    if not subscriptions:
        if allow_no_subscriptions:
            subscriptions = self._build_tenant_level_accounts([tenant])
        else:
            raise CLIError('No access was configured for the VM, hence no subscriptions were found. '
                           "If this is expected, use '--allow-no-subscriptions' to have tenant level access.")
    consolidated = self._normalize_properties(user, subscriptions, is_service_principal=True,
                                              user_assigned_identity_id=base_name)

@jiasli jiasli marked this pull request as ready for review November 20, 2024 03:25
test_subscription_id = '12345678-1bf0-4dda-aec3-cb9272f09590'
test_tenant_id = '12345678-38d6-4fb2-bad9-b7b93a3e1234'
test_user = 'systemAssignedIdentity'
msi_subscription = SubscriptionStub('/subscriptions/' + test_subscription_id, 'MSI', self.state1, test_tenant_id)
Member Author


Test cases still use subscription name to store the managed identity info.

@jiasli jiasli merged commit 14084ad into Azure:dev Nov 20, 2024
52 checks passed
@jiasli jiasli deleted the mi-account branch November 20, 2024 12:07
yanzhudd pushed a commit to yanzhudd/azure-cli that referenced this pull request Nov 25, 2024
@yonzhan yonzhan removed this from the December 2024 (2024-12-10) milestone Nov 28, 2024
@yonzhan yonzhan added this to the January 2025 (2025-01-14) milestone Nov 28, 2024