25 changes: 14 additions & 11 deletions src/azure-cli-core/azure/cli/core/_profile.py
Expand Up @@ -377,7 +377,7 @@ def get_login_credentials(self, resource=None, subscription_id=None, aux_subscri

account = self.get_subscription(subscription_id)

managed_identity_type, managed_identity_id = Profile._try_parse_msi_account_name(account)
managed_identity_type, managed_identity_id = Profile._parse_managed_identity_account(account)

if in_cloud_console() and account[_USER_ENTITY].get(_CLOUD_SHELL_ID):
# Cloud Shell
Expand Down Expand Up @@ -436,7 +436,7 @@ def get_raw_token(self, resource=None, scopes=None, subscription=None, tenant=No

account = self.get_subscription(subscription)

managed_identity_type, managed_identity_id = Profile._try_parse_msi_account_name(account)
managed_identity_type, managed_identity_id = Profile._parse_managed_identity_account(account)

if in_cloud_console() and account[_USER_ENTITY].get(_CLOUD_SHELL_ID):
# Cloud Shell
Expand Down Expand Up @@ -642,15 +642,18 @@ def get_subscription_id(self, subscription=None): # take id or name
return self.get_subscription(subscription)[_SUBSCRIPTION_ID]

@staticmethod
def _try_parse_msi_account_name(account):
msi_info, user = account[_USER_ENTITY].get(_ASSIGNED_IDENTITY_INFO), account[_USER_ENTITY].get(_USER_NAME)

if user in [_SYSTEM_ASSIGNED_IDENTITY, _USER_ASSIGNED_IDENTITY]:
if not msi_info:
msi_info = account[_SUBSCRIPTION_NAME] # fall back to old persisting way
parts = msi_info.split('-', 1)
if parts[0] in MsiAccountTypes.valid_msi_account_types():
return parts[0], (None if len(parts) <= 1 else parts[1])
def _parse_managed_identity_account(account):
user_name = account[_USER_ENTITY][_USER_NAME]
Member Author

@jiasli jiasli Nov 14, 2024


_USER_NAME must exist:

_USER_ENTITY: {
_USER_NAME: user,
_USER_TYPE: _SERVICE_PRINCIPAL if is_service_principal else _USER
},

There is no need to use get().

if user_name == _SYSTEM_ASSIGNED_IDENTITY:
# The account contains:
# "assignedIdentityInfo": "MSI",
# "name": "systemAssignedIdentity",
return MsiAccountTypes.system_assigned, None
if user_name == _USER_ASSIGNED_IDENTITY:
# The account contains:
# "assignedIdentityInfo": "MSIClient-xxx"/"MSIObject-xxx"/"MSIResource-xxx",
# "name": "userAssignedIdentity",
return tuple(account[_USER_ENTITY][_ASSIGNED_IDENTITY_INFO].split('-', maxsplit=1))
Member Author


If _USER_NAME is _SYSTEM_ASSIGNED_IDENTITY or _USER_ASSIGNED_IDENTITY, _ASSIGNED_IDENTITY_INFO must exist:

user = _USER_ASSIGNED_IDENTITY if identity_id else _SYSTEM_ASSIGNED_IDENTITY
if not subscriptions:
if allow_no_subscriptions:
subscriptions = self._build_tenant_level_accounts([tenant])
else:
raise CLIError('No access was configured for the VM, hence no subscriptions were found. '
"If this is expected, use '--allow-no-subscriptions' to have tenant level access.")
consolidated = self._normalize_properties(user, subscriptions, is_service_principal=True,
user_assigned_identity_id=base_name)

return None, None

def _create_credential(self, account, tenant_id=None, client_id=None):
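Review bot: In `_parse_managed_identity_account`, the user-assigned branch returns `tuple(...split('-', maxsplit=1))` without the `parts[0] in MsiAccountTypes.valid_msi_account_types()` check that the removed `_try_parse_msi_account_name` applied. The account dict presumably comes from the locally persisted profile, so a stored `assignedIdentityInfo` with no `-` yields a one-element tuple and the two-name unpacking in `get_login_credentials` and `get_raw_token` fails with a bare `ValueError`, while an unrecognised prefix is handed to those callers as the identity type (their bodies continue outside the hunks, so what they do with it is not visible here). I would split with `id_type, _, id_value = info.partition('-')` and raise a `CLIError` naming the malformed field when `id_type not in MsiAccountTypes.valid_msi_account_types() or not id_value`. A one-line docstring stating the `(type, id)` return contract and the `(None, None)` result for accounts that are not managed identities would also help, since both callers depend on that shape.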