[App Config] az appconfig: Fix MSI auth for --auth-mode login parameter
#30983
Conversation
️✔️AzureCLI-FullTest
|
️✔️AzureCLI-BreakingChangeTest
|
|
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions). pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
|
microsoft-github-policy-service
bot
requested review from
avanigupta,
jsntcy,
yanzhudd,
yonzhan and
zhoxing-ms
microsoft-github-policy-service
bot
added
App Configuration
Auto-Assign
|
AppConfig |
| def test_azconfig_aad_auth(self, resource_group, location): | ||
| aad_store_prefix = get_resource_name_prefix('AADStore') | ||
| config_store_name = self.create_random_name(prefix=aad_store_prefix, length=36) | ||
| config_store_name = self.create_random_name(prefix=aad_store_prefix, length=15) |
There was a problem hiding this comment.
Why are we updating name lengths for test resources in this PR?
There was a problem hiding this comment.
Also, its 15 here and 24 in other places. If this needs to be updated, can we use the same length for all tests?
There was a problem hiding this comment.
We recently split the test into individual files during which we increased the name length to 36 when creating a random name. This however has resulted in some live tests failing as we generated some names that are too long in the case of replicas and keyvault resource. This is being reverted to what they were. In order to avoid delays with merging this fix in, it was included in this PR.
Prior to this change, the length of the store name for this test was 15.
Not sure if there was a reason for this. Would you suggest we change it to 24 for consistency?
There was a problem hiding this comment.
Thanks, yes please change it to 24 for consistency.
There was a problem hiding this comment.
This has been updated, thanks!
|
@zhoxing-ms @yanzhudd , Could you please help merge this fix in? |
yanzhudd
changed the title
az appconfig --auth-mode login: Fix MSI authaz appconfig: Fix MSI auth for --auth-mode login parameter
yanzhudd
changed the title
az appconfig: Fix MSI auth for --auth-mode login parameteraz appconfig: Fix MSI auth for --auth-mode login parameter
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 3 pipeline(s). |
|
|
||
| appconfig_credential = AppConfigurationCliCredential(cred, APPCONFIG_AUTH_TOKEN_AUDIENCE) | ||
|
|
||
| self.assertIsInstance(appconfig_credential._impl, MSIAuthenticationWrapper) |
There was a problem hiding this comment.
Command modules should not assume the credential type. It is Azure CLI Core's internal implementation. Azure CLI Core only guarantees get_token is implemented.
This change blocks #31092 as cli_ctx is a mock.MagicMock(), forcing cli_ctx.config.getboolean('core', 'use_msal_managed_identity', fallback=False) to be a MagicMock (True). In this case, a CredentialAdaptor is returned, instead of MSIAuthenticationWrapper.
| mock_cmd = mock.MagicMock() | ||
| profile = Profile(cli_ctx=mock_cmd.cli_ctx) |
There was a problem hiding this comment.
Why is mock.MagicMock() used as cli_ctx? test_azconfig_credential_adaptor_token_override uses DummyCli() which is correct.
6 participants
Related command
az appconfig --auth-mode loginDescription
Related to issue #30945
This change ensures that MSI auth works as expected.
Change was tested on azure VM to ensure authentication succeeds.
Since MI testing is not possible to on local dev devices, mocks were used to enable locally testing the code paths that result in
MSIAuthenticationWrapperbeing returned as the credential used for authentication, and was tested to ensure the expected method was called with the right scopes.Testing Guide
History Notes
[App Config]
az appconfig: Fix MSI auth for--auth-mode loginparameterThis checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.