Skip to content

[Profile] az account get-access-token: Allow specifying --tenant with the current tenant #31869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jiasli merged 1 commit into from
Aug 8, 2025
Merged

[Profile] az account get-access-token: Allow specifying --tenant with the current tenant #31869

jiasli merged 1 commit into from
Aug 8, 2025

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Jul 25, 2025

Related command
az account get-access-token

Description
Resolve Azure/azure-sdk-for-python#41875

#11798 forbids passing --tenant to az account get-access-token.

However, when Key Vault data-plane SDK receives a challenge, it will always pass the tenant_id to AzureCliCredential and az account get-access-token. If the current account is a Cloud Shell or managed identity account, az account get-access-token will fail:

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Lines 370 to 373 in bc6c4d9

elif managed_identity_type:
# managed identity
if tenant:
raise CLIError("Tenant shouldn't be specified for managed identity account")

As it is impossible for SDK to know which account type is used by Azure CLI and pass --tenant conditionally, it is better for CLI to allow --tenant with the current tenant.

This PR allows specifying --tenant with the current tenant for Cloud Shell or managed identity account, but still raises error when getting access token for a non-current tenant.

Testing Guide

# Success
az account get-access-token
az account get-access-token --tenant CURRENT_TENANT

# Error
az account get-access-token --tenant 00000000-0000-0000-0000-000000000000

History Notes

[Profile] az account get-access-token: Specifying --tenant with the current tenant is now allowed for Cloud Shell and managed identity account

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jul 25, 2025
edited
Loading

️✔️AzureCLI-FullTest
️✔️acr
️✔️latest
️✔️3.12
️✔️3.9
️✔️acs
️✔️latest
️✔️3.12
️✔️3.9
️✔️advisor
️✔️latest
️✔️3.12
️✔️3.9
️✔️ams
️✔️latest
️✔️3.12
️✔️3.9
️✔️apim
️✔️latest
️✔️3.12
️✔️3.9
️✔️appconfig
️✔️latest
️✔️3.12
️✔️3.9
️✔️appservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️aro
️✔️latest
️✔️3.12
️✔️3.9
️✔️backup
️✔️latest
️✔️3.12
️✔️3.9
️✔️batch
️✔️latest
️✔️3.12
️✔️3.9
️✔️batchai
️✔️latest
️✔️3.12
️✔️3.9
️✔️billing
️✔️latest
️✔️3.12
️✔️3.9
️✔️botservice
️✔️latest
️✔️3.12
️✔️3.9
️✔️cdn
️✔️latest
️✔️3.12
️✔️3.9
️✔️cloud
️✔️latest
️✔️3.12
️✔️3.9
️✔️cognitiveservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️compute_recommender
️✔️latest
️✔️3.12
️✔️3.9
️✔️computefleet
️✔️latest
️✔️3.12
️✔️3.9
️✔️config
️✔️latest
️✔️3.12
️✔️3.9
️✔️configure
️✔️latest
️✔️3.12
️✔️3.9
️✔️consumption
️✔️latest
️✔️3.12
️✔️3.9
️✔️container
️✔️latest
️✔️3.12
️✔️3.9
️✔️containerapp
️✔️latest
️✔️3.12
️✔️3.9
️✔️core
️✔️latest
️✔️3.12
️✔️3.9
️✔️cosmosdb
️✔️latest
️✔️3.12
️✔️3.9
️✔️databoxedge
️✔️latest
️✔️3.12
️✔️3.9
️✔️dls
️✔️latest
️✔️3.12
️✔️3.9
️✔️dms
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventgrid
️✔️latest
️✔️3.12
️✔️3.9
️✔️eventhubs
️✔️latest
️✔️3.12
️✔️3.9
️✔️feedback
️✔️latest
️✔️3.12
️✔️3.9
️✔️find
️✔️latest
️✔️3.12
️✔️3.9
️✔️hdinsight
️✔️latest
️✔️3.12
️✔️3.9
️✔️identity
️✔️latest
️✔️3.12
️✔️3.9
️✔️iot
️✔️latest
️✔️3.12
️✔️3.9
️✔️keyvault
️✔️latest
️✔️3.12
️✔️3.9
️✔️lab
️✔️latest
️✔️3.12
️✔️3.9
️✔️managedservices
️✔️latest
️✔️3.12
️✔️3.9
️✔️maps
️✔️latest
️✔️3.12
️✔️3.9
️✔️marketplaceordering
️✔️latest
️✔️3.12
️✔️3.9
️✔️monitor
️✔️latest
️✔️3.12
️✔️3.9
️✔️mysql
️✔️latest
️✔️3.12
️✔️3.9
️✔️netappfiles
️✔️latest
️✔️3.12
️✔️3.9
️✔️network
️✔️latest
️✔️3.12
️✔️3.9
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.9
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.9
️✔️profile
️✔️latest
️✔️3.12
️✔️3.9
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.9
️✔️redis
️✔️latest
️✔️3.12
️✔️3.9
️✔️relay
️✔️latest
️✔️3.12
️✔️3.9
️✔️resource
️✔️latest
️✔️3.12
️✔️3.9
️✔️role
️✔️latest
️✔️3.12
️✔️3.9
️✔️search
️✔️latest
️✔️3.12
️✔️3.9
️✔️security
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.9
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.9
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.9
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.9
️✔️sql
️✔️latest
️✔️3.12
️✔️3.9
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.9
️✔️storage
️✔️latest
️✔️3.12
️✔️3.9
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.9
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.9
️✔️util
️✔️latest
️✔️3.12
️✔️3.9
️✔️vm
️✔️latest
️✔️3.12
️✔️3.9

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jul 25, 2025

Hi @jiasli,
Since the current milestone time is less than 7 days, this pr will be reviewed in the next milestone.

@azure-client-tools-bot-prd
Copy link

azure-client-tools-bot-prd bot commented Jul 25, 2025
edited
Loading

️✔️AzureCLI-BreakingChangeTest
️✔️Non Breaking Changes

@yonzhan
Copy link
Collaborator

yonzhan commented Jul 25, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions
Copy link

github-actions bot commented Jul 25, 2025

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Jul 25, 2025
@microsoft-github-policy-service microsoft-github-policy-service bot added the ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group label Jul 25, 2025
jiasli
jiasli commented Jul 25, 2025
View reviewed changes
src/azure-cli-core/azure/cli/core/_profile.py
Comment on lines +375 to +376
if tenant and tenant != account[_TENANT_ID]:
raise CLIError(non_current_tenant_template.format('managed identity'))
Copy link
Member Author

@jiasli jiasli Jul 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of raising an error, another possible solution is to ignore the specified tenant and just return the access token for the current tenant, but it will result in wrong access token being returned, making it difficult to troubleshoot. I don't agree with this solution.

@jiasli jiasli marked this pull request as ready for review July 28, 2025 06:48
Copilot AI review requested due to automatic review settings July 28, 2025 06:48
Copilot AI reviewed Jul 28, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR allows specifying --tenant with the current tenant for Cloud Shell and managed identity accounts in the az account get-access-token command. Previously, any tenant specification was forbidden for these account types, but this caused issues when Azure SDK components always pass the tenant ID during authentication challenges.

Key changes:

  • Modified error handling to allow tenant specification when it matches the current account's tenant
  • Updated error messages to be more descriptive about the specific restriction
  • Enhanced test coverage to verify both allowed and disallowed tenant specifications

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/azure-cli-core/azure/cli/core/_profile.py Updated logic to allow current tenant specification and improved error messages
src/azure-cli-core/azure/cli/core/tests/test_profile.py Added test cases for current tenant specification and updated error message assertions

src/azure-cli-core/azure/cli/core/_profile.py
Comment on lines +363 to +364
non_current_tenant_template = ("For {} account, getting access token for non-current tenants is not "
"supported. The specified tenant must be the current tenant "
Copy link

Copilot AI Jul 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The template string construction is unnecessarily complex and hard to read. Consider using a single f-string or format method call instead of concatenating strings and mixing f-string syntax.

Suggested change
non_current_tenant_template = ("For {} account, getting access token for non-current tenants is not "
"supported. The specified tenant must be the current tenant "
non_current_tenant_template = (f"For {{}} account, getting access token for non-current tenants is not "
f"supported. The specified tenant must be the current tenant "

Copilot uses AI. Check for mistakes.
Copy link
Member Author

@jiasli jiasli Jul 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment is incorrect. Prefixing the substring with f is unnecessary.

src/azure-cli-core/azure/cli/core/_profile.py

non_current_tenant_template = ("For {} account, getting access token for non-current tenants is not "
"supported. The specified tenant must be the current tenant "
f"{account[_TENANT_ID]}")
Copy link

Copilot AI Jul 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The f-string formatting here is redundant since you're just converting a variable to string. You can directly use {account[_TENANT_ID]} in the format method call.

Suggested change
f"{account[_TENANT_ID]}")
"{}").format(account[_TENANT_ID])

Copilot uses AI. Check for mistakes.
Copy link
Member Author

@jiasli jiasli Jul 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This copilot comment is incorrect. f-string is preferred in this case.

@jiasli jiasli merged commit 91236a1 into Azure:dev Aug 8, 2025
56 checks passed
@jiasli jiasli deleted the get-access-token-tenant branch August 8, 2025 07:14
@jiasli jiasli assigned jiasli and unassigned zhoxing-ms Dec 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bebound bebound bebound approved these changes

@evelyn-ys evelyn-ys evelyn-ys approved these changes

@zhoxing-ms zhoxing-ms Awaiting requested review from zhoxing-ms zhoxing-ms is a code owner

@yonzhan yonzhan Awaiting requested review from yonzhan

@jsntcy jsntcy Awaiting requested review from jsntcy jsntcy is a code owner

@kairu-ms kairu-ms Awaiting requested review from kairu-ms kairu-ms is a code owner

@calvinhzy calvinhzy Awaiting requested review from calvinhzy calvinhzy is a code owner

@necusjz necusjz Awaiting requested review from necusjz necusjz is a code owner

Assignees

@jiasli jiasli

Labels

ARM az resource/group/lock/tag/deployment/policy/managementapp/account management-group Auto-Assign Auto assign by bot

Projects

None yet

Milestone

September 2025 (2025-09-02)

Development

Successfully merging this pull request may close these issues.

Keyvault with AzureCliCredential fails from AML Compute

5 participants

@jiasli @yonzhan @bebound @evelyn-ys @zhoxing-ms