Use --client-id for user-assigned managed identity authentication in Azure CLI v2.69.0 or later.
#514
Conversation
src/Cli/AzureCliLogin.ts
Outdated
|
|
||
| await this.executeAzCliCommand(["version"], true, execOptions); | ||
| core.debug(`Azure CLI version used:\n${output}`); | ||
| this.azVersion = JSON.parse(output)["azure-cli"]; |
There was a problem hiding this comment.
Have you checked all Azure CLI version to see the output format of this? What if JSON.parse throws an exception?
There was a problem hiding this comment.
Azure CLI hasn't changed its JSON output format for over 5 years.
I prefer to use az version to get the Azure CLI version. If JSON.parse throws an exception, it means the user is using an unsupported version of Azure CLI and should be rejected.
@jiasli, do you have any other suggestions for reliably obtaining the Azure CLI version?
There was a problem hiding this comment.
az version is stable. It is safe to use it.
src/Cli/AzureCliLogin.ts
Outdated
|
|
||
| async loginWithUserAssignedIdentity(args: string[]) { | ||
| args.push("--username", this.loginConfig.servicePrincipalId); | ||
| const azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10); |
There was a problem hiding this comment.
What if parseInt throws an exception? Will it fail the login?
There was a problem hiding this comment.
Not sure how parseInt could throw an exception on azcliMinorVersion. The Azure CLI version always follows the xx.xx.xx format.
There was a problem hiding this comment.
The second version section is always an integer.
| if (azcliMinorVersion < 69) { | ||
| args.push("--username", this.loginConfig.servicePrincipalId); | ||
| } |
There was a problem hiding this comment.
Any schedule on when login action stops supporting Azure CLI < 2.69.0?
There was a problem hiding this comment.
There are currently no plans to change. Telemetry shows that about 30% of users utilize self-hosted runners, which may not always install the latest Azure CLI. Additionally, all managed identity users are using Azure VMs. So I would like to continue supporting login action across different Azure CLI versions, similar to cli action.
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
MoChilia
had a problem deploying
to
Automation test
GitHub Actions
Failure
Azure CLI introduced 3 new arguments
--client-id,--object-idand--resource-idto replace--usernamefor user-assigned managed identity authentication: Azure/azure-cli#30525.Since
azure/loginonly supportsclient-id: https://github.com/marketplace/actions/azure-login#login-with-user-assigned-managed-identity, it should mapclient-idto--client-idinstead of--username.For not introducing breaking changes,
--usernameshould be kept in Azure/login for Azure CLI versions before 2.69.0. But it is only valid in Azure/login@v2, once Azure CLI removes the argument--username, Azure/login@v1 will break for user-assigned managed identity login.The test workflow: https://github.com/Azure/azclitools-actions-test/blob/main/.github/workflows/azure-login-mi-version-test.yml
Workflow result: https://github.com/Azure/azclitools-actions-test/actions/runs/13513290504
Close #506