Azure CLI --sdk-auth is getting deprecated #129

Open
d0pare opened this issue Jan 31, 2024 · 4 comments


@d0pare

d0pare commented Jan 31, 2024

The Azure example in this documentation uses the --sdk-auth flag to generate credentials, but the Microsoft documentation shows that it is deprecated.

Currently, the Azure cloud provision uses NewEnvironmentCredential, which crafts credentials from environment variables previously set from the JSON access token file. A possible alternative is to use ClientSecretCredential and initialize it from the new JSON file that is returned if --sdk-auth is not specified.

New JSON file sample:

```json
{
  "appId": "", // same as client id
  "displayName": "",
  "password": "", // same as client secret
  "tenant": ""
}
```

@alexellis
Member

So what do you suggest using instead of passing --sdk-auth to obtain the initial token?

I.e. what replaces?

```bash
SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
# Quote the redirect target so a home directory containing spaces still works.
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" --sdk-auth \
  > "$HOME/Downloads/client_credentials.json"
```

And is this just a docs change or does code need to change also? I suspect the former?

cc @zechenbit

@d0pare
Author

d0pare commented Feb 1, 2024

There is no alternative to --sdk-auth. The only difference between these flags is the JSON output of the executed command.

JSON with flag

```json
{
  "clientId": "",
  "clientSecret": "",
  "subscriptionId": "",
  "tenantId": "",
  "activeDirectoryEndpointUrl": "",
  "resourceManagerEndpointUrl": "",
  "activeDirectoryGraphResourceId": "",
  "sqlManagementEndpointUrl": "",
  "galleryEndpointUrl": "",
  "managementEndpointUrl": ""
}
```

JSON without flag

```json
{
  "appId": "",
  "displayName": "",
  "password": "",
  "tenant": ""
}
```

So, the --sdk-auth flag should be removed from the command, and the inlets controller should be changed to handle the new JSON.

```bash
SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
# Quote the redirect target so a home directory containing spaces still works.
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" \
  > "$HOME/Downloads/client_credentials.json"
```

@alexellis
Member

/add label: helpwanted

@derek derek bot added the helpwanted label Feb 14, 2024
@zechen0
Contributor

zechen0 commented Feb 15, 2024

Thanks @d0pare for raising this and putting useful information together. I found some related discussions in the Azure CLI repository:

Per their discussion (Azure/azure-cli#21693 (comment)), the --sdk-auth flag won't be removed in the near future. Many tools are still relying on this, such as https://github.com/marketplace/actions/azure-login.

If it is just the naming, then maybe we can just change our fileToEnvMap: https://github.com/inlets/cloud-provision/blob/master/provision/azure.go#L35

The NewEnvironmentCredential will eventually call NewClientSecretCredential https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.5.1/sdk/azidentity/environment_credential.go#L80
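
An added sketch of the key mapping discussed in this thread, not code from inlets/cloud-provision or from any participant: it accepts either JSON shape quoted above and produces the `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_TENANT_ID` variables that azidentity's `NewEnvironmentCredential` reads. The names `envKeys`, `first` and `CredentialEnv` are hypothetical, the sample input is constructed, and passing the subscription ID separately is an assumption made because the file written without `--sdk-auth` does not contain one.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// envKeys maps each variable to the JSON key with --sdk-auth, then the key without it.
var envKeys = map[string][2]string{
	"AZURE_CLIENT_ID":     {"clientId", "appId"},
	"AZURE_CLIENT_SECRET": {"clientSecret", "password"},
	"AZURE_TENANT_ID":     {"tenantId", "tenant"},
}

// first returns the first argument that is a non-empty string.
func first(vals ...any) string {
	for _, v := range vals {
		if s, ok := v.(string); ok && s != "" {
			return s
		}
	}
	return ""
}

// CredentialEnv (hypothetical helper) maps either file shape to environment
// variables and a subscription ID; fallbackSub is used when the file has no
// subscriptionId. Errors name the missing variable, never the file contents.
func CredentialEnv(data []byte, fallbackSub string) (map[string]string, string, error) {
	var doc map[string]any
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, "", fmt.Errorf("parse credentials file: %w", err)
	}
	env := make(map[string]string, len(envKeys))
	for name, k := range envKeys {
		if env[name] = first(doc[k[0]], doc[k[1]]); env[name] == "" {
			return nil, "", fmt.Errorf("credentials file has no value for %s", name)
		}
	}
	sub := first(doc["subscriptionId"], fallbackSub)
	if sub == "" {
		return nil, "", fmt.Errorf("no subscription ID in file or from caller")
	}
	return env, sub, nil
}

func main() {
	// Constructed sample in the shape printed without --sdk-auth.
	env, sub, err := CredentialEnv([]byte(`{"appId":"a","password":"p","tenant":"t"}`), "sub-1")
	fmt.Println(len(env), sub, err)
}
```
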
