Azure/azure-cli

Add more non-interactive authentication modes

Open

#7,594 opened on Oct 17, 2018

Labels: Account, act-identity-squad, feature-request, help wanted

Description

Is your feature request related to a problem? Please describe.

I am frustrated when trying to run Azure CLI from PowerShell silently.

az login currently supports these non-interactive authentication modes:

  • login with user credentials
  • login with SP credentials
  • login with SP certificate file (PEM only)
  • login with system managed identity
  • login with user assigned managed identity

I would like to see some more that are mostly applicable to Windows environments.

Describe the solution you'd like

  • login with SP certificate coming from a certificate store (Windows only)
  • login with an existing access token obtained for the appropriate audience, such as piping Azure PowerShell access token into Azure CLI.
  • single sign-on with Windows identity from a domain environment connected to an AAD tenant with ADFS

I don't want to provide any credentials (user credentials or SP ID / Key) via CLI to login silently, because it's the least secure option. However, it's fine if I can't use single sign on if I am stopped by MFA.

Describe alternatives you've considered

We are now trialing login with user assigned managed identity case with preview managed identities.

Additional context

I am trying to call az acr build and az acr repository commands from PowerShell, because the Azure PowerShell set of ACR commands is lacking.
