
{Core} Fix: In Cloud Shell, cross-tenant authentication fails for user or Service Principal account #17805

Merged
merged 2 commits into Azure:dev from cross-tenant
Apr 22, 2021

Conversation

jiasli
Member

@jiasli jiasli commented Apr 21, 2021

Description

In Cloud Shell, even if `az login` is run with a user or Service Principal account, subsequent commands involving cross-tenant authentication fail:

```shell
$ az network vnet peering create --name myVnetAToMyVnetB --resource-group myResourceGroupA --vnet-name myVnetA --remote-vnet /subscriptions/414af076-009b-4282-9a0a-acf75bcb037e/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB --allow-vnet-access
Cross-tenant authentication is not supported by managed identity and Cloud Shell. Please run `az login` with
a user account or a service principal.
```

Cause

This bug was introduced by #16797, where only `in_cloud_console()` is checked:

```python
if external_tenants_info and (identity_type or in_cloud_console()):
    raise CLIError("Cross-tenant authentication is not supported by managed identity and Cloud Shell. "
                   "Please run `az login` with a user account or a service principal.")
```

In fact, `_CLOUD_SHELL_ID` (`cloudShellID`) should also be checked so that the error is only raised for Cloud Shell's Managed Identity account, instead of for a user or Service Principal account.

Testing guide

In Cloud Shell, run

```shell
az login
# Replace `414af076-009b-4282-9a0a-acf75bcb037e` with your own subscription ID in another tenant
az network vnet peering create --name myVnetAToMyVnetB --resource-group myResourceGroupA --vnet-name myVnetA --remote-vnet /subscriptions/414af076-009b-4282-9a0a-acf75bcb037e/resourceGroups/myResourceGroupB/providers/Microsoft.Network/VirtualNetworks/myVnetB --allow-vnet-access
```
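
The guard described in the Cause section, modelled as an added example so the pre- and post-fix conditions can be compared side by side on constructed accounts. This is not azure-cli code: the `_USER_ENTITY` key, the shape of the `account` dict, the function names, and the assumption that a Cloud Shell managed-identity login tags the user entity with `cloudShellID=True` are all assumptions made for the example; only `_CLOUD_SHELL_ID` / `cloudShellID` and the error text come from the PR description.

```python
# Added example (not azure-cli code): models the cross-tenant guard from the PR so the
# behaviour before and after the fix can be compared on constructed accounts.

_CLOUD_SHELL_ID = 'cloudShellID'  # identifier quoted in the PR description

# Assumption for this example: the account dict keeps a user entity under 'user',
# and a Cloud Shell managed-identity login tags that entity with cloudShellID=True.
_USER_ENTITY = 'user'

CROSS_TENANT_ERROR = ("Cross-tenant authentication is not supported by managed identity "
                      "and Cloud Shell. Please run `az login` with a user account or a "
                      "service principal.")


class CLIError(Exception):
    """Stand-in for azure-cli's CLIError."""


def _is_cloud_shell_msi(account, in_cloud_console):
    """True only when running in Cloud Shell AND the account is Cloud Shell's managed identity."""
    return bool(in_cloud_console and account.get(_USER_ENTITY, {}).get(_CLOUD_SHELL_ID))


def guard_before_fix(external_tenants_info, identity_type, in_cloud_console, account):
    """The condition introduced by #16797: any session inside Cloud Shell is rejected."""
    if external_tenants_info and (identity_type or in_cloud_console):
        raise CLIError(CROSS_TENANT_ERROR)


def guard_after_fix(external_tenants_info, identity_type, in_cloud_console, account):
    """Corrected condition: only a managed identity (local MSI or Cloud Shell MSI) is rejected."""
    if external_tenants_info and (identity_type or _is_cloud_shell_msi(account, in_cloud_console)):
        raise CLIError(CROSS_TENANT_ERROR)


# Constructed scenarios; every name, tenant and identity value here is a placeholder.
SCENARIOS = {
    # name: (external_tenants_info, identity_type, in_cloud_console, account)
    'user_in_cloud_shell': (['tenant-b-placeholder'], None, True,
                            {_USER_ENTITY: {'name': 'user@example.com', 'type': 'user'}}),
    'sp_in_cloud_shell': (['tenant-b-placeholder'], None, True,
                          {_USER_ENTITY: {'name': 'app-id-placeholder', 'type': 'servicePrincipal'}}),
    'msi_in_cloud_shell': (['tenant-b-placeholder'], None, True,
                           {_USER_ENTITY: {'name': 'msi-placeholder', 'type': 'user', _CLOUD_SHELL_ID: True}}),
    'msi_on_vm': (['tenant-b-placeholder'], 'MSI', False,
                  {_USER_ENTITY: {'name': 'msi-placeholder', 'type': 'user'}}),
    'user_local_same_tenant': ([], None, False,
                               {_USER_ENTITY: {'name': 'user@example.com', 'type': 'user'}}),
}


def evaluate(guard):
    """Run every scenario through a guard and report 'allowed' or 'rejected' per scenario."""
    results = {}
    for name, args in SCENARIOS.items():
        try:
            guard(*args)
            results[name] = 'allowed'
        except CLIError:
            results[name] = 'rejected'
    return results


if __name__ == '__main__':
    for label, guard in (('before fix', guard_before_fix), ('after fix', guard_after_fix)):
        print(label)
        for name, outcome in evaluate(guard).items():
            print(f'  {name:24s} {outcome}')
```

Running it shows the regression the PR fixes: before the fix `user_in_cloud_shell` and `sp_in_cloud_shell` are rejected purely because `in_cloud_console` is true, while after the fix only the two managed-identity scenarios are rejected and the same-tenant case passes in both versions.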

@jiasli jiasli requested a review from evelyn-ys as a code owner April 21, 2021 07:27
@jiasli jiasli requested a review from yonzhan April 21, 2021 07:27
@yonzhan yonzhan added this to the S186 milestone Apr 21, 2021
@yonzhan
Collaborator

yonzhan commented Apr 21, 2021

Core

Collaborator

@yonzhan yonzhan left a comment


LGTM

@jiasli jiasli merged commit 902b942 into Azure:dev Apr 22, 2021
@jiasli jiasli deleted the cross-tenant branch April 22, 2021 09:33
3 participants