[BUG] AzureCliCredentials json format changed #1329

riezebosch opened this issue Aug 30, 2022 · 5 comments

@riezebosch

Describe the bug
A clear and concise description of what the bug is.

The format of the json files that are used by azure-cli to store the access tokens has changed. Therefore the AzureCliCredentials fails to parse the tokens that are used for logging in using a service principal.

$ az --version
azure-cli                         2.39.0

core                              2.39.0
telemetry                          1.0.6 *

Dependencies:
msal                            1.18.0b1
azure-mgmt-resource             21.1.0b1

Python location '/opt/homebrew/Cellar/azure-cli/2.39.0/libexec/bin/python'
Extensions directory '/Users/mriezebosch/.azure/cliextensions'

Python (Darwin) 3.10.6 (main, Aug 11 2022, 13:36:31) [Clang 13.1.6 (clang-1316.0.21.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

Old format & location:

cat ~/.azure/accessTokens.json 
[
    {
        "servicePrincipalTenant": "** GUID **",
        "servicePrincipalId": "** GUID **",
        "accessToken": "** TOKEN **"
    }
]

New format & location:

cat ~/.azure/service_principal_entries.json 
[
    {
        "tenant": "** GUID **",
        "client_id": "** GUID **",
        "client_secret": "** TOKEN **"
    }
]

Exception or Stack Trace
Add the exception log and stack trace if available

To Reproduce
Steps to reproduce the behavior:

  1. Upgrade azure-cli
  2. az logout (to clear the ~/.azure folder)
  3. az login --service-principal -u '** GUID **' -p '** TOKEN **' --tenant '** GUID **'
  4. Use AzureCliCredentials.Create()

Code Snippet
Add the code snippet that causes the issue.

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: [e.g. iOS]
  • IDE : [e.g. IntelliJ]
  • Version of the Library used

Microsoft.Azure.Management.Fluent@1.38.1

Additional context
Add any other context about the problem here.
https://github.com/Azure/azure-libraries-for-net/blob/master/src/ResourceManagement/ResourceManager/Authentication/AzureCliCredentials.cs#L45

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
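
The format change described above, as an added example that is not part of the original issue or of the library's code: a Python check that recognizes both layouts by the file and field names quoted in the issue and reports which one a `~/.azure` directory holds, without returning secret values. The function names and the sample GUIDs are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# File and field names are the ones quoted in the issue; the rest is illustrative.
LAYOUTS = {
    "old": ("servicePrincipalTenant", "servicePrincipalId", "accessToken"),
    "new": ("tenant", "client_id", "client_secret"),
}
CACHE_FILES = ("accessTokens.json", "service_principal_entries.json")


def classify_entry(entry):
    """Return (layout, tenant, client_id, secret_field); never the secret itself."""
    if isinstance(entry, dict):
        for layout, (tenant_key, id_key, secret_key) in LAYOUTS.items():
            if {tenant_key, id_key, secret_key} <= entry.keys():
                return layout, entry[tenant_key], entry[id_key], secret_key
    return "unknown", None, None, None


def inspect_azure_dir(azure_dir):
    """List service-principal entries found in either cache file of azure_dir."""
    findings = []
    for name in CACHE_FILES:
        path = Path(azure_dir) / name
        if not path.is_file():
            continue
        try:
            entries = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError) as exc:  # malformed JSON is reported, not raised
            findings.append({"file": name, "layout": "unreadable", "error": str(exc)})
            continue
        for entry in entries if isinstance(entries, list) else [entries]:
            layout, tenant, client_id, secret_field = classify_entry(entry)
            findings.append({"file": name, "layout": layout, "tenant": tenant,
                             "client_id": client_id, "secret_field": secret_field})
    return findings


def demo():
    """Run the check against a constructed post-upgrade ~/.azure directory."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = [{"tenant": "00000000-0000-0000-0000-000000000001",
                   "client_id": "00000000-0000-0000-0000-000000000002",
                   "client_secret": "constructed-placeholder"}]
        (Path(tmp) / CACHE_FILES[1]).write_text(json.dumps(sample))
        return inspect_azure_dir(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A consumer that only understands the old layout can use the reported `layout` to fail with a clear message instead of a parse error.
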
@weidongxu-microsoft
Member

New CLI should be on MSAL, but this lib stays at ADAL.

The lib is in maintenance mode, and to be deprecated.

Please plan to switch to https://aka.ms/azsdk/dotnet/mgmt

@riezebosch
Author

For this particular issue I don't think it is ADAL/MSAL related. The AzureCliCredentials class just uses the credentials cached by azure-cli. I've seen the new SDK using the cli directly for that, and this lib has its built-in parser.

@rvdginste

@riezebosch

I had an issue with the AzureCliCredentials and wanted to check the source code. I looked at the implementation here and thought I'd bumped into the unsupported old json issue, but I was actually using the newer library Azure.Identity. The implementation in here (old) directly reads the json file, but the implementation in Azure.Identity directly calls the Azure cli and does not have the issue.

See https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs

@weidongxu-microsoft
Member

weidongxu-microsoft commented Sep 13, 2022

Azure.Identity should work fine (unless there is a bug).

Yes, the current solution would be to call the CLI and let it fetch the result. However, I am not sure whether it works the same if the CLI is an old version (before they've moved to MSAL).

@riezebosch

As mentioned by @rvdginste, the JSON format changed (or even file location). Whether it is ADAL/MSAL is now internal to CLI.
But as said, this lib is likely to be deprecated soon, and we are not adding new features.

@riezebosch
Author

I understand, but now people depending on this library find their software being in an unusable state since it no longer works with an updated azure-cli.

Is it possible to combine the credentials provided by Azure.Identity with this library?
