
azure cli login --accesstoken

Open btrepp opened this issue 1 year ago • 3 comments

Related command

az login / az account get-access-token

Is your feature request related to a problem? Please describe.

Currently you can get an access token. This even works great with, say, Azure PowerShell scripts, which support an access token flag for logging in there; however, there is no way for azure cli to work with the access token it generates.

Describe the solution you'd like

Ideally I would like to be able to generate an access token, then pass that down to say a docker container or other script, so that it can use the token (potentially even with a less restricted scope) most likely in a docker container.

Such that the first line in the 'container' could be

az login --accesstoken $AZURE_CLI_TOKEN

so that further azure cli commands can be run.

Describe alternatives you've considered

People seem to volume mount the host's .azure folder; however, this seems to cause issues across operating systems, and seems pretty brute force (full login context).

The other option seems to be to create a full-on service principal to run the script, which is pretty crazy as you just want to run as 'the user'.

Other alternatives would be allowing this to be read from an environment variable, like other tools seem to do (and like it appears this token is expected to be used for).

The last alternative is not using azure-cli, and using the azure powershell scripts, after using the cli to generate a token. This feels a bit awkward as the cli is quite nice.

Additional context

btrepp avatar Feb 29 '24 03:02 btrepp
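An added example, not part of the original issue and not Azure CLI code: a pre-handoff check a script could run on the JSON from `az account get-access-token` before exporting the token to a container, confirming it targets the intended audience and has enough lifetime left. It assumes the access token is a JWT with `aud` and `exp` claims; the function names and the sample token are constructed for illustration, and the payload is decoded without signature verification.

```python
import base64
import json

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sample_cli_output(now: int) -> str:
    """Constructed stand-in for the CLI's JSON output; unsigned, not a real token."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    claims = _b64url({"aud": "https://management.azure.com", "exp": now + 3600})
    return json.dumps({"accessToken": header + "." + claims + ".", "tokenType": "Bearer"})

def read_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def handoff_problems(cli_json: str, expected_aud: str, min_seconds_left: int, now: int) -> list:
    """Reasons not to pass the token to a child process; an empty list means OK."""
    claims = read_claims(json.loads(cli_json)["accessToken"])
    problems = []
    if claims.get("aud") != expected_aud:
        problems.append(f"audience is {claims.get('aud')!r}, expected {expected_aud!r}")
    remaining = claims.get("exp", 0) - now
    if remaining < min_seconds_left:
        problems.append(f"only {remaining}s of lifetime left")
    return problems

if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value so the output is reproducible
    out = sample_cli_output(now)
    print(handoff_problems(out, "https://management.azure.com", 300, now))
    print(handoff_problems(out, "https://vault.azure.net", 300, now + 3500))
```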

Thank you for opening this issue, we will look into it.

yonzhan avatar Feb 29 '24 03:02 yonzhan

It would be quite useful in our environment!

DanielHRio avatar Mar 07 '24 05:03 DanielHRio

Any updates on this feature request?

vinli-cn avatar May 10 '24 06:05 vinli-cn

The lack of this capability is forcing us to attempt some really hacky things to get az cli login working with access tokens.

jim-mclean avatar May 15 '24 11:05 jim-mclean

I'm also facing this issue (even more in fact). I'm in an environment where device compliance is required to be able to authenticate to Azure. Because I'm running a container on WSL, the only option that I have today is to mount the .Azure folder from the Windows/WSL where the state of the device is working and use it from my container. The problem is that, for several az versions now, the MSAL local cache has been encrypted with the DPAPI Windows API. In other words, I simply can't read my MSAL cache from my container. So yes, using a token can be helpful, but adding a possibility to allow a non-encrypted cache flag can be useful as well. MSAL allows this even on Windows. Why not encrypt the token serialization cache by default and propose a flag to make the local cache not encrypted?

SCOMnewbie avatar Jun 17 '24 19:06 SCOMnewbie

Duplicate of #16459. Please vote on #16459 instead.

jiasli avatar Jun 18 '24 01:06 jiasli

@SCOMnewbie, I provided more info on your question in https://github.com/Azure/azure-cli/issues/29193.

jiasli avatar Jun 18 '24 01:06 jiasli