
Azure CLI --sdk-auth is getting deprecated

Open d0pare opened this issue 2 years ago • 4 comments

The Azure example in this documentation uses the --sdk-auth flag to generate credentials. But Microsoft's documentation shows that it is deprecated.

Currently, azure cloud provision uses NewEnvironmentCredential, which crafts credentials from environment variables previously set from the JSON access token file. A possible alternative is to use ClientSecretCredential and initialize it from the new JSON file that is returned if --sdk-auth is not specified.

New JSON file sample:

{
  "appId": "", // same as client id
  "displayName": "",
  "password": "", // same as client secret
  "tenant": ""
}

d0pare avatar Jan 31 '24 21:01 d0pare

So what do you suggest using instead of passing --sdk-auth to obtain the initial token?

I.e. what replaces this?

SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" --sdk-auth \
  > $HOME/Downloads/client_credentials.json

And is this just a docs change or does code need to change also? I suspect the former?

cc @zechenbit

alexellis avatar Feb 01 '24 10:02 alexellis

There is no alternative to --sdk-auth. The only difference between these flags is the JSON output of the executed command.

JSON with flag

{
  "clientId": "",
  "clientSecret": "",
  "subscriptionId": "",
  "tenantId": "",
  "activeDirectoryEndpointUrl": "",
  "resourceManagerEndpointUrl": "",
  "activeDirectoryGraphResourceId": "",
  "sqlManagementEndpointUrl": "",
  "galleryEndpointUrl": "",
  "managementEndpointUrl": ""
}

JSON without flag

{
  "appId": "",
  "displayName": "",
  "password": "",
  "tenant": ""
}

So, the --sdk-auth flag should be removed from the command, and the inlets controller should be changed to handle the new JSON.

SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" \
  > $HOME/Downloads/client_credentials.json

d0pare avatar Feb 01 '24 13:02 d0pare

/add label: helpwanted

alexellis avatar Feb 14 '24 11:02 alexellis

Thanks @d0pare for raising this and putting useful information together. I found some related discussions in Azure CLI repository:

  • How the fields are mapping with and without --sdk-auth: https://github.com/Azure/azure-cli/issues/22297
  • https://github.com/Azure/azure-cli/issues/20743

Per their discussion (https://github.com/Azure/azure-cli/issues/21693#issuecomment-1120115472), --sdk-auth won't be removed in the near future. Many tools still rely on it, such as https://github.com/marketplace/actions/azure-login.

If it is just the naming, then maybe we can just change our fileToEnvMap: https://github.com/inlets/cloud-provision/blob/master/provision/azure.go#L35

The NewEnvironmentCredential will eventually call NewClientSecretCredential https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.5.1/sdk/azidentity/environment_credential.go#L80

zechen0 avatar Feb 15 '24 06:02 zechen0
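The two JSON shapes d0pare posted above and the fileToEnvMap idea zechen0 raises both come down to one mapping problem: clientId/appId, clientSecret/password and tenantId/tenant are the same three values under different keys, while the default (no --sdk-auth) output carries no subscriptionId at all, so the subscription has to come from somewhere else. The Go program below is an added example, not code from inlets/cloud-provision or from anyone in this thread. It reads either shape, fills the subscription from a caller-supplied fallback when the file lacks it, and emits the AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID variables that azidentity's EnvironmentCredential reads. AZURE_SUBSCRIPTION_ID is not read by azidentity; it is included here on the assumption that the provisioner wants it, and the function and type names are the example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// AzureCreds holds the values a ClientSecretCredential needs plus the
// subscription the provisioner itself scopes resources to.
type AzureCreds struct {
	ClientID       string
	ClientSecret   string
	TenantID       string
	SubscriptionID string
}

// ParseServicePrincipalJSON accepts either the legacy --sdk-auth output
// (clientId / clientSecret / tenantId / subscriptionId, plus endpoint URLs)
// or the default `az ad sp create-for-rbac` output (appId / password / tenant,
// no subscription). fallbackSubscription is used only when the file carries
// no subscriptionId; an empty result for any field is an error, so a
// half-populated file never silently yields a credential that fails later.
func ParseServicePrincipalJSON(data []byte, fallbackSubscription string) (AzureCreds, error) {
	var raw map[string]any
	if err := json.Unmarshal(data, &raw); err != nil {
		return AzureCreds{}, fmt.Errorf("parse credentials file: %w", err)
	}
	// pick returns the first non-empty string value among the candidate keys;
	// the legacy name is listed first, the default-output name second.
	pick := func(keys ...string) string {
		for _, k := range keys {
			if v, ok := raw[k].(string); ok && v != "" {
				return v
			}
		}
		return ""
	}
	c := AzureCreds{
		ClientID:       pick("clientId", "appId"),
		ClientSecret:   pick("clientSecret", "password"),
		TenantID:       pick("tenantId", "tenant"),
		SubscriptionID: pick("subscriptionId"),
	}
	if c.SubscriptionID == "" {
		c.SubscriptionID = fallbackSubscription
	}
	var missing []string
	if c.ClientID == "" {
		missing = append(missing, "clientId/appId")
	}
	if c.ClientSecret == "" {
		missing = append(missing, "clientSecret/password")
	}
	if c.TenantID == "" {
		missing = append(missing, "tenantId/tenant")
	}
	if c.SubscriptionID == "" {
		missing = append(missing, "subscriptionId (not in default output; pass it separately)")
	}
	if len(missing) > 0 {
		return AzureCreds{}, errors.New("credentials file missing: " + strings.Join(missing, ", "))
	}
	return c, nil
}

// EnvMap returns the environment variables EnvironmentCredential reads
// (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) plus
// AZURE_SUBSCRIPTION_ID, which is assumed to be consumed by the caller.
func (c AzureCreds) EnvMap() map[string]string {
	return map[string]string{
		"AZURE_CLIENT_ID":       c.ClientID,
		"AZURE_CLIENT_SECRET":   c.ClientSecret,
		"AZURE_TENANT_ID":       c.TenantID,
		"AZURE_SUBSCRIPTION_ID": c.SubscriptionID,
	}
}

// Usage: go run . client_credentials.json [SUBSCRIPTION_ID]
// Prints the variables as KEY=VALUE lines; the secret is printed deliberately
// only because this is a demonstration, never do that in a real provisioner.
func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: sp2env <credentials.json> [subscriptionId]")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	sub := os.Getenv("SUBSCRIPTION_ID")
	if len(os.Args) > 2 {
		sub = os.Args[2]
	}
	creds, err := ParseServicePrincipalJSON(data, sub)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for k, v := range creds.EnvMap() {
		fmt.Printf("%s=%s\n", k, v)
	}
}
```

Because the default output has no subscriptionId, a docs-only change (dropping --sdk-auth from the command) is not enough on its own: whatever loads the file must also take the subscription from the SUBSCRIPTION_ID the user already has in their shell, or refuse to continue, as the example does.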