Skip to content

[Feature Request] For managed identity authentication, replace --username with --client-id, --object-id and --resource-id  #29480

Closed
#30525
Closed
[Feature Request] For managed identity authentication, replace --username with --client-id, --object-id and --resource-id #29480
#30525
Assignees
jiasli
Labels
Accountaz login/accountAuto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamSimilar-IssuequestionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that
Milestone
Backlog
@jiasli

Description

@jiasli
jiasli
opened on Jul 26, 2024

Related command
az login --identity

Is your feature request related to a problem? Please describe.
As mentioned in AzureAD/microsoft-authentication-library-for-python#480 (comment), Azure CLI does not surface an "identity ID type" concept, therefore the usage pattern is based on trial-and-error:

azure-cli/src/azure-cli-core/azure/cli/core/_profile.py

Lines 229 to 253 in 235c355

authenticated = False
from azure.cli.core.azclierror import AzureResponseError
try:
msi_creds = MSIAuthenticationWrapper(resource=resource, client_id=identity_id)
identity_type = MsiAccountTypes.user_assigned_client_id
authenticated = True
except AzureResponseError as ex:
if 'http error: 400, reason: Bad Request' in ex.error_msg:
logger.info('Sniff: not an MSI client id')
else:
raise
if not authenticated:
try:
identity_type = MsiAccountTypes.user_assigned_object_id
msi_creds = MSIAuthenticationWrapper(resource=resource, object_id=identity_id)
authenticated = True
except AzureResponseError as ex:
if 'http error: 400, reason: Bad Request' in ex.error_msg:
logger.info('Sniff: not an MSI object id')
else:
raise
if not authenticated:
raise CLIError('Failed to connect to MSI, check your managed service identity id.')

Reusing --username for 3 types of IDs is inefficient and can be confusing to command readers (#29198 (comment)).

Describe the solution you'd like
Replace --username with --client-id, --object-id and --resource-id for managed identity authentication.

Describe alternatives you've considered

Additional context
--service-principal may require similar changes: #29481

Metadata

Metadata

Assignees

Labels

Accountaz login/accountAuto-AssignAuto assign by botAzure CLI TeamThe command of the issue is owned by Azure CLI teamSimilar-IssuequestionThe issue doesn't require a change to the product in order to be resolved. Most issues start as that

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions