get_access_token_from_cli should be able to use cached service principal tokens #31

Open
nickraptis opened this issue May 16, 2018 · 4 comments

Comments

@nickraptis

I have a setup where azure-cli logs in as a service principal and would like to use the get_access_token_from_cli functionality.
The cached tokens file looks like this:

~/.azure/accessToken.json
[{ "servicePrincipalId": "xxxxxxxxxxxxxxxxxxxxxxxx", "servicePrincipalTenant": "xxxxxxxxxxxxxxxxxxxxx", "accessToken": "xxxxxxxxxxxxxxxxxxxxx" }]

Resulting in this error:

  File "site-packages/azurerm/adalfns.py", line 64, in get_access_token_from_cli
   if key['userId'] == sub_username:
KeyError: 'userId'

I've also seen setups where the cached tokens are both user and service principal ones.

Should be easy to be able to retrieve both kinds of tokens from the cache file.

PS: This is something I'll probably work on anyway. Opening this issue mostly to judge interest for a PR.

@gbowerman
Owner

Thanks @nickraptis. When you have a service principal, why don't you call get_access_token()? Is it to make the Python code more portable? E.g. re-use the same code in any CLI environment without needing any additional config files? That makes sense. Please go ahead and submit a PR for this.

@nickraptis
Author

@gbowerman Our use case is that we are using azurerm alongside azure-cli in a CI/CD pipeline.
azure-cli is already logged in as a principal, so we didn't want to lug the principal credentials around if we didn't need to.

I had overlooked the documentation's suggestion to use az account get-access-token.
This did take some work to update to a version offering it, but ended up being the right choice, so I don't think an enhancement is needed after all.
Other than considering catching the mentioned Exception, or more prominence in the documentation, I'm happy with closing the issue :)

@gbowerman
Owner

@nickraptis thanks, the use case makes sense. I'll leave this open in case anyone wants to take on implementing it, or catching the exception and returning a meaningful message.

@gbowerman
Owner

BTW a recent change improved get_access_token_from_cli() so it works in Azure cloud shell (getting token from MSI endpoint). May not be useful in your case, but adding it to this issue as an FYI.
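
A lookup that tolerates the mixed cache described in this issue, added here as an example; it is not azurerm's code. Only the keys userId, servicePrincipalId, servicePrincipalTenant and accessToken come from the issue; the function names, the TokenCacheError class and the sample cache are hypothetical and constructed. It raises a meaningful error instead of KeyError and keeps token values out of the message.

```python
import json

class TokenCacheError(LookupError):
    """No usable token for the requested identity."""

def entry_identity(entry):
    """Return (kind, id) for a cache entry, or None if it has neither key."""
    if not isinstance(entry, dict):
        return None
    if "userId" in entry:
        return ("user", entry["userId"])
    if "servicePrincipalId" in entry:
        return ("servicePrincipal", entry["servicePrincipalId"])
    return None

def find_cached_token(cache_text, identity):
    """Return the access token cached for a user name or service principal id."""
    try:
        entries = json.loads(cache_text)
    except ValueError as exc:
        raise TokenCacheError("token cache is not valid JSON") from exc
    if not isinstance(entries, list):
        raise TokenCacheError("token cache is not a JSON list")
    seen = []
    for entry in entries:
        ident = entry_identity(entry)
        if ident is None:
            continue  # unknown entry shape: skip instead of raising KeyError
        seen.append("%s:%s" % ident)
        if ident[1] == identity and entry.get("accessToken"):
            return entry["accessToken"]
    # The message names identities only; token values never appear in it.
    raise TokenCacheError("no cached token for %r; cache holds: %s"
                          % (identity, ", ".join(seen) or "no recognised entries"))

# Constructed sample cache mixing both entry kinds (all values are placeholders).
SAMPLE_CACHE = json.dumps([
    {"userId": "user@example.com", "accessToken": "constructed-user-token"},
    {"servicePrincipalId": "00000000-0000-0000-0000-000000000001",
     "servicePrincipalTenant": "00000000-0000-0000-0000-0000000000aa",
     "accessToken": "constructed-sp-token"},
    {"unexpected": "entry"},
])

if __name__ == "__main__":
    sp = "00000000-0000-0000-0000-000000000001"
    print("service principal token found:", bool(find_cached_token(SAMPLE_CACHE, sp)))
```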
