
Have az account list/show contain the object id of the user or principal #9506

Open
zippy1981 opened this issue May 29, 2019 · 3 comments

Comments

@zippy1981

commented May 29, 2019

Is your feature request related to a problem? Please describe.

My ultimate goal is to use the Azure CLI to get the object id of the user that I am logged into the Azure CLI with, to set an environment variable which terraform will use to give itself permission to create certificates in the azure key vault it is creating.

Describe the solution you'd like
Ideally I'd like az account show to have an additional field in the user object e.g:

{
  "environmentName": "AzureCloud",
  "id": "XXXXXXXX",
  "isDefault": true,
  "name": "Pay-As-You-Go",
  "state": "Enabled",
  "tenantId": "XXXXXXX",
  "user": {
    "object_id": "8fdc6358-0cde-45cd-b1b1-3ca7eb733a93",
    "name": "zippy1981@mydomain",
    "type": "user"
  }
}

Therefore I could issue the command $env:TF_VAR_certificate_creator = $(az account show --query 'user.object_id' -otsv)

And it would put the right object id in my terraform file like so:

resource "azurerm_key_vault" "always_encrypted_sample" {
  # . . . . . . . SNIP . . . . . .
  access_policy {
    tenant_id = "${data.azurerm_client_config.current.tenant_id}"
    object_id = "${var.certificate_creator}"

    certificate_permissions = [
      "create", "get" # Terraform needs get to make the cert, probably to check its existence
    ]
  }
}

Describe alternatives you've considered

The following would also work:

  • az ad user show could default to the currently logged in user if using user auth as opposed to service principal auth.
  • If az account get-access-token had a parameter to output the decoded JWT token that I could query with --query I could read the oid property.
  • If az account show listed the upn as opposed to the object id, I could get this info onto the command line.

Additional context
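The second alternative above (reading the oid claim out of the token that az account get-access-token returns) can be done client-side today without any CLI change. The script below is an added example, not code from the issue author or from the Azure CLI project. It decodes the JWT payload locally and pulls the oid claim; the token it runs against offline is a constructed, unsigned sample, and the signed_in_object_id helper (which shells out to a real az account get-access-token --query accessToken -o tsv) only works after az login. The decode deliberately skips signature verification: that is acceptable for inspecting a token you just obtained from your own CLI, but the claims must never be used to make an authorization decision.

```python
"""Read the `oid` claim from an Azure CLI access token (added example)."""
import base64
import json
import subprocess


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS *without* verifying the signature.

    Only suitable for inspecting a token you obtained yourself; unverified claims
    must not drive any trust or authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def object_id_from_token(token: str) -> str:
    """The `oid` claim is the Azure AD object id of the signed-in identity
    (user or service principal), which is what a key vault access_policy needs."""
    oid = jwt_claims(token).get("oid")
    if not oid:
        raise KeyError("token carries no 'oid' claim")
    return oid


def signed_in_object_id() -> str:
    """Call the real CLI (requires `az login`) and return the signed-in oid."""
    token = subprocess.run(
        ["az", "account", "get-access-token", "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    ).stdout.strip()
    return object_id_from_token(token)


def _make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample (alg "none", empty signature) for offline use only.
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


# Constructed sample claims; the oid here is a placeholder, not a real object id.
SAMPLE_TOKEN = _make_sample_token({
    "oid": "00000000-0000-0000-0000-000000000000",
    "upn": "user@example.com",
    "idtyp": "user",
})


if __name__ == "__main__":
    print(object_id_from_token(SAMPLE_TOKEN))   # offline demo on the sample token
    # print(signed_in_object_id())              # real value, needs an active az login
```

Because the access token is issued to whichever identity the CLI is signed in as, this works the same for a user and for a service principal, whereas az ad signed-in-user show only answers for a user. The value you want in the Terraform access_policy is this oid; the upn is not accepted there. Newer Azure CLI releases also report the object id under the property name id rather than objectId in az ad output, so --query objectId may need adjusting.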

@adewaleo adewaleo added this to Triage in Interactive End User Experience via automation May 29, 2019

@Arnavion


commented Jun 1, 2019

Doesn't az ad signed-in-user show --query objectId --output tsv do what you want?

@zippy1981

Author

commented Jun 1, 2019

@Arnavion Why yes that will work. I didn't see that.

@zippy1981 zippy1981 closed this Jun 1, 2019

Interactive End User Experience automation moved this from Triage to Done Jun 1, 2019

@zippy1981 zippy1981 reopened this Jun 1, 2019

Interactive End User Experience automation moved this from Done to Scheduled for Work Jun 1, 2019

@zippy1981

Author

commented Jun 1, 2019

Reopening, because, while that does solve my particular issue, the object id or upn of the user seems more important than the display name in the account list/show output.
