Remove secrets in PSAzurerRmAccount from display #16449
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
msJinLei
force-pushed
the
secret
branch
3 times, most recently
from
64b7ec6 to
20bd3e9
Compare
msJinLei
changed the title
src/Accounts/Accounts/ChangeLog.md
Outdated
| --> | ||
|
|
||
| ## Upcoming Release | ||
| * Removed `ServicePrincipalSecret` and `CertificatePassword` in Account of Context from display [#15427] |
Member
There was a problem hiding this comment.
from display or we have removed them from Azure Context psobject? I remember it is latter.
Contributor
Author
There was a problem hiding this comment.
There are 2 classes that relate to Account of Context in Az.Accounts, AzureAccount is for internal use and PSAzureRmAccount is for powershell operation. The PR just removes ServicePrincipalSecret and CertificatePassword from PSAzureRmAccount.
Co-authored-by: Dingmeng Xue <dixue@microsoft.com>
dingmeng-xue
approved these changes
Nov 25, 2021
Member
|
/azp run azure-powershell - windows-powershell |
Contributor
|
Azure Pipelines successfully started running 1 pipeline(s). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The PR is to fix #15427
Service principal secret and service principal certificate are required for service principal user to access Azure resources.
Previously PowerShell can access the plain text values of service principal secret and service principal certificate password using
To improve the security, the PR removes the these 2 attributes from
(Get-AzContext).Accounts, whose type isPSAzurerRmAccount.After the change, the context object retrieved by Get-AzContext no longer has ServicePrincipalSecret and CertificatePassword. The cmdlet Set-AzContext, Rename-AzContext accept context object as the input, which brings the risk that the context without ServicePrincipalSecret and CertificatePassword will be added into context list and even be set as current context and then break the current environment.
To solve the issue, the PR also changes the logic when new context object is added to the context list. Firstly find whether there is an existing object with the same account id, tenant and subscription. If found, merge the attributes in the existing one but absent in the new one to the new one and then add the new one to the context list.
Description
Checklist
CONTRIBUTING.mdChangeLog.mdfile(s) has been updated:ChangeLog.mdfile can be found atsrc/{{SERVICE}}/{{SERVICE}}/ChangeLog.md## Upcoming Releaseheader -- no new version header should be added