Should be able to use azure-cli credentials from the sdk #2284
Comments
@rektide - I completely agree with you. There is no need to implement your own cred store though. We recently shipped something close to that. Using the new Azure CLI you can create a service principal using the CLI and emit the output in a JSON file. You can then use Hope that helps.
My admin hasn't given me the ability to create SPs. :( I could save stuff into env vars & use https://github.com/Azure/azure-sdk-for-node/blob/master/Documentation/Authentication.md#basic-authentication but that seems way sub-optimal, as compared to how brilliantly all the AWS SDKs will leverage existing creds that their CLI tool has set up. I usually have a good handle on the programs I run, but it's also a bit dangerous leaving very important credentials in your env, in case some program you run does something bad with them. I'm glad there's something some folks can use to ease this process, but for a first-time developer I think being able to do
Yes, I am with you on this. I shall definitely drive this point internally within the team.

```javascript
const msRestAzure = require("ms-rest-azure");

// Device-code flow: prints a login URL and a code to the console and resolves
// with the credentials once the browser login completes.
// SomeClient and subscriptionId are placeholders for your own client and subscription.
msRestAzure.interactiveLogin().then((creds) => {
  let client = new SomeClient(creds, subscriptionId);
}).catch((err) => {
  console.log(err);
});
```

This will provide you a code and login URL. Copy and paste the URL and the code in the browser, and upon successful login you will get the credentials object in the chained promise call or callback, based on how you call it. Just trying to help you in case there is some urgency on your side.
Hi,
Bump for more info or a more exhaustive example of the current loginWithAuthFile.
Being able to do something similar to .NET Core would further the developer experience by leaps and bounds:

```csharp
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration.AzureKeyVault;

// Inside ConfigureAppConfiguration: `config` is the configuration built so far,
// `builder` is the IConfigurationBuilder being extended.
var endpoint = config["KeyVaultEndpoint"];
if (!string.IsNullOrEmpty(endpoint))
{
    // AzureServiceTokenProvider picks up the local "az login" session or MSI when hosted.
    var tokenProvider = new AzureServiceTokenProvider();
    var keyVault = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            tokenProvider.KeyVaultTokenCallback));
    builder.AddAzureKeyVault(endpoint, keyVault, new DefaultKeyVaultSecretManager());
}
```
@schaabs - Please take a look at this issue.
Note that the above C# example works both locally when you log in with "az login" (as long as you're in a group authorized with the key vault) as well as with the MSI for a hosted service.
My understanding is that the Python, Go and C# SDKs all support using the credentials of
Hello, Thank you for the feedback. We will make the necessary improvements to provide the same experience as the Python, Go and C# SDKs. Today you can use something from ms-rest-azure that is close enough.

az ad sp create-for-rbac --sdk-auth > ${yourFilename.json}

If you have already created the service principal and are logged in as that service principal, then

az account show --sdk-auth > ${yourFilename.json}

Then use this method msRestAzure.loginWithAuthFileWithAuthResponse():

```javascript
const msRestAzure = require("ms-rest-azure");

const options = {
  // Path to the JSON file written by "az ... --sdk-auth" above.
  filePath: "<file path to auth file>",
};

// Resolves with { credentials, subscriptions } and also sets AZURE_SUBSCRIPTION_ID
// from the auth file.
msRestAzure.loginWithAuthFileWithAuthResponse(options).then((authRes) => {
  console.log(authRes);
  console.log(process.env["AZURE_SUBSCRIPTION_ID"]);
}).catch((err) => {
  console.log(err);
});
```

We know that this is not the same experience that other SDKs provide with an already authenticated user via CLI, but it gets you closer. Important update. We will be deprecating the current You can find more information about deprecation over here. Support for reading credentials from an already authenticated CLI user will also be added for the new JS SDKs and not for the current Node SDKs. I would request all of you to move to the new JS SDKs at the earliest.
Is there somewhere we can track the development progress of this feature?
@jacob-ebey - This work item has been approved. I shall be working on it right away, looking at the way this has been implemented in other SDKs. Have created a GitHub issue in the azure-sdk-for-js repo. If everything goes well, I should have a PR for review in a week.
Thanks @amarzavery, I look forward to the PR
@amarzavery, I'm having trouble authenticating with a key vault using the new API. I believe I am just misunderstanding the usage so I don't want to open a new issue. I currently have the following:

```typescript
import { AzureCliCredentials } from '@azure/ms-rest-nodeauth'
import { KeyVaultClient } from '@azure/keyvault'

async function login() {
  // Token is acquired from the local "az login" session.
  const creds = await AzureCliCredentials.create()
  try {
    const client = new KeyVaultClient(creds)
    const secret = await client.getSecret('<MY_KV_URL>', '<MY_KV_SECRET>', '')
  } catch (e) {
    // e.response.status === 401 at this point (I know I have access with the account as the C# equivalent works)
  }
}
```

Suggestions?
@jacob-ebey - Thanks for reporting this. I have added the capability to change the resource for the desired token. By default the resource (a.k.a. tokenAudience) is the Azure Resource Manager. Please take a look at the sample in this commit Azure/ms-rest-nodeauth@85be925#diff-d6fec9ce87ef4907eb76d6586982a6e6R8. Feel free to try it and let me know your experience.
Thanks @amarzavery, worked like a charm.
Hello, I'm hoping someone can help me, as I am very lost. I found this issue while trying to figure out how to authenticate for using Key Vault and Blob Storage. Previously, I've worked with the .NET library which transparently allows CLI authentication locally, and MSI authentication when deployed. It seems like that's desired behavior per the issue, but I can't seem to find documentation on how to make it all work. When attempting the new library (@azure/keyvault-secrets), it won't attempt to authenticate using the CLI (and it doesn't look like the docs have that supported); the ms-rest-nodeauth library allows CLI authentication, but doesn't seem to work with @azure/keyvault-secrets, and it seems that the old Key Vault library is deprecated. Can someone point me in the right direction?
The old Key Vault library But, we have recently shipped a preview for @jonathandturner, please correct me if I got the above wrong, else, please provide a pointer to a sample or docs that can speak more on this
We have new support in preview as part of the When you use the DefaultAzureCredential in this preview, it will pick up the credential from Azure CLI and log in automatically. You shouldn't need to do anything extra, just run
@jonathandturner with the preview, is it possible to set it up so that it can only use Azure CLI credentials? i.e. if you use DefaultAzureCredentials and have not run az login, configure it so it will fail and not fall back on environment variables?
@aflinchb - not yet, but we're currently looking into extending DefaultAzureCredentials so that it can be configured to do things like that.
@jonathandturner should this work in C# as well? I struggle to get the Azure C# SDK to work with my az cli credentials. I am using Azure.Identity 1.1.1 DefaultAzureCredential but with no luck. Created a question on SO regarding my problem (https://stackoverflow.com/questions/61868749/azure-sdk-use-cli-creds-or-managed-identity)
@Console32 - yes, you should be able to use the Azure SDK for .NET and access the
With the Amazon CLI tools, after one does aws configure, the credentials saved to ~/.aws/config will be sufficient for the AWS SDK to "just work" (in any language's SDK!). The Azure SDK for Node.js seems to require apps to implement their own credential store, according to what docs I've found. Instead of requiring yet another credential store, apps ought to be able to try to use the credentials saved in ~/.azure (/accessTokens.json?).
Getting some kind of parity with the ease of use of the Amazon SDK would greatly expedite the speed at which developers can get online & using the Azure SDK for Node.js. Please consider implementing this usability enhancement. It will help developers in their 0th hour greatly.