Fix ansible can use azure-cli credentials #31871
Conversation
| - For authentication with Azure you can pass parameters, set environment variables or use a profile stored | ||
| in ~/.azure/credentials. Authentication is possible using a service principal or Active Directory user. | ||
| - For authentication with Azure you can pass parameters, set environment variables, use a profile stored | ||
| in ~/.azure/credentials or login your AzureCLI. |
There was a problem hiding this comment.
"login your Azure CLI" -> "login with Azure CLI"
| @@ -82,4 +83,5 @@ class ModuleDocFragment(object): | |||
| a [default] section and the following keys: subscription_id, client_id, secret and tenant or | |||
| subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile | |||
| by passing profile or setting AZURE_PROFILE in the environment." | |||
| - Use 'az login' to login your AzureCLI. | |||
| elif self.credentials.get('credentials') is not None: | ||
| self.azure_credentials = self.credentials.get('credentials') | ||
|
|
||
| if not self.azure_credentials: | ||
| self.fail("Failed to authenticate with provided credentials. Some attributes were missing. " | ||
| "Credentials must include client_id, secret and tenant or ad_user and password or " | ||
| "be logged using AzureCLI.") |
There was a problem hiding this comment.
I think still here we should change to "be logged in using Azure CLI"
ansibot
added
affects_2.5
| @@ -82,4 +83,5 @@ class ModuleDocFragment(object): | |||
| a [default] section and the following keys: subscription_id, client_id, secret and tenant or | |||
| subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile | |||
| by passing profile or setting AZURE_PROFILE in the environment." | |||
| - Use 'az login' to login your Azure CLI. | |||
There was a problem hiding this comment.
and here "your" -> "with"
| - For authentication with Azure you can pass parameters, set environment variables or use a profile stored | ||
| in ~/.azure/credentials. Authentication is possible using a service principal or Active Directory user. | ||
| - For authentication with Azure you can pass parameters, set environment variables, use a profile stored | ||
| in ~/.azure/credentials or login with Azure CLI. |
There was a problem hiding this comment.
C(~/.azure/credentials) will give formatted text
Could you please update the other docs, for example C(AZURE_SUBSCRIPTION_ID), etc?
Thanks in advance
gundalow
added
azure
cloud
and removed
needs_triage
ansibot
added
the
needs_revision
|
@gundalow Thanks for your review. I have format the option value in the document. |
| @@ -67,19 +67,27 @@ class ModuleDocFragment(object): | |||
| C(AzureUSGovernment)), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or | |||
| the C(AZURE_CLOUD_ENVIRONMENT) environment variable. | |||
| default: AzureCloud | |||
| cli_default_profile: | |||
| description: | |||
| - Set to C(true), when login with Azure CLI | |||
There was a problem hiding this comment.
This description doesn't make sense to me.
There was a problem hiding this comment.
How about Whether login with Azure CLI?
There was a problem hiding this comment.
Whether login with Azure CLI sounds better.
What happens if this is false?
Forgive my basic questions, I've not used Azure
There was a problem hiding this comment.
false is the same as NONE, this is a nullable option
| cli_default_profile: | ||
| description: | ||
| - Set to C(true), when login with Azure CLI | ||
| required: false |
There was a problem hiding this comment.
If this is a new option then please add
version_added: "2.5"
There was a problem hiding this comment.
It is a bugfix, the code has this option already, but the document haven't mention this option before.
There was a problem hiding this comment.
ah, OK. Thanks for clarification
|
@yuwzho this PR contains the following merge commits: Please rebase your branch to remove these commits. |
ansibot
added
merge_commit
* Make the ansible use azure-cli credentials * move the setValue out
|
The test |
ansibot
added
the
needs_revision
ansibot
removed
the
needs_revision
|
Hi @haroldwongms @nitzmahone @tstringer , please help take a look at this PR. Thanks very much! |
|
This is not working for me. I hit the error check in lines 245 - 248 when getting credentials. |
|
I missed zapping the UI element for this from 2.4 because it wasn't fully implemented. We definitely want this functionality, but we're talking about a slightly different way to expose it that will be consistent across Ansible cloud modules (probably a new |
|
@nitzmahone You bring up a good point in terms of order of preference. I'm thinking cli should be the highest priority in the chain. |
|
That's not typically the way Ansible does it though- usually we go from closest/most-explicit definition out (some are arguably at the same level, so we choose arbitrarily in those cases and try to be consistent across providers). So module args > env > credential file on disk > CLI would probably be how I'd do it at first blush. For a typical intro cloud-shell user that's using ambient CLI auth, it'll still "just work" because that'd be all they have specified, but that way if someone needs to take more control at a different level (without explicitly specifying the source in the task), they still can. |
|
@haroldwongms I think you are not set the @nitzmahone As for the ansible cloud modules' auth priority, it is another thing we need to think twice and make all the cloud modules consistent. |
|
If I'm understanding @nitzmahone correctly, I'm in agreement with him. Environment variables typically by convention take precedence in Ansible or otherwise. If the end user sets them it should be assumed those are the credentials that you want to use. It's quite intentional. If we were to have CLI profile credentials take precedence then we would run into really bad behaviour if the user explicitly sets env vars for connection and credentials. Best case, that's annoying. Worst case, that's disastrous as they could mutate Azure resources in an unintended subscription. |
|
@tstringer Totally understand. @yuwzho I did set both options and neither option worked for me. |
ansibot
added
stale_ci
ansibot
added
needs_rebase
|
Superseded by #35213 (the new |
ansibot
added
docs
SUMMARY
Ansible can use Azure-CLI's credential to manage azure resources.
ISSUE TYPE
COMPONENT NAME
azure_rm_common
ANSIBLE VERSION
ADDITIONAL INFORMATION
User can login the AzureCLI and select the subscription via the following command. Then if the playbook hasn't specific the credentials, it will use AzureCLI's credential to manage the Azure resources.