Fix ansible can use azure-cli credentials #31871
- For authentication with Azure you can pass parameters, set environment variables or use a profile stored | ||
in ~/.azure/credentials. Authentication is possible using a service principal or Active Directory user. | ||
- For authentication with Azure you can pass parameters, set environment variables, use a profile stored | ||
in ~/.azure/credentials or login your AzureCLI. |
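Review bot: The replacement text drops the sentence "Authentication is possible using a service principal or Active Directory user", which was the only place in this paragraph that named the accepted identity types. Keep that sentence and add the Azure CLI login as a further option rather than replacing it.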
"login your Azure CLI" -> "login with Azure CLI"
@@ -82,4 +83,5 @@ class ModuleDocFragment(object): | |||
a [default] section and the following keys: subscription_id, client_id, secret and tenant or | |||
subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile | |||
by passing profile or setting AZURE_PROFILE in the environment." | |||
- Use 'az login' to login your AzureCLI. |
AzureCLI -> Azure CLI
elif self.credentials.get('credentials') is not None: | ||
self.azure_credentials = self.credentials.get('credentials') | ||
|
||
if not self.azure_credentials: | ||
self.fail("Failed to authenticate with provided credentials. Some attributes were missing. " | ||
"Credentials must include client_id, secret and tenant or ad_user and password or " | ||
"be logged using AzureCLI.") |
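Review bot: The failure message at the end of this hunk lists what is accepted but not which sources were examined and found incomplete. A CLI login is ambient state rather than something set in the task, so name the sources that were checked in the message, and consider reporting which source supplied self.azure_credentials on success. Minor: self.credentials.get('credentials') is evaluated twice in the elif branch; bind it once.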
I think still here we should change to "be logged in using Azure CLI"
@@ -82,4 +83,5 @@ class ModuleDocFragment(object): | |||
a [default] section and the following keys: subscription_id, client_id, secret and tenant or | |||
subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile | |||
by passing profile or setting AZURE_PROFILE in the environment." | |||
- Use 'az login' to login your Azure CLI. |
and here "your" -> "with"
- For authentication with Azure you can pass parameters, set environment variables or use a profile stored | ||
in ~/.azure/credentials. Authentication is possible using a service principal or Active Directory user. | ||
- For authentication with Azure you can pass parameters, set environment variables, use a profile stored | ||
in ~/.azure/credentials or login with Azure CLI. |
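Review bot: The new sentence lists four credential sources (parameters, environment variables, the ~/.azure/credentials profile, Azure CLI login) but not the order in which they are tried. Document the precedence here, since a user who has both environment variables and a CLI session needs to know which subscription a task will act on.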
C(~/.azure/credentials) will give formatted text.
Could you please update the other docs, for example C(AZURE_SUBSCRIPTION_ID), etc?
Thanks in advance
@gundalow Thanks for your review. I have formatted the option value in the document.
@@ -67,19 +67,27 @@ class ModuleDocFragment(object): | |||
C(AzureUSGovernment)), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or | |||
the C(AZURE_CLOUD_ENVIRONMENT) environment variable. | |||
default: AzureCloud | |||
cli_default_profile: | |||
description: | |||
- Set to C(true), when login with Azure CLI |
This description doesn't make sense to me.
How about "Whether login with Azure CLI"?
"Whether login with Azure CLI" sounds better.
What happens if this is false?
Forgive my basic questions, I've not used Azure
false is the same as NONE, this is a nullable option
Has updated
cli_default_profile: | ||
description: | ||
- Set to C(true), when login with Azure CLI | ||
required: false |
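Review bot: The visible cli_default_profile entry has a description and required: false but no type or default, and "Set to C(true), when login with Azure CLI" does not say what the module does once it is set. Add the type and default, and describe the behaviour, for example that the module authenticates with the credentials of the current Azure CLI login.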
If this is a new option then please add
version_added: "2.5"
It is a bugfix, the code has this option already, but the document hasn't mentioned this option before.
ah, OK. Thanks for clarification
@yuwzho this PR contains the following merge commits: Please rebase your branch to remove these commits.
* Make the ansible use azure-cli credentials * move the setValue out
The test
Hi @haroldwongms @nitzmahone @tstringer , please help take a look at this PR. Thanks very much!
This is not working for me. I hit the error check in lines 245 - 248 when getting credentials.
I missed zapping the UI element for this from 2.4 because it wasn't fully implemented. We definitely want this functionality, but we're talking about a slightly different way to expose it that will be consistent across Ansible cloud modules (probably a new
@nitzmahone You bring up a good point in terms of order of preference. I'm thinking cli should be the highest priority in the chain.
That's not typically the way Ansible does it though- usually we go from closest/most-explicit definition out (some are arguably at the same level, so we choose arbitrarily in those cases and try to be consistent across providers). So module args > env > credential file on disk > CLI would probably be how I'd do it at first blush. For a typical intro cloud-shell user that's using ambient CLI auth, it'll still "just work" because that'd be all they have specified, but that way if someone needs to take more control at a different level (without explicitly specifying the source in the task), they still can.
@haroldwongms I think you are not set the @nitzmahone As for the ansible cloud modules' auth priority, it is another thing we need to think twice and make all the cloud modules consistent.
If I'm understanding @nitzmahone correctly, I'm in agreement with him. Environment variables typically by convention take precedence in Ansible or otherwise. If the end user sets them it should be assumed those are the credentials that you want to use. It's quite intentional. If we were to have CLI profile credentials take precedence then we would run into really bad behaviour if the user explicitly sets env vars for connection and credentials. Best case, that's annoying. Worst case, that's disastrous as they could mutate Azure resources in an unintended subscription.
@tstringer Totally understand. @yuwzho I did set both options and neither option worked for me.
Superseded by #35213 (the new
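The precedence proposed in the discussion above (module args > env > credential file on disk > CLI), as an added example that is not Ansible's code and not part of this PR. The function names are hypothetical, the CLI session is a stand-in dict carrying only the selected subscription, and the resolver also reports sources that were set only partially, so a fall-through to ambient CLI auth is visible.

```python
import configparser

# Key sets named on the page: service principal, or Active Directory user.
SP_KEYS = ("subscription_id", "client_id", "secret", "tenant")
AD_KEYS = ("subscription_id", "ad_user", "password")
# Assumption: the ambient CLI login is modelled by its selected subscription only.
CLI_KEYS = ("subscription_id",)
ENV_NAMES = {
    "subscription_id": "AZURE_SUBSCRIPTION_ID", "client_id": "AZURE_CLIENT_ID",
    "secret": "AZURE_SECRET", "tenant": "AZURE_TENANT",
    "ad_user": "AZURE_AD_USER", "password": "AZURE_PASSWORD",
}


def _complete(candidate, key_sets):
    """Return the first fully populated key set from candidate, else None."""
    for keys in key_sets:
        if all(candidate.get(k) for k in keys):
            return {k: candidate[k] for k in keys}
    return None


def _read_profile(credential_file_text, profile):
    """Parse INI text in the ~/.azure/credentials layout and return one profile."""
    parser = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    parser.read_string(credential_file_text or "")
    return dict(parser[profile]) if parser.has_section(profile) else {}


def resolve_credentials(module_args, env, credential_file_text, cli_session):
    """Pick credentials closest-definition-first; return (source, creds, partial)."""
    profile = module_args.get("profile") or env.get("AZURE_PROFILE") or "default"
    explicit = (SP_KEYS, AD_KEYS)
    chain = [
        ("module_args", module_args, explicit),
        ("environment", {k: env.get(v) for k, v in ENV_NAMES.items()}, explicit),
        ("credential_file", _read_profile(credential_file_text, profile), explicit),
        ("cli", cli_session or {}, (CLI_KEYS,)),
    ]
    partial = []  # sources that set some keys but not a usable set
    for source, candidate, key_sets in chain:
        creds = _complete(candidate, key_sets)
        if creds:
            return source, creds, partial
        if any(candidate.get(k) for k in SP_KEYS + AD_KEYS):
            partial.append(source)
    raise ValueError("no complete credential set; partially set: %s" % partial)
```

A non-empty `partial` list alongside a `cli` result is the case worth surfacing to the user: something was set explicitly, yet the task will run against whatever subscription the CLI session has selected.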
SUMMARY
Ansible can use Azure-CLI's credential to manage azure resources.
ISSUE TYPE
COMPONENT NAME
azure_rm_common
ANSIBLE VERSION
ADDITIONAL INFORMATION
User can login the AzureCLI and select the subscription via the following command. Then if the playbook hasn't specified the credentials, it will use AzureCLI's credential to manage the Azure resources.