This repository has been archived by the owner on Sep 29, 2020. It is now read-only.

Support for Azure account with multiple tenants #8

Closed
josephpage opened this issue Jun 26, 2020 · 5 comments
Labels
enhancement New feature or request


@josephpage

Context

My Azure account has 2 tenants:

  • the corporate and main one, used only for AD, with no subscription
  • my team's tenant, with multiple subscriptions

$ docker version
Client: Docker Engine - Community
 Azure integration  0.1.4
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:41:33 2020
 OS/Arch:           darwin/amd64
 Experimental:      true

Issue

The docker context create aci command seems to use only the first one, and I have not found an option to change it:

$ docker context create aci azure
no subscriptions found

Proposition

When using az account list, there is a homeTenantId property; this is what I want to be able to configure:

$ docker login azure --tenant-id <tenant-id>
# or
$ docker context create aci azure --tenant-id <tenant-id>

Alternative proposition

The docker client should iterate over all of the account's tenants when searching for subscriptions, as the az client does.

@karolz-ms

If subscription is passed using --subscription-id parameter, will the AAD tenant associated with this subscription be automatically picked up?

@amd989

amd989 commented Jul 22, 2020

@karolz-ms I tried passing the --subscription-id parameter and got this (formatted for clarity):

PS C:\> docker context create aci test --subscription-id xxxxxx-xxxxxx-xxxxxxx-xxxxxx
resources.GroupsClient#List: Failure responding to request: 
StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 
Code="InvalidAuthenticationTokenTenant" 
Message="The access token is from the wrong issuer 'https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx/'. It must match one of the tenants 'https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx1/,https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx2/' associated with this subscription. 
Please use any authority (URL) from 'https://login.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx1,https://login.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx2' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
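
Added example, not part of the original thread and not code from the Docker ACI integration: a small Go parser for the InvalidAuthenticationTokenTenant message shown above, which pulls out the tenant that issued the rejected token and the tenants the subscription accepts, i.e. the candidates for the --tenant-id flag mentioned in this thread. The names TenantMismatch and ParseTenantMismatch are hypothetical, and the tenant IDs in the sample are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TenantMismatch holds the tenant IDs named in an
// InvalidAuthenticationTokenTenant error (hypothetical helper type).
type TenantMismatch struct {
	TokenTenant string   // tenant that issued the rejected token
	Accepted    []string // tenants associated with the subscription
}

var issuerRe = regexp.MustCompile(`wrong issuer 'https://sts\.windows\.net/([^/']+)/?'`)
var listRe = regexp.MustCompile(`one of the tenants '([^']+)'`)

// ParseTenantMismatch extracts both sides of the mismatch from the error
// text. ok is false when the text is not this error or is incomplete.
func ParseTenantMismatch(msg string) (m TenantMismatch, ok bool) {
	if !strings.Contains(msg, "InvalidAuthenticationTokenTenant") {
		return m, false
	}
	iss := issuerRe.FindStringSubmatch(msg)
	list := listRe.FindStringSubmatch(msg)
	if iss == nil || list == nil {
		return m, false
	}
	m.TokenTenant = iss[1]
	for _, u := range strings.Split(list[1], ",") {
		u = strings.TrimPrefix(strings.TrimSpace(u), "https://sts.windows.net/")
		if id := strings.Trim(u, "/"); id != "" {
			m.Accepted = append(m.Accepted, id)
		}
	}
	return m, len(m.Accepted) > 0
}

// Constructed sample: same shape as the error above, with made-up tenant IDs.
const sampleErr = `StatusCode=401 Code="InvalidAuthenticationTokenTenant" Message="The access token is from the wrong issuer 'https://sts.windows.net/00000000-0000-0000-0000-00000000000a/'. It must match one of the tenants 'https://sts.windows.net/00000000-0000-0000-0000-00000000000b/,https://sts.windows.net/00000000-0000-0000-0000-00000000000c/' associated with this subscription."`

func main() {
	if m, ok := ParseTenantMismatch(sampleErr); ok {
		fmt.Printf("token was issued by tenant %s\n", m.TokenTenant)
		for _, t := range m.Accepted {
			fmt.Printf("candidate: docker login azure --tenant-id %s\n", t)
		}
	}
}
```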

@karolz-ms

@amd989 are you able to work around this problem by using --tenant-id flag for docker login azure? This flag is supported in Edge 2.3.3.2 build 46784 or later.

@gtardif
Collaborator

gtardif commented Sep 15, 2020

I'll close this one as you should be able to specify docker login azure --tenant-id xxx. Please reopen if this still does not work.

@gtardif gtardif closed this as completed Sep 15, 2020
@josephpage
Author

It works. Thanks!
