Add AzureCliCredential support in Azure orchestrator (#3822)

Author: Copilot

docs/run_test/azure_auth.rst

@@ -23,6 +23,7 @@ Available Authentication Methods
 4. `Workload Identity Authentication <#workload-identity-authentication>`__
 5. `Token Authentication <#token-authentication>`__
 6. `Client Secret Authentication <#client-secret-authentication>`__
+7. `Azure CLI Authentication <#azure-cli-authentication>`__
 
 Default Credentials
 -------------------
@@ -146,6 +147,26 @@ Example:
            tenant_id: <tenant id> # Required
            client_secret: <client secret> # Required
 
+Azure CLI Authentication
+-----------------------
+This authentication uses the Azure CLI for authentication, which requires previously logging in to Azure via "az login". It will use the CLI's currently logged in identity.
+
+Example:
+
+.. code:: yaml
+
+   platform:
+     - type: azure
+       azure:
+         credential:
+           type: azcli
+           tenant_id: <tenant id> # Optional
+           allow_all_tenants: false | true  # Optional. Default is `false`.
+
+* **type**: `azcli` indicates Azure CLI authentication.
+* **tenant_id**: (Optional) Needed to specify a specific tenant for authentication.
+* **allow_all_tenants**: (Optional) Specifies whether to allow cross-tenant authorization. Default is `false`.
+
 Schema Description
 --------------------
 
@@ -158,5 +179,6 @@ The configuration follows this schema:
   -  **secret**: Uses client secret authentication. Requires `client_secret`.
   -  **workloadidentity**: Uses workload identity authentication.
   -  **token**: Uses token-based authentication. Requires a valid `token`.
+  -  **azcli**: Uses Azure CLI authentication. Requires previously logging in via "az login" and uses the CLI's currently logged in identity.
 
 **Schema Inheritance:** The `default` authentication method defines a base schema that all other authentication types inherit from. Fields such as `allow_all_tenants` are applicable to all authentication methods.

lisa/sut_orchestrator/azure/credential.py

@@ -4,6 +4,7 @@
 from typing import Any, Type, cast
 
 from azure.identity import (
+    AzureCliCredential,
     CertificateCredential,
     ClientAssertionCredential,
     ClientSecretCredential,
@@ -28,6 +29,7 @@ class AzureCredentialType(str, Enum):
     ClientSecretCredential = "secret"
     WorkloadIdentityCredential = "workloadidentity"
     TokenCredential = "token"
+    AzCliCredential = "azcli"
 
 
 @dataclass_json()
@@ -387,3 +389,41 @@ def __init__(
 
     def get_credential(self) -> Any:
         return get_static_access_token(self._token)
+
+
+class AzureCliCredentialImpl(AzureCredential):
+    """
+    Class to create AzureCliCredential based on runbook Schema. Uses Azure CLI
+    for authentication which requires logging in to Azure via "az login" first.
+    """
+
+    @classmethod
+    def type_name(cls) -> str:
+        return AzureCredentialType.AzCliCredential
+
+    @classmethod
+    def type_schema(cls) -> Type[schema.TypedSchema]:
+        return AzureCredentialSchema
+
+    def __init__(
+        self,
+        runbook: AzureCredentialSchema,
+        logger: Logger,
+        cloud: Cloud = AZURE_PUBLIC_CLOUD,
+    ) -> None:
+        super().__init__(runbook, logger=logger, cloud=cloud)
+
+    def get_credential(self) -> Any:
+        """
+        return AzureCliCredential for authentication
+        """
+        self._log.info("Authenticating using AzureCliCredential")
+
+        # Determine additionally_allowed_tenants based on allow_all_tenants setting
+        additionally_allowed_tenants = ["*"] if self._allow_all_tenants else None
+
+        # Create AzureCliCredential with proper parameter types
+        return AzureCliCredential(
+            tenant_id=self._tenant_id,
+            additionally_allowed_tenants=additionally_allowed_tenants,
+        )