MicrosoftDocs/azure-docs-cli

Azure CLI login with service principal default subscription set across different sessions.

Closed this issue · 3 comments

Prerequisites

  • Write a descriptive title.
  • Search the existing issues.
  • I am reporting the documentation problem for the current version of Azure CLI.

Azure CLI version being used

2.39.0

Link to affected document

https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli#sign-in-with-a-service-principal

Description of the documentation error

We use a Service Principal for automation. In one of the sessions, we have set the subscription to work on, which is set as the default subscription. In one instance, we ran an automation script which ran against the default subscription. We would like to avoid such defaults.
For example, the automation script manipulates Azure AD objects, where we don't need to set a default subscription. We may accidentally run a CLI command which acts on the default subscription. It happened to us once, so we are wondering if there is a way to unset this default and make it so it has to be set explicitly every time we need to work with a subscription.

Suggested fix

No response

@jeevanions

Thanks for your feedback! We will investigate and update as appropriate.

@jeevanions, Your use case scenario makes a lot of sense. However, the Azure CLI requires a default subscription just like the Azure portal requires you to pick a subscription before you can manage a resource. To switch subscriptions, you have to use az account set.

In response to your comments, I have sent a suggestion over to the Azure CLI engineering team for an az account set empty, but that would be a significant change to the product. If you have a script that is run between multiple environments, I suggest setting up a config file, setting a variable at the top of each script for the subscription ID, and explicitly setting the subscription.
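The per-script approach suggested above, as an added example that is not part of this issue thread or of the Azure CLI docs: the script signs in to its own CLI profile directory (AZURE_CONFIG_DIR) so a default chosen in another session cannot leak in, sets the subscription explicitly when one is needed, and refuses to run if the active account is not the expected one. APP_ID, CLIENT_SECRET, TENANT_ID and SUBSCRIPTION_ID are placeholder variables the caller supplies.

```shell
#!/bin/sh
# Added example, not from the issue thread. Runs an automation step against an
# isolated Azure CLI profile and fails closed if the active subscription is not
# the one the script expects. APP_ID, CLIENT_SECRET, TENANT_ID and
# SUBSCRIPTION_ID are placeholders supplied through the environment.

# Pure guard: compare the subscription id the CLI reports with the expected one.
# Returns 0 on match, 1 if there is no active subscription or it differs.
assert_subscription() {
  expected="$1"
  actual="$2"
  if [ -z "$actual" ]; then
    echo "no active subscription in this session; refusing to run" >&2
    return 1
  fi
  if [ "$expected" != "$actual" ]; then
    echo "active subscription $actual is not the expected $expected" >&2
    return 1
  fi
  return 0
}

run_automation() {
  # Per-script profile directory: login state and the default account live here
  # instead of ~/.azure, so nothing from other sessions is inherited or left behind.
  AZURE_CONFIG_DIR="$(mktemp -d)"
  export AZURE_CONFIG_DIR
  trap 'rm -rf "$AZURE_CONFIG_DIR"' EXIT

  : "${APP_ID:?}" "${CLIENT_SECRET:?}" "${TENANT_ID:?}"
  # --allow-no-subscriptions lets a principal that only manages Azure AD objects
  # sign in with no subscription at all, so there is no default for a stray
  # resource command to act on.
  az login --service-principal -u "$APP_ID" -p "$CLIENT_SECRET" \
    --tenant "$TENANT_ID" --allow-no-subscriptions >/dev/null

  if [ -n "${SUBSCRIPTION_ID:-}" ]; then
    # Subscription work: set it explicitly, verify it, and still pass
    # --subscription on each command so the intended scope is visible in the script.
    az account set --subscription "$SUBSCRIPTION_ID"
    assert_subscription "$SUBSCRIPTION_ID" "$(az account show --query id -o tsv)" || return 1
    az group list --subscription "$SUBSCRIPTION_ID" -o table
  else
    # Directory-only work: no subscription was set, so none can be hit by mistake.
    az ad sp show --id "$APP_ID" --query displayName -o tsv
  fi
}

if [ "${RUN_AUTOMATION:-0}" = 1 ]; then run_automation; fi
```

Set RUN_AUTOMATION=1 together with the placeholder variables to execute the login and the automation step; sourcing the file without it only defines the functions.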

jiasli commented

A default account doesn't only mean a subscription. It is more like a combination of subscription, tenant and user identity. That's why we call it an account, instead of a subscription.

For example, when you run az account show:

> az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "id": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
  "isDefault": true,
  "managedByTenants": [
    {
      "tenantId": "2f4a9838-26b7-47ee-be60-ccc1fdec5953"
    }
  ],
  "name": "AzureSDKTest",
  "state": "Enabled",
  "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "user": {
    "name": "xxx@microsoft.com",
    "type": "user"
  }
}

Azure CLI relies on this information to decide which subscription, tenant and user identity to use. Without a default account, Azure CLI won't even know which tenant or user to use for authentication. In other words, to support no-default-account, we should also add --tenant and --user to each command in addition to --subscription.