inlets/inletsctl

Azure CLI --sdk-auth is getting deprecated

d0pare opened this issue · 4 comments

The Azure example in this documentation uses the --sdk-auth flag to generate credentials, but the Microsoft documentation shows that it is deprecated.

Currently, azure cloud provision uses NewEnvironmentCredential that crafts credentials from environment variables previously set from the JSON access token file. A possible alternative is to use ClientSecretCredential and initialize it from the new JSON file that is returned if --sdk-auth is not specified.

New JSON file sample:

{
  "appId": "", // same as client id
  "displayName": "",
  "password": "", // same as client secret
  "tenant": ""
}

So what do you suggest using instead of passing --sdk-auth to obtain the initial token?

I.e., what replaces this?

SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" --sdk-auth \
  > $HOME/Downloads/client_credentials.json

And is this just a docs change or does code need to change also? I suspect the former?

cc @zechenbit

There is no alternative to --sdk-auth. The only difference between these flags is the JSON output of the executed command.

JSON with flag

{
  "clientId": "",
  "clientSecret": "",
  "subscriptionId": "",
  "tenantId": "",
  "activeDirectoryEndpointUrl": "",
  "resourceManagerEndpointUrl": "",
  "activeDirectoryGraphResourceId": "",
  "sqlManagementEndpointUrl": "",
  "galleryEndpointUrl": "",
  "managementEndpointUrl": ""
}

JSON without flag

{
  "appId": "",
  "displayName": "",
  "password": "",
  "tenant": ""
}

So the --sdk-auth flag should be removed from the command, and the inlets controller should be changed to handle the new JSON.

SUBSCRIPTION_ID="YOUR_SUBSCRIPTION_ID"
az ad sp create-for-rbac --role Contributor --scopes "/subscriptions/$SUBSCRIPTION_ID" \
  > $HOME/Downloads/client_credentials.json

/add label: helpwanted

Thanks @d0pare for raising this and putting useful information together. I found some related discussions in the Azure CLI repository:

Per their discussion (Azure/azure-cli#21693 (comment)), the --sdk-auth flag won't be removed in the near future. Many tools still rely on it, such as https://github.com/marketplace/actions/azure-login.

If it is just the naming, then maybe we can just change our fileToEnvMap: https://github.com/inlets/cloud-provision/blob/master/provision/azure.go#L35

The NewEnvironmentCredential will eventually call NewClientSecretCredential https://github.com/Azure/azure-sdk-for-go/blob/sdk/azidentity/v1.5.1/sdk/azidentity/environment_credential.go#L80
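The change proposed in the two comments above (drop --sdk-auth and teach the controller the new JSON, or rename the fileToEnvMap entries) comes down to accepting both JSON shapes and producing the same three environment variables that NewEnvironmentCredential reads. The loader below is an added example, not code from inlets/cloud-provision; it assumes the standard azidentity variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID, and a hypothetical AZURE_SUBSCRIPTION_ID. The practical caveat it handles: the new format has no subscriptionId, so the caller has to supply one separately.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// spCredentials decodes either the --sdk-auth output (clientId/clientSecret/
// tenantId/subscriptionId) or the plain output (appId/password/tenant).
// Whichever set is absent simply stays empty.
type spCredentials struct {
	ClientID       string `json:"clientId"`
	ClientSecret   string `json:"clientSecret"`
	TenantID       string `json:"tenantId"`
	SubscriptionID string `json:"subscriptionId"`
	AppID          string `json:"appId"`
	Password       string `json:"password"`
	Tenant         string `json:"tenant"`
}

// FileToEnv maps a client_credentials.json of either shape to the variables
// NewEnvironmentCredential reads. The plain format carries no subscription id,
// so fallbackSubscription (e.g. a CLI flag) is used when the file lacks one.
// AZURE_SUBSCRIPTION_ID is an assumed name, not one azidentity defines.
func FileToEnv(raw []byte, fallbackSubscription string) (map[string]string, error) {
	var c spCredentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse credentials file: %w", err)
	}
	env := map[string]string{
		"AZURE_CLIENT_ID":       firstNonEmpty(c.ClientID, c.AppID),
		"AZURE_CLIENT_SECRET":   firstNonEmpty(c.ClientSecret, c.Password),
		"AZURE_TENANT_ID":       firstNonEmpty(c.TenantID, c.Tenant),
		"AZURE_SUBSCRIPTION_ID": firstNonEmpty(c.SubscriptionID, fallbackSubscription),
	}
	// Fail closed: a missing value must not silently produce an empty credential.
	for k, v := range env {
		if v == "" {
			return nil, errors.New("credentials file is missing a value for " + k)
		}
	}
	return env, nil
}

func firstNonEmpty(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}
```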