
Commit 6ea66d1

authored
[Core] Use MSAL for managed identity authentication (#25959)
1 parent 4108043 commit 6ea66d1


2 files changed

+23
-27
lines changed


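--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -220,13 +220,9 @@ def login(self,
 self._set_subscriptions(consolidated)
 return deepcopy(consolidated)
 
-def login_with_managed_identity(self, client_id=None, object_id=None, resource_id=None,
-allow_no_subscriptions=None):
-if _use_msal_managed_identity(self.cli_ctx):
-return self.login_with_managed_identity_msal(
-client_id=client_id, object_id=object_id, resource_id=resource_id,
-allow_no_subscriptions=allow_no_subscriptions)
-
+def login_with_managed_identity_msrestazure(self, client_id=None, object_id=None, resource_id=None,
+allow_no_subscriptions=None):
+# Old way of using msrestazure for managed identity
 import jwt
 from azure.cli.core.auth.adal_authentication import MSIAuthenticationWrapper
 resource = self.cli_ctx.cloud.endpoints.active_directory_resource_id
@@ -274,8 +270,13 @@ def login_with_managed_identity(self, client_id=None, object_id=None, resource_i
 self._set_subscriptions(consolidated)
 return deepcopy(consolidated)
 
-def login_with_managed_identity_msal(self, client_id=None, object_id=None, resource_id=None,
-allow_no_subscriptions=None):
+def login_with_managed_identity(self, client_id=None, object_id=None, resource_id=None,
+allow_no_subscriptions=None):
+if not _use_msal_managed_identity(self.cli_ctx):
+return self.login_with_managed_identity_msrestazure(
+client_id=client_id, object_id=object_id, resource_id=resource_id,
+allow_no_subscriptions=allow_no_subscriptions)
+
 import jwt
 from .auth.constants import ACCESS_TOKEN
 
@@ -986,10 +987,8 @@ def _create_identity_instance(cli_ctx, authority, tenant_id=None, client_id=None
 
 
 def _use_msal_managed_identity(cli_ctx):
-# This indicates an Azure Arc-enabled server
-from msal.managed_identity import get_managed_identity_source, AZURE_ARC
 from azure.cli.core.telemetry import set_use_msal_managed_identity
-# PREVIEW: Use core.use_msal_managed_identity=true to enable managed identity authentication with MSAL
-use_msal_managed_identity = cli_ctx.config.getboolean('core', 'use_msal_managed_identity', fallback=False)
+# Use core.use_msal_managed_identity=false to use the old msrestazure implementation
+use_msal_managed_identity = cli_ctx.config.getboolean('core', 'use_msal_managed_identity', fallback=True)
 set_use_msal_managed_identity(use_msal_managed_identity)
-return use_msal_managed_identity or get_managed_identity_source() == AZURE_ARC
+return use_msal_managed_identity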
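Review bot: The opt-out branch in `login_with_managed_identity` drops to the legacy msrestazure path silently, and `_use_msal_managed_identity` no longer forces MSAL on Azure Arc-enabled servers. With `core.use_msal_managed_identity=false`, an Arc host now takes the path that the removed `get_managed_identity_source() == AZURE_ARC` check used to bypass; presumably that check existed because msrestazure cannot serve Arc, so confirm this and fail with a clear message rather than an opaque token error. I would also make the downgrade visible to the operator in the fallback branch, e.g. `logger.warning("core.use_msal_managed_identity=false: using the legacy msrestazure managed identity implementation")`, assuming this file has a module-level `logger` (not visible in the hunks). The telemetry call records the choice but does not tell the person running `az login` which authentication library issued the token. The bodies of both login functions continue outside the hunks shown.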

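--- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py
+++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
@@ -536,6 +536,7 @@ def test_login_in_cloud_shell(self, cloud_shell_credential_mock, create_subscrip
 
 @mock.patch('requests.get', autospec=True)
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_login_with_mi_system_assigned(self, create_subscription_client_mock, mock_get):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -569,6 +570,7 @@ def test_login_with_mi_system_assigned(self, create_subscription_client_mock, mo
 
 @mock.patch('requests.get', autospec=True)
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_login_with_mi_no_subscriptions(self, create_subscription_client_mock, mock_get):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = []
@@ -604,6 +606,7 @@ def test_login_with_mi_no_subscriptions(self, create_subscription_client_mock, m
 
 @mock.patch('requests.get', autospec=True)
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_login_with_mi_user_assigned_client_id(self, create_subscription_client_mock, mock_get):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -638,6 +641,7 @@ def test_login_with_mi_user_assigned_client_id(self, create_subscription_client_
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', autospec=True)
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_login_with_mi_user_assigned_object_id(self, create_subscription_client_mock,
 mock_msi_auth):
 mock_subscription_client = mock.MagicMock()
@@ -678,6 +682,7 @@ def set_token(self):
 
 @mock.patch('requests.get', autospec=True)
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_login_with_mi_user_assigned_resource_id(self, create_subscription_client_mock,
 mock_get):
 
@@ -711,7 +716,6 @@ def test_login_with_mi_user_assigned_resource_id(self, create_subscription_clien
 
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_login_with_mi_system_assigned_msal(self, create_subscription_client_mock):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -739,7 +743,6 @@ def test_login_with_mi_system_assigned_msal(self, create_subscription_client_moc
 
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_login_with_mi_system_assigned_no_subscriptions_msal(self, create_subscription_client_mock):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = []
@@ -769,7 +772,6 @@ def test_login_with_mi_system_assigned_no_subscriptions_msal(self, create_subscr
 
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_login_with_mi_user_assigned_client_id_msal(self, create_subscription_client_mock):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -798,7 +800,6 @@ def test_login_with_mi_user_assigned_client_id_msal(self, create_subscription_cl
 
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_login_with_mi_user_assigned_object_id_msal(self, create_subscription_client_mock):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -822,7 +823,6 @@ def test_login_with_mi_user_assigned_object_id_msal(self, create_subscription_cl
 
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_login_with_mi_user_assigned_resource_id_msal(self, create_subscription_client_mock):
 mock_subscription_client = mock.MagicMock()
 mock_subscription_client.subscriptions.list.return_value = [deepcopy(self.subscription1_raw)]
@@ -1158,6 +1158,7 @@ def test_get_login_credentials_aux_tenants(self, get_user_credential_mock):
 aux_tenants=[test_tenant_id2])
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', MSRestAzureAuthStub)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_get_login_credentials_mi_system_assigned(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties('systemAssignedIdentity',
@@ -1177,6 +1178,7 @@ def test_get_login_credentials_mi_system_assigned(self):
 self.assertTrue(cred.token_read_count)
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', MSRestAzureAuthStub)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_get_login_credentials_mi_user_assigned_with_client_id(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 test_client_id = '12345678-38d6-4fb2-bad9-b7b93a3e8888'
@@ -1198,6 +1200,7 @@ def test_get_login_credentials_mi_user_assigned_with_client_id(self):
 self.assertTrue(cred.client_id, test_client_id)
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', MSRestAzureAuthStub)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_get_login_credentials_mi_user_assigned_with_object_id(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 test_object_id = '12345678-38d6-4fb2-bad9-b7b93a3e9999'
@@ -1219,6 +1222,7 @@ def test_get_login_credentials_mi_user_assigned_with_object_id(self):
 self.assertTrue(cred.object_id, test_object_id)
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', MSRestAzureAuthStub)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_get_login_credentials_mi_user_assigned_with_res_id(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 test_res_id = ('/subscriptions/{}/resourceGroups/r1/providers/Microsoft.ManagedIdentity/'
@@ -1241,7 +1245,6 @@ def test_get_login_credentials_mi_user_assigned_with_res_id(self):
 self.assertTrue(cred.msi_res_id, test_res_id)
 
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_login_credentials_mi_system_assigned_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties('systemAssignedIdentity',
@@ -1258,7 +1261,6 @@ def test_get_login_credentials_mi_system_assigned_msal(self):
 assert cred._credential.resource_id is None
 
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_login_credentials_mi_user_assigned_client_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(
@@ -1277,7 +1279,6 @@ def test_get_login_credentials_mi_user_assigned_client_id_msal(self):
 assert cred._credential.resource_id is None
 
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_login_credentials_mi_user_assigned_object_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(
@@ -1296,7 +1297,6 @@ def test_get_login_credentials_mi_user_assigned_object_id_msal(self):
 assert cred._credential.resource_id is None
 
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_login_credentials_mi_user_assigned_resource_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(
@@ -1403,6 +1403,7 @@ def test_get_raw_token_for_sp(self, get_service_principal_credential_mock):
 self.assertEqual(tenant, self.tenant_id)
 
 @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', autospec=True)
+@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'false'})
 def test_get_raw_token_mi_system_assigned(self, mock_msi_auth):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties('systemAssignedIdentity',
@@ -1442,7 +1443,6 @@ def mi_auth_factory(*args, **kwargs):
 
 @mock.patch('azure.cli.core.auth.util._now_timestamp', new=_now_timestamp_mock)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_raw_token_mi_system_assigned_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties('systemAssignedIdentity',
@@ -1477,7 +1477,6 @@ def test_get_raw_token_mi_system_assigned_msal(self):
 
 @mock.patch('azure.cli.core.auth.util._now_timestamp', new=_now_timestamp_mock)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_raw_token_mi_user_assigned_client_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(
@@ -1509,7 +1508,6 @@ def test_get_raw_token_mi_user_assigned_client_id_msal(self):
 
 @mock.patch('azure.cli.core.auth.util._now_timestamp', new=_now_timestamp_mock)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_raw_token_mi_user_assigned_object_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(
@@ -1541,7 +1539,6 @@ def test_get_raw_token_mi_user_assigned_object_id_msal(self):
 
 @mock.patch('azure.cli.core.auth.util._now_timestamp', new=_now_timestamp_mock)
 @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
-@mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
 def test_get_raw_token_mi_user_assigned_resource_id_msal(self):
 profile = Profile(cli_ctx=DummyCli(), storage={'subscriptions': None})
 consolidated = profile._normalize_properties(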
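Review bot: Dropping the `'true'` pin from every `*_msal` test leaves those tests dependent on the ambient environment, because only the msrestazure tests still patch `os.environ`. If a developer or CI shell exports `AZURE_CORE_USE_MSAL_MANAGED_IDENTITY=false`, the MSAL tests would be routed through the legacy path while `ManagedIdentityCredentialStub` is the thing being mocked, unless `DummyCli` isolates the environment (not visible here). Nothing in this section asserts the new default directly either, so a later flip of `fallback=True` in `_use_msal_managed_identity` would only show up as indirect failures. I would add one small test that removes the variable from `os.environ` and asserts `_use_msal_managed_identity(DummyCli())` returns true, which pins which authentication backend is used when nothing is configured. The test bodies continue outside the hunks shown.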
