managed-identity-id

Author: jiasli

src/azure-cli-core/azure/cli/core/_profile.py

@@ -60,6 +60,11 @@
 
 _AZ_LOGIN_MESSAGE = "Please run 'az login' to setup account."
 
+MANAGED_IDENTITY_ID_WARNING = (
+    "Passing the managed identity ID with --username is deprecated and will be removed in a future release. "
+    "Please use --client-id, --object-id or --resource-id instead."
+)
+
 
 def load_subscriptions(cli_ctx, all_clouds=False, refresh=False):
     profile = Profile(cli_ctx=cli_ctx)
@@ -219,7 +224,8 @@ def login(self,
         self._set_subscriptions(consolidated)
         return deepcopy(consolidated)
 
-    def login_with_managed_identity(self, identity_id=None, allow_no_subscriptions=None):
+    def login_with_managed_identity(self, identity_id=None, client_id=None, object_id=None, resource_id=None,
+                                    allow_no_subscriptions=None):
         if _on_azure_arc():
             return self.login_with_managed_identity_azure_arc(
                 identity_id=identity_id, allow_no_subscriptions=allow_no_subscriptions)
@@ -229,7 +235,24 @@ def login_with_managed_identity(self, identity_id=None, allow_no_subscriptions=N
         from azure.cli.core.auth.adal_authentication import MSIAuthenticationWrapper
         resource = self.cli_ctx.cloud.endpoints.active_directory_resource_id
 
-        if identity_id:
+        if not any((identity_id, client_id, object_id, resource_id)):
+            identity_type = MsiAccountTypes.system_assigned
+            msi_creds = MSIAuthenticationWrapper(resource=resource)
+        elif client_id:
+            identity_type = MsiAccountTypes.user_assigned_client_id
+            identity_id = client_id
+            msi_creds = MSIAuthenticationWrapper(resource=resource, client_id=client_id)
+        elif object_id:
+            identity_type = MsiAccountTypes.user_assigned_object_id
+            identity_id = object_id
+            msi_creds = MSIAuthenticationWrapper(resource=resource, object_id=object_id)
+        elif resource_id:
+            identity_type = MsiAccountTypes.user_assigned_resource_id
+            identity_id = resource_id
+            msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=resource_id)
+        # The old way of re-using the same --username for 3 types of ID
+        elif identity_id:
+            logger.warning(MANAGED_IDENTITY_ID_WARNING)
             if is_valid_resource_id(identity_id):
                 msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=identity_id)
                 identity_type = MsiAccountTypes.user_assigned_resource_id
@@ -260,10 +283,6 @@ def login_with_managed_identity(self, identity_id=None, allow_no_subscriptions=N
                 if not authenticated:
                     raise CLIError('Failed to connect to MSI, check your managed service identity id.')
 
-        else:
-            identity_type = MsiAccountTypes.system_assigned
-            msi_creds = MSIAuthenticationWrapper(resource=resource)
-
         token_entry = msi_creds.token
         token = token_entry['access_token']
         logger.info('MSI: token was retrieved. Now trying to initialize local accounts...')

src/azure-cli/azure/cli/command_modules/profile/__init__.py

@@ -75,6 +75,12 @@ def load_arguments(self, command):
             # Managed identity
             c.argument('identity', options_list=('-i', '--identity'), action='store_true',
                        help="Log in using managed identity", arg_group='Managed Identity')
+            c.argument('client_id',
+                       help="Client ID of the user-assigned managed identity", arg_group='Managed Identity')
+            c.argument('object_id',
+                       help="Object ID of the user-assigned managed identity", arg_group='Managed Identity')
+            c.argument('resource_id',
+                       help="Resource ID of the user-assigned managed identity", arg_group='Managed Identity')
 
         with self.argument_context('logout') as c:
             c.argument('username', help='account user, if missing, logout the current active account')

src/azure-cli/azure/cli/command_modules/profile/_help.py

@@ -43,8 +43,8 @@
       text: az login --service-principal --username APP_ID --certificate /path/to/cert.pem --tenant TENANT_ID
     - name: Log in with a system-assigned managed identity.
       text: az login --identity
-    - name: Log in with a user-assigned managed identity. You must specify the client ID, object ID or resource ID of the user-assigned managed identity with --username.
-      text: az login --identity --username 00000000-0000-0000-0000-000000000000
+    - name: Log in with a user-assigned managed identity's client ID.
+      text: az login --identity --client-id 00000000-0000-0000-0000-000000000000
 """
 
 helps['account'] = """

src/azure-cli/azure/cli/command_modules/profile/custom.py

@@ -121,7 +121,7 @@ def login(cmd, username=None, password=None, tenant=None, scopes=None, allow_no_
           # Service principal
           service_principal=None, certificate=None, use_cert_sn_issuer=None, client_assertion=None,
           # Managed identity
-          identity=False):
+          identity=False, client_id=None, object_id=None, resource_id=None):
     """Log in to access Azure subscriptions"""
 
     # quick argument usage check
@@ -143,7 +143,9 @@ def login(cmd, username=None, password=None, tenant=None, scopes=None, allow_no_
     if identity:
         if in_cloud_console():
             return profile.login_in_cloud_shell()
-        return profile.login_with_managed_identity(username, allow_no_subscriptions)
+        return profile.login_with_managed_identity(
+            identity_id=username, client_id=client_id, object_id=object_id, resource_id=resource_id,
+            allow_no_subscriptions=allow_no_subscriptions)
     if in_cloud_console():  # tell users they might not need login
         logger.warning(_CLOUD_CONSOLE_LOGIN_WARNING)