az login does not handle passwords that start with dashes

[felipeek]

Describe the bug

Our last automated credential rotation generated a client_secret with this format:

"client_secret": "-l98Q~YSXrE7**REDACTED**K2GF7JH.dAc"

Our automated scripts run this:

az login --service-principal --username "$CLIENT_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID"

Where, in this case, CLIENT_SECRET="-l98Q~YSXrE7**REDACTED**K2GF7JH.dAc".

This messes up azcli:

argument --password/-p: expected one argument

Presumably, since the client-secret starts with a dash, it considers it a cli parameter instead of the value of --password.

Related command

az login --service-principal --username "$CLIENT_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID"

Errors

argument --password/-p: expected one argument

Issue script & Debug output

az login --service-principal --username "$CLIENT_ID" --password "$CLIENT_SECRET" --tenant "$TENANT_ID" --debug
cli.knack.cli: Command arguments: ['login', '--service-principal', '--username', 'REDACTED', '--password', '-l98Q~YSXrEREDACTED7JH.dAc', '--tenant', 'REDACTED', '--debug']
cli.knack.cli: init debug log:
Enable color in terminal.
cli.knack.cli: Event: Cli.PreExecute []
cli.knack.cli: Event: CommandParser.OnGlobalArgumentsCreate [<function CLILogging.on_global_arguments at 0x10298f560>, <function OutputProducer.on_global_arguments at 0x102cfca40>, <function CLIQuery.on_global_arguments at 0x102d1e520>]
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableCreate []
cli.azure.cli.core: Modules found from index for 'login': ['azure.cli.command_modules.profile']
cli.azure.cli.core: Loading command modules:
cli.azure.cli.core: Name Load Time Groups Commands
cli.azure.cli.core: profile 0.004 2 8
cli.azure.cli.core: Total (1) 0.004 2 8
cli.azure.cli.core: These extensions are not installed and will be skipped: ['azext_ai_examples', 'azext_next']
cli.azure.cli.core: Loading extensions:
cli.azure.cli.core: Name Load Time Groups Commands Directory
cli.azure.cli.core: Total (0) 0.000 0 0
cli.azure.cli.core: Loaded 2 groups, 8 commands.
cli.azure.cli.core: Found a match in the command table.
cli.azure.cli.core: Raw command : login
cli.azure.cli.core: Command table: login
cli.knack.cli: Event: CommandInvoker.OnPreCommandTableTruncate [<function AzCliLogging.init_command_file_logging at 0x104ac23e0>]
cli.azure.cli.core.azlogging: metadata file logging enabled - writing logs to '/Users/I843484/.azure/commands/2025-01-07.13-42-53.login.87290.log'.
az_command_data_logger: command args: login --service-principal --username {} --password -l{} --tenant {} --debug
cli.knack.cli: Event: CommandInvoker.OnPreArgumentLoad [<function register_global_subscription_argument..add_subscription_parameter at 0x104af3f60>]
cli.knack.cli: Event: CommandInvoker.OnPostArgumentLoad []
cli.knack.cli: Event: CommandInvoker.OnPostCommandTableCreate [<function register_ids_argument..add_ids_arguments at 0x104b13560>, <function register_cache_arguments..add_cache_arguments at 0x104b136a0>, <function register_upcoming_breaking_change_info..update_breaking_change_info at 0x104b13740>]
cli.knack.cli: Event: CommandInvoker.OnCommandTableLoaded []
cli.knack.cli: Event: CommandInvoker.OnPreParseArgs []
cli.azure.cli.core.command_recommender: "-l" is an invalid parameter for command "login".
urllib3.connectionpool: Starting new HTTPS connection (1): app.aladdin.microsoft.com:443
urllib3.connectionpool: https://app.aladdin.microsoft.com:443 "REDACTED" 200 None
cli.azure.cli.core.command_recommender: "-l" is an invalid parameter for command "login".
cli.azure.cli.core.azclierror: Traceback (most recent call last):
File "/opt/homebrew/Cellar/python@3.11/3.11.10/Frameworks/Python.framework/Versions/3.11/lib/python3.11/argparse.py", line 1907, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/python@3.11/3.11.10/Frameworks/Python.framework/Versions/3.11/lib/python3.11/argparse.py", line 2128, in _parse_known_args
start_index = consume_optional(start_index)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/python@3.11/3.11.10/Frameworks/Python.framework/Versions/3.11/lib/python3.11/argparse.py", line 2058, in consume_optional
arg_count = match_argument(action, selected_patterns)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/homebrew/Cellar/python@3.11/3.11.10/Frameworks/Python.framework/Versions/3.11/lib/python3.11/argparse.py", line 2222, in _match_argument
raise ArgumentError(action, msg)
argparse.ArgumentError: argument --password/-p: expected one argument

cli.azure.cli.core.azclierror: argument --password/-p: expected one argument
az_command_data_logger: argument --password/-p: expected one argument

Examples from AI knowledge base:
az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p VerySecret --tenant contoso.onmicrosoft.com
Log in with a service principal using client secret. Use -p=secret if the first character of the password is '-'.

az login --service-principal -u http://azure-cli-2016-08-05-14-31-15 -p ~/mycertfile.pem --tenant contoso.onmicrosoft.com
Log in with a service principal using client certificate.

az login -u johndoe@contoso.com -p VerySecret
Log in with username and password. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled. Use -p=secret if the first character of the password is '-'.

https://aka.ms/cli_ref
Read more about the command in reference docs
cli.knack.cli: Event: Cli.PostExecute [<function AzCliLogging.deinit_cmd_metadata_logging at 0x104ac2660>]
az_command_data_logger: exit code: 2
cli.main: Command ran in 1.296 seconds (init: 0.158, invoke: 1.138)
telemetry.main: Begin splitting cli events and extra events, total events: 1
telemetry.client: Accumulated 0 events. Flush the clients.
telemetry.main: Finish splitting cli events and extra events, cli events: 1
telemetry.save: Save telemetry record of length 4141 in cache file under /Users/I843484/.azure/telemetry/20250107134254988
telemetry.main: Begin creating telemetry upload process.
telemetry.process: Creating upload process: "/opt/homebrew/Cellar/azure-cli/2.64.0/libexec/bin/python /opt/homebrew/Cellar/azure-cli/2.64.0/libexec/lib/python3.11/site-packages/azure/cli/telemetry/init.py /Users/I843484/.azure /Users/I843484/.azure/telemetry/20250107134254988"
telemetry.process: Return from creating process 87300
telemetry.main: Finish creating telemetry upload process.

Expected behavior

Login should work

Environment Summary

azure-cli 2.64.0 *

core 2.64.0 *
telemetry 1.1.0

Extensions:
costmanagement 0.3.0

Dependencies:
msal 1.30.0
azure-mgmt-resource 23.1.1

Python location '/opt/homebrew/Cellar/azure-cli/2.64.0/libexec/bin/python'
Extensions directory '/Users/I843484/.azure/cliextensions'

Python (Darwin) 3.11.10 (main, Sep 7 2024, 01:03:31) [Clang 15.0.0 (clang-1500.3.9.4)]

Legal docs and information: aka.ms/AzureCliLegal

You have 2 update(s) available. Consider updating your CLI installation with 'az upgrade'

Additional context

No response

[azure-client-tools-bot-prd]

Hi @felipeek,

2.64.0 is not the latest Azure CLI(2.67.0).

If you haven't already attempted to do so, please upgrade to the latest Azure CLI version by following https://learn.microsoft.com/en-us/cli/azure/update-azure-cli.

[yonzhan]

Thank you for opening this issue, we will look into it.

[github-actions]

Here are some similar issues that might help you. Please check if they can solve your problem.

• Certain passwords don't allow you to log-in #12332
• fail to login in when the password is starts with '-' #23580
• az login fails with Azure AD service principal and certain client secrets. #12105
• Azure password not working if password starts or contains "-" #7054
• az login -u <username> -p <password> does not work if <password> starts with a hyphen #15493

---

Possible solution (Extracted from existing issue, might be incorrect; please verify carefully)

Solution 1:

This is a known issue in Python that the leading character '-' will confuse the argument parser to make it as an option name. You can fix this issue by adding '=' between the option name and value: az login --username=$CLIENT_ID --password=$CLIENT_SECRET --tenant=$TENANT_ID

Reference:

• Certain passwords don't allow you to log-in #12332 (comment)
• az login fails with Azure AD service principal and certain client secrets. #12105 (comment)

Solution 2:

The solution is already provided in #7054 (comment). We also have official documentation for it: https://learn.microsoft.com/en-us/cli/azure/use-cli-effectively#use-hyphen-characters-in-parameters

Reference:

• Azure password not working if password starts or contains "-" #7054 (comment)

[felipeek]

it's a duplicate.