Add Subscription property to AzureCliCredentialOptions (Azure#47817)

Author: christothes

sdk/identity/Azure.Identity/CHANGELOG.md

@@ -3,6 +3,7 @@
 ## 1.14.0-beta.1 (Unreleased)
 
 ### Features Added
+- Added a `Subscription` property to `AzureCliCredentialOptions` to allow specifying the Azure subscription ID or name to use when authenticating with the Azure CLI.
 
 ### Breaking Changes
 

sdk/identity/Azure.Identity/api/Azure.Identity.net8.0.cs

@@ -65,6 +65,7 @@ public partial class AzureCliCredentialOptions : Azure.Identity.TokenCredentialO
         public AzureCliCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public System.TimeSpan? ProcessTimeout { get { throw null; } set { } }
+        public string Subscription { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
     }
     public partial class AzureDeveloperCliCredential : Azure.Core.TokenCredential

sdk/identity/Azure.Identity/api/Azure.Identity.netstandard2.0.cs

@@ -63,6 +63,7 @@ public partial class AzureCliCredentialOptions : Azure.Identity.TokenCredentialO
         public AzureCliCredentialOptions() { }
         public System.Collections.Generic.IList<string> AdditionallyAllowedTenants { get { throw null; } }
         public System.TimeSpan? ProcessTimeout { get { throw null; } set { } }
+        public string Subscription { get { throw null; } set { } }
         public string TenantId { get { throw null; } set { } }
     }
     public partial class AzureDeveloperCliCredential : Azure.Core.TokenCredential

sdk/identity/Azure.Identity/src/Credentials/AzureCliCredential.cs

@@ -48,6 +48,7 @@ public class AzureCliCredential : TokenCredential
         private readonly bool _logPII;
         private readonly bool _logAccountDetails;
         internal string TenantId { get; }
+        internal string Subscription { get; }
         internal string[] AdditionallyAllowedTenantIds { get; }
         internal bool _isChainedCredential;
         internal TenantIdResolverBase TenantIdResolver { get; }
@@ -75,6 +76,7 @@ internal AzureCliCredential(CredentialPipeline pipeline, IProcessService process
             _path = !string.IsNullOrEmpty(EnvironmentVariables.Path) ? EnvironmentVariables.Path : DefaultPath;
             _processService = processService ?? ProcessService.Default;
             TenantId = Validations.ValidateTenantId(options?.TenantId, $"{nameof(options)}.{nameof(options.TenantId)}", true);
+            Subscription = options?.Subscription;
             TenantIdResolver = options?.TenantIdResolver ?? TenantIdResolverBase.Default;
             AdditionallyAllowedTenantIds = TenantIdResolver.ResolveAddionallyAllowedTenantIds((options as ISupportsAdditionallyAllowedTenants)?.AdditionallyAllowedTenants);
             ProcessTimeout = options?.ProcessTimeout ?? TimeSpan.FromSeconds(13);
@@ -128,7 +130,7 @@ private async ValueTask<AccessToken> RequestCliAccessTokenAsync(bool async, Toke
             Validations.ValidateTenantId(tenantId, nameof(context.TenantId), true);
             ScopeUtilities.ValidateScope(resource);
 
-            GetFileNameAndArguments(resource, tenantId, out string fileName, out string argument);
+            GetFileNameAndArguments(resource, tenantId, Subscription, out string fileName, out string argument);
             ProcessStartInfo processStartInfo = GetAzureCliProcessStartInfo(fileName, argument);
             using var processRunner = new ProcessRunner(_processService.Create(processStartInfo), ProcessTimeout, _logPII, cancellationToken);
 
@@ -209,14 +211,19 @@ private ProcessStartInfo GetAzureCliProcessStartInfo(string fileName, string arg
                 Environment = { { "PATH", _path } }
             };
 
-        private static void GetFileNameAndArguments(string resource, string tenantId, out string fileName, out string argument)
+        private static void GetFileNameAndArguments(string resource, string tenantId, string subscriptionId, out string fileName, out string argument)
         {
             string command = tenantId switch
             {
                 null => $"az account get-access-token --output json --resource {resource}",
                 _ => $"az account get-access-token --output json --resource {resource} --tenant {tenantId}"
             };
 
+            if (!string.IsNullOrEmpty(subscriptionId))
+            {
+                command += $" --subscription \"{subscriptionId}\"";
+            }
+
             if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
             {
                 fileName = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "cmd.exe");

sdk/identity/Azure.Identity/src/Credentials/AzureCliCredentialOptions.cs

@@ -11,6 +11,8 @@ namespace Azure.Identity
     /// </summary>
     public class AzureCliCredentialOptions : TokenCredentialOptions, ISupportsAdditionallyAllowedTenants
     {
+        private string _subscription;
+
         /// <summary>
         /// The ID of the tenant to which the credential will authenticate by default. If not specified, the credential will authenticate to any requested tenant, and will default to the tenant provided to the 'az login' command.
         /// </summary>
@@ -27,5 +29,22 @@ public class AzureCliCredentialOptions : TokenCredentialOptions, ISupportsAdditi
         /// The Cli process timeout.
         /// </summary>
         public TimeSpan? ProcessTimeout { get; set; }
+
+        /// <summary>
+        /// The subscription name or Id to use for authentication. This equates to the --subscription parameter in the Azure CLI.
+        /// </summary>
+        public string Subscription
+        {
+            get => _subscription;
+            set
+            {
+                if (!Validations.IsValidateSubscriptionNameOrId(value))
+                {
+                    throw new ArgumentException("The provided subscription contains invalid characters. If this is the name of a subscription, use its ID instead.");
+                }
+
+                _subscription = value;
+            }
+        }
     }
 }

sdk/identity/Azure.Identity/src/Validations.cs

@@ -57,6 +57,27 @@ public static Uri ValidateAuthorityHost(Uri authorityHost)
             return authorityHost;
         }
 
+        public static bool IsValidateSubscriptionNameOrId(string subscription)
+        {
+            if (string.IsNullOrEmpty(subscription))
+            {
+                return false;
+            }
+            foreach (char c in subscription)
+            {
+                if (!IsValidateSubscriptionNameOrIdCharacter(c))
+                {
+                    return false;
+                }
+            }
+            return true;
+        }
+
+        private static bool IsValidateSubscriptionNameOrIdCharacter(char c)
+        {
+            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || (c == ' ') || (c == '-') || (c == '_');
+        }
+
         private static bool IsValidTenantCharacter(char c)
         {
             return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || (c == '.') || (c == '-');

sdk/identity/Azure.Identity/tests/AzureCliCredentialTests.cs

@@ -45,11 +45,16 @@ public override TokenCredential GetTokenCredential(CommonCredentialTestConfig co
         [Test]
         public async Task AuthenticateWithCliCredential(
             [Values(null, TenantIdHint)] string tenantId,
+            [Values(null, "1a7eed92-726e-46c0-b21d-a3db74b3b58c", "My Subscription Name -_")] string subscription,
             [Values(true)] bool allowMultiTenantAuthentication,
             [Values(null, TenantId)] string explicitTenantId)
         {
-            var context = new TokenRequestContext(new[] { Scope }, tenantId: tenantId);
+            var context = new TokenRequestContext([Scope], tenantId: tenantId);
             var options = new AzureCliCredentialOptions { TenantId = explicitTenantId, AdditionallyAllowedTenants = { TenantIdHint } };
+            if (subscription != null)
+            {
+                options.Subscription = subscription;
+            }
             string expectedTenantId = TenantIdResolverBase.Default.Resolve(explicitTenantId, context, TenantIdResolverBase.AllTenants);
             var (expectedToken, expectedExpiresOn, processOutput) = CredentialTestHelpers.CreateTokenForAzureCli();
 
@@ -70,6 +75,23 @@ public async Task AuthenticateWithCliCredential(
             {
                 Assert.That(testProcess.StartInfo.Arguments, Does.Not.Contain("-tenant"));
             }
+
+            if (subscription != null)
+            {
+                Assert.That(testProcess.StartInfo.Arguments, Does.Contain($"--subscription \"{subscription}\""));
+            }
+            else
+            {
+                Assert.That(testProcess.StartInfo.Arguments, Does.Not.Contain("--subscription"));
+            }
+        }
+
+        [Test]
+        public void AzureCliCredentialOptionsValidatesSubscriptionOption()
+        {
+            Assert.Throws<ArgumentException>(() => new AzureCliCredentialOptions { Subscription = "My Subscription Name with a quote \"" });
+            new AzureCliCredentialOptions { Subscription = "My Subscription Name -_" };
+            new AzureCliCredentialOptions { Subscription = Guid.NewGuid().ToString() };
         }
 
         [Test]