
{Auth} Makes `MSIAuthenticationWrapper` expose `get_auxiliary_tokens`

Open jiasli opened this issue 3 years ago • 1 comments

Description

When command modules such as resource or network call `get_login_credentials`, they specify `aux_subscriptions` or `aux_tenants`. The returned `CredentialAdaptor` contains internal credentials for these aux tenants. `_prepare_mgmt_client_kwargs_track2` will then call `get_auxiliary_tokens` to get aux tokens.

However, managed identity is single-tenanted and has no cross-tenant support, so `MSIAuthenticationWrapper` doesn't expose `get_auxiliary_tokens`.

In Azure CLI Core, we have logic to prevent calling `get_auxiliary_tokens` on `MSIAuthenticationWrapper`: https://github.com/Azure/azure-cli/blob/110f7b402020f3d3ebd2bfb923ac5a01d026cdd1/src/azure-cli-core/azure/cli/core/commands/client_factory.py#L184

`AAZBearerTokenCredentialPolicy` assumes `get_auxiliary_tokens` is available for all credentials and doesn't check if `get_auxiliary_tokens` exists first:

https://github.com/Azure/azure-cli/blob/0183af7b5df0796c965c87d4bd158aad11bc1460/src/azure-cli-core/azure/cli/core/aaz/_http_policy.py#L80-L81

This PR makes `MSIAuthenticationWrapper` expose `get_auxiliary_tokens` but return `None` to make sure `CredentialAdaptor` and `AAZBearerTokenCredentialPolicy` have the same interface.

closed https://github.com/Azure/azure-cli/issues/23493

jiasli, Aug 11 '22 09:08
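The interface mismatch described in the post above, as an added example that is not Azure CLI source and not part of the original post. The classes and `build_auth_headers` are hypothetical stand-ins, the token strings are constructed, and the sketch assumes auxiliary tokens are sent in ARM's `x-ms-authorization-auxiliary` header.

```python
# Added illustration: hypothetical stand-ins, not the Azure CLI implementation.
SCOPE = "https://management.azure.com/.default"


class AdaptorLikeCredential:
    """Stand-in for a credential that holds credentials for auxiliary tenants."""

    def __init__(self, aux_tenants):
        self._aux_tenants = list(aux_tenants)

    def get_token(self, *scopes):
        return "primary-token"  # constructed value

    def get_auxiliary_tokens(self, *scopes):
        # One token per auxiliary tenant, or None when there are none.
        return [f"aux-token-{t}" for t in self._aux_tenants] or None


class ManagedIdentityBefore:
    """Single-tenant credential that does not define get_auxiliary_tokens."""

    def get_token(self, *scopes):
        return "msi-token"  # constructed value


class ManagedIdentityAfter(ManagedIdentityBefore):
    """Same credential with the method exposed; it always returns None."""

    def get_auxiliary_tokens(self, *scopes):
        return None  # managed identity has no cross-tenant tokens to offer


def build_auth_headers(credential, *scopes):
    """Policy-style caller that assumes every credential has the method."""
    headers = {"Authorization": f"Bearer {credential.get_token(*scopes)}"}
    aux_tokens = credential.get_auxiliary_tokens(*scopes)  # no hasattr() guard
    if aux_tokens:
        headers["x-ms-authorization-auxiliary"] = ", ".join(
            f"Bearer {token}" for token in aux_tokens)
    return headers


def policy_fails_with(credential):
    """Return True if the unguarded call raises AttributeError."""
    try:
        build_auth_headers(credential, SCOPE)
    except AttributeError:
        return True
    return False
```

With the method returning `None`, the managed identity path sends only its own bearer token and never an auxiliary header.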

Auth

yonzhan, Aug 11 '22 10:08