Azure
Az cli in script asks raw.githubusercontent.com behind private firewall
Describe the bug
We have a script that utilizes az cli for doing a job in AKS. The AKS cluster itself are behond a firewall for outgoing requests and when we run simple commands like az --version or az login ... it seems like requests towards raw.githubusercontent.com are done. This means that we need to open the firewall for raw.githubusercontent.com which again means that we open the firewall to all the public content on github which can include malware. Is this by design?
Github search on raw.githubusercontent.com in azure-cli github repository:
https://github.com/search?q=repo%3AAzure%2Fazure-cli%20raw.githubusercontent.com&type=code
There is also references to private repositories in the URLs used that seem to be archived and not updated anymore, for example: https://github.com/danielsollondon/azvmimagebuilder
Related command
az -h
az login
az account set --subscription xxxxxxxxxxxxx
az aks get-credentials --resource-group xxxxxxxxxx --name xxxxxxxx --overwrite-existing
Errors
No particular errors in place other than request we don't use that might fail in the background.
Issue script & Debug output
No direct error
Expected behavior
We expect the cli to have the information need in the Cli itself?
Environment Summary
az version
{
"azure-cli": "2.61.0",
"azure-cli-core": "2.61.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"account": "0.2.5",
"resource-graph": "2.1.0"
}
}
Additional context
No response
We noticed the same in our environment. Apparently without that access, calls fail (e.g., deploying an Azure Website). And security-wise, it's not something we want to allow, even narrowly in our CI environment
It seems that an auto-upgrade flag exists so changing that flag will avoid the need for the connection.
#https://github.com/Azure/azure-cli/blob/fa58af5a8c8bd382f77bcb50e2cc3def5b3f1d2c/src/azure-cli/azure/cli/main.py#L65
