
Azure - Authentication failure: The public API of azure-cli-core has been deprecated

Open ShaimaAlhashim opened this issue 2 years ago • 12 comments

Hi, I'm trying to run ScoutSuite on my Azure subscription but I'm getting the following error:

__main__.py L185: Authentication failure: The public API of azure-cli-core has been deprecated starting 2.21.0, and this method can no longer return a valid credential. If you need to still use this method, you need to install 'azure-cli-core<2.21.0'. You may corrupt data if you use current CLI and old azure-cli-core. See also: https://aka.ms/azsdk/python/identity/migration

To reproduce:

git clone https://github.com/nccgroup/ScoutSuite
cd ScoutSuite
virtualenv -p python3 venv
source venv/bin/activate
pip install -r requirements.txt

Run the tool

pip install azure-cli

login using: az login

Run:

python scout.py azure --cli

ShaimaAlhashim Mar 15 '22 03:03

Reproduced w/ auth portal requiring MFA.

Relkci Mar 15 '22 18:03

Facing the same issue on Azure ScoutSuite execution!

scout[103000] ERROR __main__.py L185: Authentication failure: The public API of azure-cli-core has been deprecated starting 2.21.0, and this method can no longer return a valid credential. If you need to still use this method, you need to install 'azure-cli-core<2.21.0'. You may corrupt data if you use current CLI and old azure-cli-core. See also: https://aka.ms/azsdk/python/identity/migration

R34LUS3R Mar 16 '22 11:03

@Relkci I have two different accounts (one is an MFA-protected portal and the other one isn't) and I am having this issue on both.

R34LUS3R Mar 16 '22 12:03

Facing the same issue, does anyone have a fix for this? :)

hugo-syn Apr 11 '22 10:04

It seems that the source code used to connect to Azure needs to be changed, according to this article

This function from azure-cli-core has been deprecated:

get_azure_cli_credentials(resource=None, with_tenant=False)

Instead, this function from azure-identity should be used:

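from azure.identity import AzureCliCredential
from azure.mgmt.compute import ComputeManagementClient
# Placeholder: set this to the ID of the subscription to query
subscription_id = "<subscription-id>"
# AzureCliCredential reuses the session created by `az login`
client = ComputeManagementClient(AzureCliCredential(), subscription_id)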

I figured out it should be changed in authentication_strategy.py.

lfservin Apr 12 '22 14:04

Hello. Can someone paste the authentication_strategy.py updated file which reflects this change? I've looked through this file and do not see where the change that has been mentioned is to take place.

brendan004 Apr 15 '22 17:04

I'm still working out that myself.

First thing to change are the imports.

from azure.identity import DefaultAzureCredential

should replace

from azure.common.credentials import ServicePrincipalCredentials, UserPassCredentials, get_azure_cli_credentials

That's the easy part. Now the difficult part is where the different kinds of authentication take place. All that complexity should be theoretically replaced with a call to DefaultAzureCredential. According to documentation:

  • Environment - DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.
  • Managed Identity - if the application is deployed to an Azure host with Managed Identity enabled, DefaultAzureCredential will authenticate with it.
  • Visual Studio Code - if a user has signed in to the Visual Studio Code Azure Account extension, DefaultAzureCredential will authenticate as that user.
  • Azure CLI - if a user has signed in via the Azure CLI az login command, DefaultAzureCredential will authenticate as that user.
  • Azure PowerShell - if a user has signed in via Azure PowerShell's Connect-AzAccount command, DefaultAzureCredential will authenticate as that user.
  • Interactive - if enabled, DefaultAzureCredential will interactively authenticate a user via the default browser. This is disabled by default.

And we're not only authenticating but also determining a few things from the authentication, which we still probably need. Line 114 gets these parameters from the credential: [image] which means that we need the same info: arm_credentials, subscription_id, tenant_id. I'm still figuring out where to get them from.

I'll make a couple of experiments to see if I get any further.

lfservin Apr 22 '22 16:04
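
Added example, not part of the thread and not ScoutSuite's own code: one way to recover the three values mentioned above (arm_credentials, subscription_id, tenant_id) from an azure-identity credential. It assumes the ARM access token is a JWT carrying a `tid` claim and that `SubscriptionClient` is importable from `azure.mgmt.resource`; `FakeCliCredential` and `auth_context` are hypothetical names, and the IDs are constructed so the block runs offline.

```python
import base64
import json
import time
from collections import namedtuple

ARM_SCOPE = "https://management.azure.com/.default"
AccessToken = namedtuple("AccessToken", "token expires_on")  # same fields azure-core returns

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it: fine for reading our own
    tenant id, never a basis for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def auth_context(credential, subscription_ids=None):
    """Derive the three values from any credential that implements
    get_token() (AzureCliCredential, DefaultAzureCredential, ...)."""
    token = credential.get_token(ARM_SCOPE).token
    tenant_id = jwt_claims(token)["tid"]  # assumption: ARM token is a JWT with 'tid'
    if subscription_ids is None:
        # Live path: needs azure-mgmt-resource installed and network access.
        from azure.mgmt.resource import SubscriptionClient
        subscription_ids = [s.subscription_id
                            for s in SubscriptionClient(credential).subscriptions.list()]
    return {"arm_credentials": credential,
            "tenant_id": tenant_id,
            "subscription_ids": list(subscription_ids)}

class FakeCliCredential:
    """Constructed offline stand-in for AzureCliCredential (hypothetical helper)."""
    def __init__(self, tenant_id):
        self.tenant_id = tenant_id

    def get_token(self, *scopes, **kwargs):
        def b64(obj):
            raw = json.dumps(obj).encode()
            return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        claims = {"tid": self.tenant_id, "aud": scopes[0]}
        jwt = ".".join([b64({"alg": "none"}), b64(claims), "sig"])
        return AccessToken(jwt, int(time.time()) + 3600)

if __name__ == "__main__":
    # Constructed IDs; after `az login`, pass azure.identity.AzureCliCredential() instead.
    cred = FakeCliCredential("00000000-0000-0000-0000-000000000001")
    print(auth_context(cred, subscription_ids=["00000000-0000-0000-0000-0000000000aa"]))
```

With a real credential, leave `subscription_ids` unset to enumerate every subscription the signed-in identity can see.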

Has there been any more progress on this? Is there a workaround? ScoutSuite for Azure is rather useless when it can't log in to Azure unless I'm missing something.

ejohnson54 May 12 '22 18:05

Hi,

This has been fixed in the develop branch by updating the authentication libraries and functions to use the new versions.

Changes have not yet made it to master; please give it a try with the develop branch to see if the error persists. Also check the new requirements.txt file which contains updated versions for multiple packages. These will be needed for the upgraded features to work as expected.

fernando-gallego Jun 03 '22 11:06

Wow. Great. I'll give it a try. Do you know which branch it is?

lfservin Jun 08 '22 20:06

Try with the "develop" branch.

fernando-gallego Jun 09 '22 09:06

So I decided just to buy their paid version as I've now come to understand that the command line version does not use the full suite of CIS Benchmarks. I'm guessing the command line version is there to rope us in to buying... which it did me :)

brendan004 Jun 09 '22 15:06