Quick & dirty script to automatically get the PIM_TOKEN
Go script that connects to Chrome over the remote debugging port (Chrome needs to be started with that port exposed), navigates to the Azure portal and then extracts the PIM token.
With that token, it calls az-pim-cli to list the groups and to activate one.
Hey man, great script :) I improved it even more:
- it is now a wrapper to az-pim-cli if you provide extra params - e.g. pim-token list groups or pim-token activate group ... etc. - if you don't provide any params it'll just give you the command to export the token as a variable to your shell so you can use it with az-pim-cli separately
- it will store the token in a local file with perm 0600 and reuse it if it is still valid to save time not opening any browser
- But if it does need a browser, it will wait for the browser to complete any MFA auth before trying to find the secret in session storage
Thanks @ryan-grenz-evelyn. Yours is much better!
Chrome made a change recently, version 136, making it mandatory to use a different --user-data-dir to enable remote debugging.
Thanks @adrianlzt :) And yes, that's a good point. Another thing to mention: on a corporate Windows desktop (no administrator permissions), when using the script inside WSL2, I could only make this work in Windows 11 using mirrored mode networking: https://learn.microsoft.com/en-us/windows/wsl/networking#mirrored-mode-networking because Chrome seems to only allow debug port connections from 127.0.0.1 in the Windows environment itself (couldn't get it to work through NAT in WSL2 without needing Windows admin privileges).
Is there a proper way to generate this access token with AZ CLI? (i.e. az account get-access-token)
I've attempted with the generated access token but am encountering a RoleAssignmentRequestAcrsValidationFailed error.
Have you found a proper solution @jeraldlyh ?
Not yet, haven't got the time to look into this. Will update when I've figured it out. @molinch