[Identity] az identity federated-credential: Add subgroup to suppor…

…t managing federated identity credentials of existing user assigned identities (#23681)
Azure · Sep 1, 2022 · ffbcfd0 · ffbcfd0
1 parent 260fda0
commit ffbcfd0
Show file tree

Hide file tree

Showing 7 changed files with 710 additions and 1 deletion.
diff --git a/src/azure-cli/azure/cli/command_modules/identity/_client_factory.py b/src/azure-cli/azure/cli/command_modules/identity/_client_factory.py
@@ -16,3 +16,7 @@ def _msi_user_identities_operations(cli_ctx, _):
 
 def _msi_operations_operations(cli_ctx, _):
     return _msi_client_factory(cli_ctx).operations
+
+
+def _msi_federated_identity_credentials_operations(cli_ctx, _):
+    return _msi_client_factory(cli_ctx).federated_identity_credentials
diff --git a/src/azure-cli/azure/cli/command_modules/identity/_help.py b/src/azure-cli/azure/cli/command_modules/identity/_help.py
@@ -3,6 +3,8 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
+# pylint: disable=line-too-long, too-many-lines
+
 from knack.help_files import helps
 
 helps['identity'] = """
@@ -28,3 +30,53 @@
 type: command
 short-summary: Lists available operations for the Managed Identity provider
 """
+
+helps['identity federated-credential'] = """
+type: group
+short-summary: Manage federated identity credentials under user assigned identities.
+"""
+
+helps['identity federated-credential create'] = """
+type: command
+short-summary: Create a federated identity credential under an existing user assigned identity.
+examples:
+  - name: Create a federated identity credential under a specific user assigned identity.
+    text: |
+        az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+"""
+
+helps['identity federated-credential update'] = """
+type: command
+short-summary: Update a federated identity credential under an existing user assigned identity.
+examples:
+  - name: Update a federated identity credential under a specific user assigned identity.
+    text: |
+        az identity federated-credential update --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+"""
+
+helps['identity federated-credential delete'] = """
+type: command
+short-summary: Delete a federated identity credential under an existing user assigned identity.
+examples:
+  - name: Delete a federated identity credential under a specific user assigned identity.
+    text: |
+        az identity federated-credential delete --name myFicName --identity-name myIdentityName --resource-group myResourceGroup
+"""
+
+helps['identity federated-credential show'] = """
+type: command
+short-summary: Show a federated identity credential under an existing user assigned identity.
+examples:
+  - name: Show a federated identity credential under a specific user assigned identity.
+    text: |
+        az identity federated-credential show --name myFicName --identity-name myIdentityName --resource-group myResourceGroup
+"""
+
+helps['identity federated-credential list'] = """
+type: command
+short-summary: List all federated identity credentials under an existing user assigned identity.
+examples:
+  - name: List all federated identity credentials under an existing user assigned identity.
+    text: |
+        az identity federated-credential list --identity-name myIdentityName --resource-group myResourceGroup
+"""
diff --git a/src/azure-cli/azure/cli/command_modules/identity/_params.py b/src/azure-cli/azure/cli/command_modules/identity/_params.py
@@ -3,6 +3,7 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
+# pylint: disable=line-too-long, too-many-lines
 from knack.arguments import CLIArgumentType
 
 from azure.cli.core.commands.parameters import get_location_type, tags_type
@@ -20,3 +21,13 @@ def load_arguments(self, _):
     with self.argument_context('identity create') as c:
         c.argument('location', get_location_type(self.cli_ctx), required=False)
         c.argument('tags', tags_type)
+
+    with self.argument_context('identity federated-credential', min_api='2022-01-31-preview') as c:
+        c.argument('federated_credential_name', options_list=('--name', '-n'), help='The name of the federated identity credential resource.')
+        c.argument('identity_name', help='The name of the identity resource.')
+
+    for scope in ['identity federated-credential create', 'identity federated-credential update']:
+        with self.argument_context(scope) as c:
+            c.argument('issuer', help='The openId connect metadata URL of the issuer of the identity provider that Azure AD would use in the token exchange protocol for validating tokens before issuing a token as the user-assigned managed identity.')
+            c.argument('subject', help='The sub value in the token sent to Azure AD for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure AD to issue the access token.')
+            c.argument('audiences', nargs='+', help='The aud value in the token sent to Azure for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure to issue the access token.')
diff --git a/src/azure-cli/azure/cli/command_modules/identity/commands.py b/src/azure-cli/azure/cli/command_modules/identity/commands.py
@@ -6,7 +6,8 @@
 
 from azure.cli.core.commands import CliCommandType
 
-from ._client_factory import _msi_user_identities_operations, _msi_operations_operations
+from ._client_factory import _msi_user_identities_operations, _msi_operations_operations, \
+    _msi_federated_identity_credentials_operations
 
 from ._validators import process_msi_namespace
 
@@ -21,6 +22,10 @@ def load_command_table(self, _):
         operations_tmpl='azure.mgmt.msi.operations#Operations.{}',
         client_factory=_msi_operations_operations
     )
+    federated_identity_credentials_sdk = CliCommandType(
+        operations_tmpl='azure.mgmt.msi.operations#FederatedIdentityCredentialsOperations.{}',
+        client_factory=_msi_federated_identity_credentials_operations
+    )
 
     with self.command_group('identity', identity_sdk, client_factory=_msi_user_identities_operations) as g:
         g.custom_command('create', 'create_identity', validator=process_msi_namespace)
@@ -31,3 +36,12 @@ def load_command_table(self, _):
 
     with self.command_group('identity', msi_operations_sdk, client_factory=_msi_operations_operations) as g:
         g.command('list-operations', 'list')
+
+    with self.command_group('identity federated-credential', federated_identity_credentials_sdk,
+                            client_factory=_msi_federated_identity_credentials_operations,
+                            min_api='2022-01-31-preview') as g:
+        g.custom_command('create', 'create_or_update_federated_credential')
+        g.custom_command('update', 'create_or_update_federated_credential')
+        g.custom_show_command('show', 'show_federated_credential')
+        g.custom_command('delete', 'delete_federated_credential', confirmation=True)
+        g.custom_command('list', 'list_federated_credential')
diff --git a/src/azure-cli/azure/cli/command_modules/identity/custom.py b/src/azure-cli/azure/cli/command_modules/identity/custom.py
@@ -3,6 +3,12 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
+from azure.cli.core.profiles import ResourceType
+from azure.cli.core.azclierror import (
+    RequiredArgumentMissingError
+)
+
+
 def list_user_assigned_identities(cmd, resource_group_name=None):
     from azure.cli.command_modules.identity._client_factory import _msi_client_factory
     client = _msi_client_factory(cmd.cli_ctx)
@@ -19,3 +25,33 @@ def create_identity(client, resource_group_name, resource_name, location, tags=N
     return client.create_or_update(resource_group_name=resource_group_name,
                                    resource_name=resource_name,
                                    parameters=parameters)
+
+
+def create_or_update_federated_credential(cmd, client, resource_group_name, identity_name, federated_credential_name,
+                                          issuer=None, subject=None, audiences=None):
+    _default_audiences = ['api://AzureADTokenExchange']
+    audiences = _default_audiences if not audiences else audiences
+    if not issuer or not subject:
+        raise RequiredArgumentMissingError('usage error: please provide both --issuer and --subject parameters')
+
+    FederatedIdentityCredential = cmd.get_models('FederatedIdentityCredential', resource_type=ResourceType.MGMT_MSI,
+                                                 operation_group='federated_identity_credentials')
+    parameters = FederatedIdentityCredential(issuer=issuer, subject=subject, audiences=audiences)
+
+    return client.create_or_update(resource_group_name=resource_group_name, resource_name=identity_name,
+                                   federated_identity_credential_resource_name=federated_credential_name,
+                                   parameters=parameters)
+
+
+def delete_federated_credential(client, resource_group_name, identity_name, federated_credential_name):
+    return client.delete(resource_group_name=resource_group_name, resource_name=identity_name,
+                         federated_identity_credential_resource_name=federated_credential_name)
+
+
+def show_federated_credential(client, resource_group_name, identity_name, federated_credential_name):
+    return client.get(resource_group_name=resource_group_name, resource_name=identity_name,
+                      federated_identity_credential_resource_name=federated_credential_name)
+
+
+def list_federated_credential(client, resource_group_name, identity_name):
+    return client.list(resource_group_name=resource_group_name, resource_name=identity_name)