
[Profile] BREAKING CHANGE: az account show: Drop --sdk-auth #21219

Merged
merged 2 commits into from
Feb 17, 2022

Conversation

jiasli
Member

@jiasli jiasli commented Feb 8, 2022

Description

#19414 announced the deprecation of --sdk-auth but --sdk-auth was kept during MSAL migration (#19872).

az account show --sdk-auth compromises the security of MSAL's encrypted service principal credential store, as it can "spit out" / echo the original service principal secrets. This is not a secure behavior - consider being able to see your password after you log in to Windows or https://outlook.live.com/.

However, since az ad sp create-for-rbac --sdk-auth is still used by many other services, like GitHub Actions (as shown in #19872), it will be kept for now.

@yonzhan
Collaborator

yonzhan commented Feb 8, 2022

Profile

@yonzhan yonzhan added this to the Feb 2022 (2022-03-01) milestone Feb 8, 2022
@jiasli
Member Author

jiasli commented Aug 19, 2022

Workaround

WARNING: Saving credentials to a JSON file is considered insecure. Azure Python SDK has also deprecated the usage of JSON file credential. Please see Guide for migrating to azure-identity from azure-common for more details.

If you currently have workflows that utilize the JSON output of az account show --sdk-auth and that can't be migrated immediately, you may manually fill in the JSON below with the required information to get the original output of az account show --sdk-auth:

{
  "clientId": "...",
  "clientSecret": "...",
  "subscriptionId": "...",
  "tenantId": "...",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

If you forget the client secret/password, you may use az ad app/sp credential reset to reset the credential of the application/service principal.
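The following is an added example, not code from the Azure CLI project or from this thread's participants, showing one way to assemble the workaround document above without reading any secret back out of the CLI's credential store: subscriptionId and tenantId are taken from the parsed output of `az account show` (its `id` and `tenantId` keys), the client id and secret are supplied by the caller (here from the hypothetical `SP_CLIENT_ID` / `SP_CLIENT_SECRET` environment variables), and the file is written readable only by the current user.

```python
import json
import os
import stat
import subprocess
from pathlib import Path

# Static endpoint values from the workaround comment above (Azure public cloud).
SDK_AUTH_ENDPOINTS = {
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/",
}


def build_sdk_auth(account: dict, client_id: str, client_secret: str) -> dict:
    """Assemble the legacy --sdk-auth document.

    `account` is the parsed JSON of `az account show` (keys `id` and
    `tenantId`); the secret comes from the caller, never from the CLI store.
    """
    for key in ("id", "tenantId"):
        if not account.get(key):
            raise ValueError(f"az account show output lacks '{key}'")
    if not client_id or not client_secret:
        raise ValueError("clientId and clientSecret are required")
    return {
        "clientId": client_id,
        "clientSecret": client_secret,
        "subscriptionId": account["id"],
        "tenantId": account["tenantId"],
        **SDK_AUTH_ENDPOINTS,
    }


def write_sdk_auth(doc: dict, path: Path) -> Path:
    """Write the document with mode 0600 so other local users cannot read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh, indent=2)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too
    return path


if __name__ == "__main__":
    # Hypothetical env var names; a CI secret store would populate them.
    account = json.loads(subprocess.check_output(["az", "account", "show", "-o", "json"]))
    doc = build_sdk_auth(account, os.environ["SP_CLIENT_ID"], os.environ["SP_CLIENT_SECRET"])
    write_sdk_auth(doc, Path("sdk-auth.json"))
```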
