-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
{Profile} az account get-access-token
: Show expiresOn
for managed identity
#20219
Changes from 2 commits
bfaacc2
5859d97
71d161e
141ab62
f65d76a
4cf877e
173d469
7aa714e
eae0254
f0746f0
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
@@ -361,37 +361,41 @@ def get_raw_token(self, resource=None, scopes=None, subscription=None, tenant=No | |||||||||
raise CLIError("Please specify only one of subscription and tenant, not both") | ||||||||||
|
||||||||||
account = self.get_subscription(subscription) | ||||||||||
resource = resource or self.cli_ctx.cloud.endpoints.active_directory_resource_id | ||||||||||
|
||||||||||
# This is not used anyway, just a placeholder | ||||||||||
mi_resoure = self.cli_ctx.cloud.endpoints.active_directory_resource_id | ||||||||||
|
||||||||||
identity_type, identity_id = Profile._try_parse_msi_account_name(account) | ||||||||||
if identity_type: | ||||||||||
# MSI | ||||||||||
# managed identity | ||||||||||
if tenant: | ||||||||||
raise CLIError("Tenant shouldn't be specified for MSI account") | ||||||||||
msi_creds = MsiAccountTypes.msi_auth_factory(identity_type, identity_id, resource) | ||||||||||
msi_creds.set_token() | ||||||||||
token_entry = msi_creds.token | ||||||||||
creds = (token_entry['token_type'], token_entry['access_token'], token_entry) | ||||||||||
raise CLIError("Tenant shouldn't be specified for managed identity account") | ||||||||||
msi_creds = MsiAccountTypes.msi_auth_factory(identity_type, identity_id, mi_resoure) | ||||||||||
sdk_token = msi_creds.get_token(*scopes) | ||||||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The old implementation of ADAL-based Azure CLI returns
They are unified later at command module level: azure-cli/src/azure-cli/azure/cli/command_modules/profile/custom.py Lines 82 to 85 in df737ed
We use There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Just out of curiosity, will There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. No. |
||||||||||
elif in_cloud_console() and account[_USER_ENTITY].get(_CLOUD_SHELL_ID): | ||||||||||
# Cloud Shell | ||||||||||
if tenant: | ||||||||||
raise CLIError("Tenant shouldn't be specified for Cloud Shell account") | ||||||||||
creds = self._get_token_from_cloud_shell(resource) | ||||||||||
msi_creds = MsiAccountTypes.msi_auth_factory(MsiAccountTypes.system_assigned, identity_id, mi_resoure) | ||||||||||
sdk_token = msi_creds.get_token(*scopes) | ||||||||||
else: | ||||||||||
credential = self._create_credential(account, tenant) | ||||||||||
token = credential.get_token(*scopes) | ||||||||||
sdk_token = credential.get_token(*scopes) | ||||||||||
|
||||||||||
import datetime | ||||||||||
expiresOn = datetime.datetime.fromtimestamp(token.expires_on).strftime("%Y-%m-%d %H:%M:%S.%f") | ||||||||||
# Convert epoch int 'expires_on' to datetime string 'expiresOn' for backward compatibility | ||||||||||
# WARNING: expiresOn is deprecated and will be removed in future release. | ||||||||||
import datetime | ||||||||||
expiresOn = datetime.datetime.fromtimestamp(sdk_token.expires_on).strftime("%Y-%m-%d %H:%M:%S.%f") | ||||||||||
|
||||||||||
token_entry = { | ||||||||||
'accessToken': token.token, | ||||||||||
'expires_on': token.expires_on, | ||||||||||
'expiresOn': expiresOn | ||||||||||
} | ||||||||||
token_entry = { | ||||||||||
'accessToken': sdk_token.token, | ||||||||||
'expires_on': sdk_token.expires_on, # epoch int, like 1605238724 | ||||||||||
'expiresOn': expiresOn # datetime string, like "2020-11-12 13:50:47.114324" | ||||||||||
} | ||||||||||
|
||||||||||
# (tokenType, accessToken, tokenEntry) | ||||||||||
creds = 'Bearer', sdk_token.token, token_entry | ||||||||||
|
||||||||||
# (tokenType, accessToken, tokenEntry) | ||||||||||
creds = 'Bearer', token.token, token_entry | ||||||||||
# (cred, subscription, tenant) | ||||||||||
return (creds, | ||||||||||
None if tenant else str(account[_SUBSCRIPTION_ID]), | ||||||||||
|
@@ -695,13 +699,6 @@ def get_installation_id(self): | |||||||||
self._storage[_INSTALLATION_ID] = installation_id | ||||||||||
return installation_id | ||||||||||
|
||||||||||
def _get_token_from_cloud_shell(self, resource): # pylint: disable=no-self-use | ||||||||||
from azure.cli.core.auth.adal_authentication import MSIAuthenticationWrapper | ||||||||||
auth = MSIAuthenticationWrapper(resource=resource) | ||||||||||
auth.set_token() | ||||||||||
token_entry = auth.token | ||||||||||
return (token_entry['token_type'], token_entry['access_token'], token_entry) | ||||||||||
|
||||||||||
|
||||||||||
class MsiAccountTypes: | ||||||||||
# pylint: disable=no-method-argument,no-self-argument | ||||||||||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -78,7 +78,7 @@ def get_access_token(cmd, subscription=None, resource=None, scopes=None, resourc | |
'tokenType': creds[0], | ||
'accessToken': creds[1], | ||
# 'expires_on': creds[2].get('expires_on', None), | ||
'expiresOn': creds[2].get('expiresOn', None), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why do you need to change this line? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We need to guarantee that |
||
'expiresOn': creds[2]['expiresOn'], | ||
'tenant': tenant | ||
} | ||
if subscription: | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we use a specific error type (such as
ArgumentUsageError
) instead ofCLIError
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are so many places in core that don't comply with the error handling rule. Let's refine them together later.