Azure / azure-cli

Azure Command-Line Interface
MIT License

[Enhancement Proposal] Share login context between Azure CLI and Azure PowerShell #16460

Open jiasli opened 3 years ago

jiasli commented 3 years ago

Is your feature request related to a problem? Please describe.

Sharing login context between Azure CLI and Azure PowerShell is not currently supported.

Describe the solution you'd like

Azure CLI and Azure PowerShell can share their login context so that users can choose to use either command:

| | Azure CLI | Azure PowerShell |
| --- | --- | --- |
| login | az login | Connect-AzAccount |
| change context | az account set | Set-AzContext |

Additional context

To share login context, Azure CLI and Azure PowerShell must share 2 things:

| | Azure CLI | Azure PowerShell |
| --- | --- | --- |
| context | azureProfile.json | AzureRmContext.json |
| token cache | accessTokens.json | TokenCache.dat |

For token cache, once both migrate to MSAL, TokenCache.dat and accessTokens.json will be merged into

C:\Users\<username>\AppData\Local\.IdentityService\msal.cache 

so we get shared msal.cache out of the box.

But for AzureRmContext.json and azureProfile.json, it is very hard for Azure CLI to use AzureRmContext.json from Azure PowerShell, given that the internal implementation logic is so different.

Also, Azure CLI faces another issue for tenant/user isolation which should also be addressed first before sharing login context with Azure PowerShell: #15005.

If this is really something we need to achieve, a drastic overhaul of Azure CLI and Azure PowerShell is necessary.

yonzhan commented 3 years ago

A good proposal to share login context across client tools

cblackuk commented 3 years ago

What a great idea! Where do I vote for this? :-)

jiasli commented 3 years ago

Thank you @cblackuk for the comment. You may simply vote on the issue description with a 👍 and our team will evaluate this proposal based on the vote count! 😊

cblackuk commented 3 years ago

Awesome! Thanks :-) Now to everyone else - VOTE people! You will thank us later :-D

yobyot commented 3 years ago

I appreciate that the team is asking for input. And don’t get me wrong: this isn’t a terrible idea. But there are so many other things the cmdlets need more, like expanded, comprehensive, more useable documentation.

This strikes me as the solution to some Microsoft developer’s being inconvenienced rather than a pain the everyday Az module user in an enterprise is facing.

guidooliveira commented 3 years ago

+1 on that! great idea!

EwertonJordao commented 3 years ago

+1 :D.

rayterrill commented 2 years ago

+1 coming from AWS this has been quite confusing

jiasli commented 1 year ago

After dropping Azure Identity and integrating with MSAL, Azure CLI doesn't save token cache to C:\Users\<username>\AppData\Local\.IdentityService\msal.cache. Instead, Azure CLI uses its own msal_token_cache.bin and service_principal_entries.bin as explained in https://github.com/Azure/azure-cli/pull/19853#issuecomment-984440373.

> so we get shared msal.cache out of the box.

This is no longer true and sharing token cache now becomes another challenge.

segraef commented 3 months ago

> After dropping Azure Identity and integrating with MSAL, Azure CLI doesn't save token cache to C:\Users\<username>\AppData\Local\.IdentityService\msal.cache. Instead, Azure CLI uses its own msal_token_cache.bin and service_principal_entries.bin as explained in #19853 (comment).
>
> > so we get shared msal.cache out of the box.
>
> This is no longer true and sharing token cache now becomes another challenge.

@jiasli, coming back to this, do we have any updates or workarounds in this regard?

A fantastic use case is for instance running az cli commands within an already authenticated Azure PowerShell session to enable seamless context sharing.

The only workaround I'm thinking about is using Azure REST leveraging Get-AzAccessToken or going the other way around az login > az account get-access-token > Connect-AzAccount using -AccessToken.
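
The second workaround mentioned in the last comment (az login, then az account get-access-token, then Connect-AzAccount with -AccessToken), written out as an added example that is not part of the thread or of either project's code. The helper name Connect-AzFromAzCli, the ten-minute expiry margin, and the expiresOn string format are assumptions.

```powershell
# Added example: reuse an existing `az login` session inside Azure PowerShell.
# Connect-AzFromAzCli is a hypothetical helper name, not a cmdlet shipped by either tool.
function Connect-AzFromAzCli {
    [CmdletBinding()]
    param(
        # Reject tokens that are about to expire: the bridged session cannot refresh them.
        [int]$MinimumMinutesLeft = 10
    )

    if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
        throw 'Azure CLI (az) was not found on PATH.'
    }

    # Keep the token in memory only; do not redirect this output to a file or transcript.
    $raw = az account get-access-token --output json
    if ($LASTEXITCODE -ne 0) {
        throw 'az account get-access-token failed; run az login first.'
    }
    $token = ($raw | Out-String) | ConvertFrom-Json

    # Assumption: expiresOn is a local-time string such as "2024-01-01 12:00:00.000000".
    $expires = [datetime]::Parse($token.expiresOn, [cultureinfo]::InvariantCulture)
    if ($expires -lt (Get-Date).AddMinutes($MinimumMinutesLeft)) {
        throw "CLI token expires at $expires; run az login again to get a fresh one."
    }

    # The signed-in user (or service principal) name is needed as -AccountId.
    $accountId = az account show --query user.name --output tsv
    if ($LASTEXITCODE -ne 0 -or -not $accountId) {
        throw 'Could not read the signed-in account from az account show.'
    }

    # -Scope Process limits the context change to this PowerShell process.
    Connect-AzAccount -AccessToken $token.accessToken -AccountId $accountId `
        -Tenant $token.tenant -Subscription $token.subscription `
        -Scope Process | Out-Null

    # Return only non-secret metadata so the token is not echoed to the console.
    [pscustomobject]@{
        Account      = $accountId
        Tenant       = $token.tenant
        Subscription = $token.subscription
        ExpiresOn    = $expires
    }
}
```

The bridged session holds a single Azure Resource Manager access token, so it stops working when that token expires and does not cover cmdlets that need Microsoft Graph or Key Vault tokens.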