Azure / azure-cli

Azure Command-Line Interface
MIT License

Deprecate `--sdk-auth` of `az ad sp create-for-rbac` #22297

Open jiasli opened 2 years ago

jiasli commented 2 years ago

Related command

az ad sp create-for-rbac

Is your feature request related to a problem? Please describe.

The originally designed consumers of the `az ad sp create-for-rbac --sdk-auth` JSON output, the Azure SDKs (Java, Python, etc.), have deprecated the usage of `get_client_from_json_dict` (https://github.com/Azure/azure-sdk-for-python/issues/15075). Azure CLI should deprecate `--sdk-auth` as well.

However, we can't immediately take --sdk-auth away because GitHub Action heavily relies on --sdk-auth, even though GitHub Action is not a designed consumer of --sdk-auth (Azure/github#152).

The output of az ad sp create-for-rbac without or with --sdk-auth varies a lot.

Without --sdk-auth:

```
> az ad sp create-for-rbac
{
  "appId": "21ec2946-231c-480f-86c7-824b215326a4",
  "displayName": "azure-cli-2022-02-07-07-07-00",
  "password": "{redacted_password}",
  "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
}
```

With --sdk-auth:

```
> az ad sp create-for-rbac --sdk-auth
{
  "clientId": "21ec2946-231c-480f-86c7-824b215326a4",
  "clientSecret": "{redacted_password}",
  "subscriptionId": "...",
  "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}
```

The root cause leading to this confusion is due to the name inconsistency between Azure AD and Azure SDKs (https://github.com/Azure/azure-cli/pull/19872#issuecomment-1031153690):

| Azure AD names | Azure SDK names |
| --- | --- |
| appId | clientId |
| password | clientSecret |
| tenant/directory | tenantId |

Describe the solution you'd like

We should either

Additional context
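
The field-name mapping and the two output shapes above, as an added example that is not part of the original issue or of the Azure CLI code base: a Python helper that detects which shape a credential JSON has, converts the default output to the `--sdk-auth` shape, and masks the secret before logging. The function names and the caller-supplied `subscription_id` are assumptions; the endpoint values are copied from the sample output above and apply to the public Azure cloud.

```python
import json

# Azure AD name -> Azure SDK name, from the table in the issue.
AD_TO_SDK = {"appId": "clientId", "password": "clientSecret", "tenant": "tenantId"}

# Endpoint fields copied from the issue's --sdk-auth sample (public Azure cloud).
PUBLIC_CLOUD_ENDPOINTS = {
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/",
}

def detect_format(cred):
    """Classify a credential dict as 'default' or 'sdk-auth' output."""
    has_ad = cred.keys() >= set(AD_TO_SDK)
    has_sdk = cred.keys() >= set(AD_TO_SDK.values())
    if has_ad == has_sdk:  # neither scheme complete, or both schemes mixed
        raise ValueError("not a recognisable create-for-rbac credential")
    return "default" if has_ad else "sdk-auth"

def to_sdk_auth(cred, subscription_id):
    """Build the --sdk-auth shaped dict from either output format."""
    if detect_format(cred) == "sdk-auth":
        return dict(cred)
    out = {sdk: cred[ad] for ad, sdk in AD_TO_SDK.items()}
    out["subscriptionId"] = subscription_id  # absent from the default output
    out.update(PUBLIC_CLOUD_ENDPOINTS)
    return out  # displayName has no SDK counterpart and is dropped

def redact(cred):
    """Copy of cred that is safe to log: secret fields are masked."""
    return {k: "***" if k in ("password", "clientSecret") else v
            for k, v in cred.items()}

if __name__ == "__main__":
    # Constructed sample reusing the identifiers shown in the issue.
    sample = json.loads("""{
      "appId": "21ec2946-231c-480f-86c7-824b215326a4",
      "displayName": "azure-cli-2022-02-07-07-07-00",
      "password": "{redacted_password}",
      "tenant": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a"
    }""")
    # Placeholder subscription id, not a real value.
    sdk = to_sdk_auth(sample, "00000000-0000-0000-0000-000000000000")
    print(json.dumps(redact(sdk), indent=2))
```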

yonzhan commented 2 years ago

Deprecate --sdk-auth

divyabhushan commented 1 year ago

@jiasli Following up on this thread. Can you confirm whether --sdk-auth was deprecated or not? The official docs for az ad sp still list the flag without any deprecation notice.

mildronize commented 12 months ago

I've seen that the latest Azure CLI doc provides a new option, --json-auth, which will be a different format than --sdk-auth.

From my understanding, they will discontinue --sdk-auth in the future.

dgolja commented 1 month ago

Also crossplane upbound.io Azure provider configuration still relies on --sdk-auth - see