Azure / azure-cli

Azure Command-Line Interface
MIT License

Support specifying a cert thumbprint on Windows #29324

Open VladimirKhvostov opened 2 weeks ago

VladimirKhvostov commented 2 weeks ago

Hello, I wanted to switch from Azure PowerShell to Az CLI, because packer supports use_azure_cli_auth. Tested locally - things look great. I started to update a release pipeline and ran into an issue:

az login --service-principal requires a pem file on Windows. My expectation was that I would be able to pass a certificate thumbprint on Windows, similar to https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-12.0.0#example-7-connect-using-certificates

Unfortunately, the following example is not very useful: https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file

Are there plans to support specifying a cert thumbprint on Windows? Thanks, --Vladimir

yonzhan commented 2 weeks ago

Thank you for opening this issue, we will look into it.

jiasli commented 2 weeks ago

Unfortunately, the following example is not very useful: https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file

Could you explain why this example is not helpful?

Supporting PFX certificate in az login is tracked by https://github.com/Azure/azure-cli/issues/20465.

VladimirKhvostov commented 2 days ago

@jiasli, it is great that we have #20465 to track the issue. Supporting PFX certs would be helpful for Windows users, but ideally az cli should support certificate thumbprints. Certificates in the Windows certificate store can be non-exportable, which would block creating a pfx.

#20465 was created almost 3 years ago.

https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file is not helpful for Windows users. Consider the following scenario: A customer needs to use a certificate from the Windows certificate store in the az login command.

Thanks, --Vladimir

jiasli commented 1 day ago

Supporting reading a certificate from the Windows certificate store depends on MSAL's implementation: https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/685.

However, this would require calling the Win32 API. For Python, this may not be as easy as reading from a PEM/PFX file. The Azure PowerShell cmdlet Connect-AzAccount is based on .NET, so it has better integration with Windows than Python.
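
For pipelines that still have to hand az login a PEM file, the following added example (not from this thread or the azure-cli code base) checks that a PEM bundle contains the certificate an operator knows by its Windows thumbprint, which is the SHA-1 digest of the DER-encoded certificate. The function names and the sample bytes are constructed for illustration; the sample is not a real X.509 certificate.

```python
import base64
import hashlib
import re

# One PEM block: BEGIN/END lines with the same label around a base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block found in text."""
    for label, body in PEM_BLOCK.findall(text):
        yield label, base64.b64decode("".join(body.split()))


def cert_thumbprints(pem_text):
    """Uppercase hex SHA-1 thumbprint of each CERTIFICATE block.

    Key blocks in the same file are skipped and never hashed.
    """
    return [
        hashlib.sha1(der).hexdigest().upper()
        for label, der in pem_blocks(pem_text)
        if label == "CERTIFICATE"
    ]


def normalize_thumbprint(value):
    """Drop spaces, colons and any other non-hex characters that tend to
    come along when a thumbprint is copied out of a certificate dialog."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def pem_matches_thumbprint(pem_text, thumbprint):
    """True if the PEM bundle holds a certificate with this thumbprint."""
    return normalize_thumbprint(thumbprint) in cert_thumbprints(pem_text)


def _pem(label, der):
    """Wrap raw bytes in PEM armor (used only to build the sample below)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed sample input: placeholder bytes, not a real key or certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = _pem("PRIVATE KEY", b"constructed placeholder key bytes") + _pem(
    "CERTIFICATE", SAMPLE_CERT_DER
)
```
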