Open jamesaepp opened 1 month ago
Thank you for opening this issue, we will look into it.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @acsdevx-msft.
Can Microsoft give any updates on this issue or any approximation of timeline/next steps?
Wondering if anyone from MS has reviewed the details of this issue?
Is anyone from MS going to look at this issue? The lack of reaction to this makes me seriously reconsider using and recommending ACS for Email if first-party applications don't get attention.
Describe the bug
See the context for all my details, but essentially the operation of the az communication email send command is incredibly inconsistent with MS documentation and is misleading to administrators on how to authenticate to the service when using azcli.
Related command
az communication email send
Errors
Issue script & Debug output
Expected behavior
See context.
Environment Summary
I don't have this information on me at present, sorry.
Additional context
This is driving me crazy and I think this is either a bug or it's working as intended and the MS documentation for the service is incredibly misleading, or no one has tested this properly.
I am wanting to use an Azure service principal to send mail with the az cli.
This documentation under the 'Azure CLI' pivot suggests you need to sign in to the Azure CLI.
I know this isn't correct because a connection string with the access key does work without needing to log in to az cli. Even still, this is something that I want to do to send emails.
Further though, I do not understand for the LIFE OF ME why the connection string is required with an accesskey. It's antithetical to the principle of least privileged access.
My service principal doesn't need to make voice calls. Or send SMS. Or do teams messaging. It needs to send email. That's it. I don't want to give the service principal the access key to the entire Azure Communication Services resource.
What I really really really want to encourage the MS developers to do is drop the requirement for the accesskey in the connection string. Sure, you need a connection string to understand what endpoint to work with, but you don't always need the access key.
I also find it confusing under this documentation how the connection string isn't considered a required parameter. Technically speaking it isn't as there's an environment variable, but this is documentation intended to be read by humans. Educating the human audience on "hey you at least need this parameter OR an envvar" is exactly what should show up under the Required Parameters section.