Azure / login

Connect to Azure
MIT License

How to use federated credentials outside CLI and Powershell #472

Open lordozb opened 1 month ago

lordozb commented 1 month ago

We maintain a GitHub action for Synapse. So far we've been using the SPN secret to generate the bearer token from AAD using the REST API. The ask is to support federated credentials. Based on the documentation, it is recommended to use the AzLogin GitHub action. However, how can this be used with a REST API? Our action uses the REST API to deploy artifacts to Synapse instead of using PowerShell or the CLI.

How can we use federated identity + the AzLogin action to generate tokens which can be used in the REST API for AuthN and AuthZ?

MoChilia commented 1 month ago

Hi @lordozb, you can follow this guide to use azure/login with federated credentials. After logging into Azure with azure/login, you can run azure-cli commands with the azure/cli action to manage and operate Synapse Workspace with az synapse. If this doesn't meet your request, you can use the Azure REST API with Azure CLI via az rest. For just getting an access token by using Azure CLI or Azure PowerShell, use az account get-access-token with azure/cli or Get-AzAccessToken with azure/powershell.

lordozb commented 1 month ago

Thanks for your response, @MoChilia. The GitHub action that we maintain is written in TypeScript. Invoking multiple CLI calls within it to retrieve the token may cause a hit to the performance as that would cause it to start a new process and retrieve it. This is how we currently retrieve the token - https://github.com/Azure/Synapse-workspace-deployment/blob/b566de16bc88c95c22e9995287bdf8bfc81fdc4e/build_and_deploy/utils/service_principal_client_utils.ts#L14

We make a REST API call to AAD to get the token. Is there something similar that AzLogin internally does to get the token?

MoChilia commented 1 month ago

@lordozb, you can call AzureCliCredential().getToken() in your code to retrieve the token for the currently logged-in Azure CLI account.
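
For the question in this thread about getting a token for REST calls without a stored secret, here is an added example (not code from azure/login, the Synapse action, or any commenter) of the workload identity federation exchange done directly over HTTP: request GitHub's OIDC JWT, then present it as a `client_assertion` to the Microsoft identity platform token endpoint. The names `FederatedConfig`, `buildExchangeRequest` and `getAccessToken` are hypothetical, the Synapse scope is an assumption, and it assumes the workflow grants `permissions: id-token: write` and the app registration has a federated credential for the repository.

```typescript
// Added example. FetchLike is a minimal stand-in for the global fetch in Node 18+,
// injected so the flow can be exercised offline with a mock.
type FetchLike = (url: string, init: { method: string; headers: Record<string, string>; body?: string }) =>
  Promise<{ ok: boolean; status: number; json(): Promise<any> }>;

interface FederatedConfig {
  tenantId: string;
  clientId: string;
  scope: string;            // assumed for Synapse: "https://dev.azuresynapse.net/.default"
  oidcRequestUrl: string;   // env ACTIONS_ID_TOKEN_REQUEST_URL
  oidcRequestToken: string; // env ACTIONS_ID_TOKEN_REQUEST_TOKEN
}

const AUDIENCE = "api://AzureADTokenExchange"; // default audience of an Entra federated credential

// Build the client-credentials request that carries a JWT assertion instead of a secret.
function buildExchangeRequest(cfg: FederatedConfig, assertion: string) {
  const fields: Record<string, string> = {
    grant_type: "client_credentials",
    client_id: cfg.clientId,
    scope: cfg.scope,
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: assertion,
  };
  const body = Object.keys(fields)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(fields[k])}`).join("&");
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(cfg.tenantId)}/oauth2/v2.0/token`,
    init: { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" }, body },
  };
}

async function getAccessToken(cfg: FederatedConfig, fetchImpl: FetchLike): Promise<string> {
  // Step 1: ask GitHub's OIDC endpoint for a short-lived JWT for this workflow run.
  const idRes = await fetchImpl(`${cfg.oidcRequestUrl}&audience=${encodeURIComponent(AUDIENCE)}`,
    { method: "GET", headers: { Authorization: `Bearer ${cfg.oidcRequestToken}` } });
  const idBody = await idRes.json();
  if (!idRes.ok || typeof idBody.value !== "string") throw new Error(`GitHub OIDC request failed: HTTP ${idRes.status}`);

  // Step 2: exchange it at the Microsoft identity platform token endpoint.
  const req = buildExchangeRequest(cfg, idBody.value);
  const res = await fetchImpl(req.url, req.init);
  const body = await res.json();
  if (!res.ok || typeof body.access_token !== "string") {
    // Report only the error code; never log the assertion or the token.
    throw new Error(`Token exchange failed: HTTP ${res.status} ${body.error ?? ""}`);
  }
  return body.access_token;
}
```

Inside an action, pass the global `fetch` as `fetchImpl` and fill `oidcRequestUrl` and `oidcRequestToken` from the two environment variables named in the comments; the returned string goes in the `Authorization: Bearer` header of the REST call.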