docker-archive / cloud-integration-beta

Docker CLI with ACI integration (beta)
https://www.docker.com

Support for Azure account with multiple tenants #8

Status: Closed (josephpage closed this issue 4 years ago)

josephpage commented 4 years ago

Context

My Azure account has 2 tenants:

$ docker version
Client: Docker Engine - Community
 Azure integration  0.1.4
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:41:33 2020
 OS/Arch:           darwin/amd64
 Experimental:      true

Issue

The docker context create aci command seems to use only the first one, and I have not found an option to change it:

$ docker context create aci azure
no subscriptions found

Proposition

When using az account list, there is a homeTenantId property; this is what I want to be able to configure:

$ docker login azure --tenant-id <tenant-id>
# or
docker context create aci azure --tenant-id <tenant-id>

Alternative proposition

The docker client should iterate over all of the account's tenants when searching for subscriptions, as the az client does.

karolz-ms commented 4 years ago

If a subscription is passed using the --subscription-id parameter, will the AAD tenant associated with this subscription be automatically picked up?

amd989 commented 4 years ago

@karolz-ms I tried passing the --subscription-id parameter and got this (formatted for clarity):

PS C:\> docker context create aci test --subscription-id xxxxxx-xxxxxx-xxxxxxx-xxxxxx
resources.GroupsClient#List: Failure responding to request: 
StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 
Code="InvalidAuthenticationTokenTenant" 
Message="The access token is from the wrong issuer 'https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx/'. It must match one of the tenants 'https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx1/,https://sts.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx2/' associated with this subscription. 
Please use any authority (URL) from 'https://login.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx1,https://login.windows.net/xxxxxx-xxxxxx-xxxxxxx-xxxxxx2' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
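
An added example (not code from this issue or from the docker cloud-integration project) showing the check behind the 401 above: a token issued by one tenant is rejected for a subscription that belongs to another, and the fix is to log in against the subscription's own tenant. It assumes a constructed az account list output with placeholder GUIDs and that the issuer URL from the error is available as a string.

```python
import json
from urllib.parse import urlparse

# Constructed sample of `az account list` output: two tenants, one subscription
# each. GUIDs are placeholders, not real identifiers.
AZ_ACCOUNT_LIST = json.dumps([
    {"id": "11111111-1111-1111-1111-111111111111", "name": "Sub A",
     "tenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
     "homeTenantId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
    {"id": "22222222-2222-2222-2222-222222222222", "name": "Sub B",
     "tenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
     "homeTenantId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
])


def subscriptions_by_tenant(az_json):
    """Group subscription ids by issuing tenant (the 'alternative
    proposition' above: look in every tenant, not only the first)."""
    out = {}
    for acct in json.loads(az_json):
        out.setdefault(acct["tenantId"], []).append(acct["id"])
    return out


def tenant_for_subscription(az_json, subscription_id):
    """Return the tenantId whose tokens are accepted for subscription_id, or None."""
    for acct in json.loads(az_json):
        if acct["id"] == subscription_id:
            return acct["tenantId"]
    return None


def issuer_tenant(issuer_url):
    """Extract the tenant GUID from an STS issuer URL of the form
    https://sts.windows.net/<tenant>/ (the form quoted in the 401 above)."""
    return urlparse(issuer_url).path.strip("/").split("/")[0]


def diagnose(az_json, subscription_id, token_issuer):
    """Explain an InvalidAuthenticationTokenTenant 401: does the token's
    issuing tenant match the subscription's tenant? When it does not,
    return the login command that targets the right tenant."""
    wanted = tenant_for_subscription(az_json, subscription_id)
    if wanted is None:
        return "subscription not visible in any tenant; check az account list"
    got = issuer_tenant(token_issuer)
    if got == wanted:
        return "token tenant matches; 401 has another cause"
    return "docker login azure --tenant-id " + wanted
```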

karolz-ms commented 4 years ago

@amd989 are you able to work around this problem by using --tenant-id flag for docker login azure? This flag is supported in Edge 2.3.3.2 build 46784 or later.

gtardif commented 4 years ago

I'll close this one, as you should be able to specify docker login azure --tenant-id xxx. Please reopen if this still does not work.

josephpage commented 4 years ago

It works. Thanks!