diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
index cd977628510..f77fdf7fba9 100644
--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -220,27 +220,24 @@ def login(self,
         self._set_subscriptions(consolidated)
         return deepcopy(consolidated)
-    def login_with_managed_identity(self, identity_id=None, client_id=None, object_id=None, resource_id=None,
+    def login_with_managed_identity(self, client_id=None, object_id=None, resource_id=None,
                                     allow_no_subscriptions=None):
         if _use_msal_managed_identity(self.cli_ctx):
-            if identity_id:
-                raise CLIError('--username is not supported by MSAL managed identity. '
-                               'Use --client-id, --object-id or --resource-id instead.')
             return self.login_with_managed_identity_msal(
                 client_id=client_id, object_id=object_id, resource_id=resource_id,
                 allow_no_subscriptions=allow_no_subscriptions)
         import jwt
-        from azure.mgmt.core.tools import is_valid_resource_id
         from azure.cli.core.auth.adal_authentication import MSIAuthenticationWrapper
         resource = self.cli_ctx.cloud.endpoints.active_directory_resource_id
-        id_arg_count = len([arg for arg in (client_id, object_id, resource_id, identity_id) if arg])
+        id_arg_count = len([arg for arg in (client_id, object_id, resource_id) if arg])
         if id_arg_count > 1:
-            raise CLIError('Usage error: Provide only one of --client-id, --object-id, --resource-id, or --username.')
+            raise CLIError('Usage error: Provide only one of --client-id, --object-id, --resource-id.')
         if id_arg_count == 0:
             identity_type = MsiAccountTypes.system_assigned
+            identity_id = None
             msi_creds = MSIAuthenticationWrapper(resource=resource)
         elif client_id:
             identity_type = MsiAccountTypes.user_assigned_client_id
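Review bot: Dropping `identity_id` from the `login_with_managed_identity` signature turns any remaining caller that still passes `identity_id=` (an extension or script calling `Profile` directly, which this diff cannot show) from a clear usage error into a bare `TypeError`, while the MSAL branch's explicit `CLIError` guard for exactly that case is removed in the same hunk. If a deprecation window is wanted, keep a keyword `identity_id=None` for one release and fail loudly before either branch: `if identity_id: raise CLIError('identity_id is no longer supported. Use client_id, object_id or resource_id instead.')`. The method also has no docstring; add one stating that at most one of `client_id`, `object_id`, `resource_id` may be set, that none means the system-assigned identity, and that more than one raises `CLIError`. The method body continues past the end of this hunk.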
@@ -254,37 +251,6 @@ def login_with_managed_identity(self, identity_id=None, client_id=None, object_i
             identity_type = MsiAccountTypes.user_assigned_resource_id
             identity_id = resource_id
             msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=resource_id)
-        # The old way of re-using the same --username for 3 types of ID
-        elif identity_id:
-            if is_valid_resource_id(identity_id):
-                msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=identity_id)
-                identity_type = MsiAccountTypes.user_assigned_resource_id
-            else:
-                authenticated = False
-                from azure.cli.core.azclierror import AzureResponseError
-                try:
-                    msi_creds = MSIAuthenticationWrapper(resource=resource, client_id=identity_id)
-                    identity_type = MsiAccountTypes.user_assigned_client_id
-                    authenticated = True
-                except AzureResponseError as ex:
-                    if 'http error: 400, reason: Bad Request' in ex.error_msg:
-                        logger.info('Sniff: not an MSI client id')
-                    else:
-                        raise
-
-                if not authenticated:
-                    try:
-                        identity_type = MsiAccountTypes.user_assigned_object_id
-                        msi_creds = MSIAuthenticationWrapper(resource=resource, object_id=identity_id)
-                        authenticated = True
-                    except AzureResponseError as ex:
-                        if 'http error: 400, reason: Bad Request' in ex.error_msg:
-                            logger.info('Sniff: not an MSI object id')
-                        else:
-                            raise
-
-                if not authenticated:
-                    raise CLIError('Failed to connect to MSI, check your managed service identity id.')
         token_entry = msi_creds.token
         token = token_entry['access_token']
diff --git a/src/azure-cli-core/azure/cli/core/tests/test_profile.py b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
index 710238c35c3..de89171abba 100644
--- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py
+++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
@@ -636,19 +636,6 @@ def test_login_with_mi_user_assigned_client_id(self, create_subscription_client_
         self.assertEqual(s['user']['type'], 'servicePrincipal')
         self.assertEqual(s['user']['assignedIdentityInfo'], 'MSIClient-{}'.format(test_client_id))
-        # Old way of using identity_id
-        subscriptions = profile.login_with_managed_identity(identity_id=test_client_id)
-        self.assertEqual(len(subscriptions), 1)
-        s = subscriptions[0]
-        self.assertEqual(s['name'], self.display_name1)
-        self.assertEqual(s['id'], self.id1.split('/')[-1])
-        self.assertEqual(s['tenantId'], self.test_mi_tenant)
-        self.assertEqual(s['user']['name'], 'userAssignedIdentity')
-        self.assertEqual(s['user']['type'], 'servicePrincipal')
-        self.assertEqual(s['user']['assignedIdentityInfo'], 'MSIClient-{}'.format(test_client_id))
-
     @mock.patch('azure.cli.core.auth.adal_authentication.MSIAuthenticationWrapper', autospec=True)
     @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
     def test_login_with_mi_user_assigned_object_id(self, create_subscription_client_mock,
@@ -689,14 +676,6 @@ def set_token(self):
         self.assertEqual(s['user']['type'], 'servicePrincipal')
         self.assertEqual(s['user']['assignedIdentityInfo'], 'MSIObject-{}'.format(test_object_id))
-        # Old way of using identity_id
-        subscriptions = profile.login_with_managed_identity(identity_id=test_object_id)
-        s = subscriptions[0]
-        self.assertEqual(s['user']['name'], 'userAssignedIdentity')
-        self.assertEqual(s['user']['type'], 'servicePrincipal')
-        self.assertEqual(s['user']['assignedIdentityInfo'], 'MSIObject-{}'.format(test_object_id))
-
     @mock.patch('requests.get', autospec=True)
     @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
     def test_login_with_mi_user_assigned_resource_id(self, create_subscription_client_mock,
@@ -730,14 +709,6 @@ def test_login_with_mi_user_assigned_resource_id(self, create_subscription_clien
         self.assertEqual(s['user']['type'], 'servicePrincipal')
         self.assertEqual(subscriptions[0]['user']['assignedIdentityInfo'], 'MSIResource-{}'.format(test_res_id))
-        # Old way of using identity_id
-        subscriptions = profile.login_with_managed_identity(identity_id=test_res_id)
-        s = subscriptions[0]
-        self.assertEqual(s['user']['name'], 'userAssignedIdentity')
-        self.assertEqual(s['user']['type'], 'servicePrincipal')
-        self.assertEqual(subscriptions[0]['user']['assignedIdentityInfo'], 'MSIResource-{}'.format(test_res_id))
-
     @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
     @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
     @mock.patch.dict('os.environ', {'AZURE_CORE_USE_MSAL_MANAGED_IDENTITY': 'true'})
diff --git a/src/azure-cli/azure/cli/command_modules/profile/__init__.py b/src/azure-cli/azure/cli/command_modules/profile/__init__.py
index abbf17ac342..0ffabbf3515 100644
--- a/src/azure-cli/azure/cli/command_modules/profile/__init__.py
+++ b/src/azure-cli/azure/cli/command_modules/profile/__init__.py
@@ -45,7 +45,7 @@ def load_arguments(self, command):
         with self.argument_context('login') as c:
             c.argument('username', options_list=['--username', '-u'],
-                       help='User name, service principal client ID, or managed identity ID.')
+                       help='User name or service principal client ID.')
             c.argument('password', options_list=['--password', '-p'],
                        help='User password or service principal secret. Will prompt if not given.')
             c.argument('tenant', options_list=['--tenant', '-t'], validator=validate_tenant,
diff --git a/src/azure-cli/azure/cli/command_modules/profile/custom.py b/src/azure-cli/azure/cli/command_modules/profile/custom.py
index 4b8382188c5..de9b86f4855 100644
--- a/src/azure-cli/azure/cli/command_modules/profile/custom.py
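Review bot: The new `--username` help text in `load_arguments` only says what the flag no longer does; users who previously passed a managed identity ID here get no pointer to the replacement flags, so the help should name them, e.g. `help='User name or service principal client ID. For managed identity, use --client-id, --object-id or --resource-id instead.'`. This is the only place in the diff where a user reading `az login --help` would learn that the old usage was removed. `load_arguments` continues outside this hunk.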
+++ b/src/azure-cli/azure/cli/command_modules/profile/custom.py
@@ -147,7 +147,7 @@ def login(cmd, username=None, password=None, tenant=None, scopes=None, allow_no_
         from azure.cli.core.breaking_change import print_conditional_breaking_change
         print_conditional_breaking_change(cmd.cli_ctx, tag='ManagedIdentityUsernameBreakingChange')
         return profile.login_with_managed_identity(
-            identity_id=username, client_id=client_id, object_id=object_id, resource_id=resource_id,
+            client_id=client_id, object_id=object_id, resource_id=resource_id,
             allow_no_subscriptions=allow_no_subscriptions)
     if in_cloud_console():  # tell users they might not need login
         logger.warning(_CLOUD_CONSOLE_LOGIN_WARNING)
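Review bot: After this change a value given in `--username` together with the managed-identity flag is silently discarded: `login` no longer forwards `username` to `login_with_managed_identity`, and when `--client-id`, `--object-id` and `--resource-id` are all absent that call falls through to the system-assigned identity, so a script that ran `--username <user-assigned id>` now authenticates as a different principal with different permissions instead of failing. `print_conditional_breaking_change` on the line above looks like a warning rather than a hard stop (its behaviour is not visible here), and a warning is easy to miss in automation. Reject the stale usage explicitly before the call: `if username: raise CLIError('--username is not supported with managed identity. Use --client-id, --object-id or --resource-id instead.')`. The `login` function starts before and continues after this hunk.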