def show_subscription(subscription=None, show_auth_for_sdk=None):
import json
profile = Profile()
if not show_auth_for_sdk:
return profile.get_subscription(subscription)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
def show_subscription(cmd, subscription=None, show_auth_for_sdk=None):
import json
profile = Profile(cli_ctx=cmd.cli_ctx)
if not show_auth_for_sdk:
return profile.get_subscription(subscription)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
def show_subscription(cmd, subscription=None, show_auth_for_sdk=None):
import json
profile = Profile(cli_ctx=cmd.cli_ctx)
if show_auth_for_sdk:
from azure.cli.command_modules.role.custom import CREDENTIAL_WARNING
logger.warning(CREDENTIAL_WARNING)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(profile.get_sp_auth_info(subscription), indent=2))
return
return profile.get_subscription(subscription)
def test_get_auth_info_for_logged_in_service_principal(
self, mock_auth_context):
mock_auth_context.acquire_token_with_client_credentials.return_value = self.token_entry1
mock_arm_client = mock.MagicMock()
mock_arm_client.subscriptions.list.return_value = [self.subscription1]
finder = SubscriptionFinder(lambda _, _2: mock_auth_context, None,
lambda _: mock_arm_client)
storage_mock = {'subscriptions': []}
profile = Profile(storage_mock, use_global_creds_cache=False)
profile._management_resource_uri = 'https://management.core.windows.net/'
profile.find_subscriptions_on_login(False, '1234', 'my-secret', True,
self.tenant_id, False, finder)
# action
extended_info = profile.get_sp_auth_info()
# assert
self.assertEqual(
self.id1.split('/')[-1], extended_info['subscriptionId'])
self.assertEqual('1234', extended_info['clientId'])
self.assertEqual('my-secret', extended_info['clientSecret'])
self.assertEqual('https://login.microsoftonline.com',
extended_info['activeDirectoryEndpointUrl'])
self.assertEqual('https://management.azure.com/',
extended_info['resourceManagerEndpointUrl'])
def create_service_principal_for_rbac(
# pylint:disable=too-many-statements,too-many-locals, too-many-branches
cmd,
name=None,
password=None,
years=None,
create_cert=False,
cert=None,
scopes=None,
role='Contributor',
show_auth_for_sdk=None,
skip_assignment=False,
keyvault=None):
import time
import pytz
graph_client = _graph_client_factory(cmd.cli_ctx)
role_client = _auth_client_factory(cmd.cli_ctx).role_assignments
scopes = scopes or ['/subscriptions/' + role_client.config.subscription_id]
years = years or 1
sp_oid = None
_RETRY_TIMES = 36
app_display_name = None
if name and '://' not in name:
app_display_name = name
name = "http://" + name # normalize be a valid graph service principal name
if name:
query_exp = 'servicePrincipalNames/any(x:x eq \'{}\')'.format(name)
aad_sps = list(graph_client.service_principals.list(filter=query_exp))
if aad_sps:
raise CLIError("'{}' already exists.".format(name))
app_start_date = datetime.datetime.now(pytz.utc)
app_end_date = app_start_date + relativedelta(years=years or 1)
app_display_name = app_display_name or (
'azure-cli-' + app_start_date.strftime('%Y-%m-%d-%H-%M-%S'))
if name is None:
name = 'http://' + app_display_name # just a valid uri, no need to exist
password, public_cert_string, cert_file, cert_start_date, cert_end_date = \
_process_service_principal_creds(cmd.cli_ctx, years, app_start_date, app_end_date, cert, create_cert,
password, keyvault)
app_start_date, app_end_date, cert_start_date, cert_end_date = \
_validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date)
aad_application = create_application(graph_client.applications,
display_name=app_display_name,
homepage='http://' + app_display_name,
identifier_uris=[name],
available_to_other_tenants=False,
password=password,
key_value=public_cert_string,
start_date=app_start_date,
end_date=app_end_date)
# pylint: disable=no-member
app_id = aad_application.app_id
# retry till server replication is done
for l in range(0, _RETRY_TIMES):
try:
aad_sp = _create_service_principal(cmd.cli_ctx,
app_id,
resolve_app=False)
break
except Exception as ex: # pylint: disable=broad-except
if l < _RETRY_TIMES and (' does not reference ' in str(ex)
or ' does not exist ' in str(ex)):
time.sleep(5)
logger.warning('Retrying service principal creation: %s/%s',
l + 1, _RETRY_TIMES)
else:
logger.warning(
"Creating service principal failed for appid '%s'. Trace followed:\n%s",
name,
ex.response.headers if hasattr(ex, 'response') else ex) # pylint: disable=no-member
raise
sp_oid = aad_sp.object_id
# retry while server replication is done
if not skip_assignment:
for scope in scopes:
for l in range(0, _RETRY_TIMES):
try:
_create_role_assignment(cmd.cli_ctx,
role,
sp_oid,
None,
scope,
resolve_assignee=False)
break
except Exception as ex:
if l < _RETRY_TIMES and ' does not exist in the directory ' in str(
ex):
time.sleep(5)
logger.warning(
'Retrying role assignment creation: %s/%s', l + 1,
_RETRY_TIMES)
continue
else:
# dump out history for diagnoses
logger.warning('Role assignment creation failed.\n')
if getattr(ex, 'response', None) is not None:
logger.warning(
'role assignment response headers: %s\n',
ex.response.headers) # pylint: disable=no-member
raise
if show_auth_for_sdk:
import json
from azure.cli.core._profile import Profile
profile = Profile(cli_ctx=cmd.cli_ctx)
result = profile.get_sp_auth_info(
scopes[0].split('/')[2] if scopes else None, app_id, password,
cert_file)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(result, indent=2))
return
result = {
'appId': app_id,
'password': password,
'name': name,
'displayName': app_display_name,
'tenant': graph_client.config.tenant_id
}
if cert_file:
logger.warning(
"Please copy %s to a safe place. When run 'az login' provide the file path to the --password argument",
cert_file)
result['fileWithCertAndPrivateKey'] = cert_file
return result
def create_service_principal_for_rbac( # pylint:disable=too-many-statements,too-many-locals, too-many-branches, unused-argument, inconsistent-return-statements
cmd, name=None, years=None, create_cert=False, cert=None, scopes=None, role=None,
show_auth_for_sdk=None, skip_assignment=False, keyvault=None):
from azure.cli.command_modules.role.custom import (_graph_client_factory, TZ_UTC, _process_service_principal_creds,
_validate_app_dates, create_application,
_create_service_principal, _create_role_assignment,
_error_caused_by_role_assignment_exists)
if role and not scopes or not role and scopes:
raise ArgumentUsageError("Usage error: To create role assignments, specify both --role and --scopes.")
graph_client = _graph_client_factory(cmd.cli_ctx)
years = years or 1
_RETRY_TIMES = 36
existing_sps = None
if not name:
# No name is provided, create a new one
app_display_name = 'azure-cli-' + datetime.utcnow().strftime('%Y-%m-%d-%H-%M-%S')
else:
app_display_name = name
# patch existing app with the same displayName to make the command idempotent
query_exp = "displayName eq '{}'".format(name)
existing_sps = list(graph_client.service_principals.list(filter=query_exp))
app_start_date = datetime.now(TZ_UTC)
app_end_date = app_start_date + relativedelta(years=years or 1)
password, public_cert_string, cert_file, cert_start_date, cert_end_date = \
_process_service_principal_creds(cmd.cli_ctx, years, app_start_date, app_end_date, cert, create_cert,
None, keyvault)
app_start_date, app_end_date, cert_start_date, cert_end_date = \
_validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date)
aad_application = create_application(cmd,
display_name=app_display_name,
available_to_other_tenants=False,
password=password,
key_value=public_cert_string,
start_date=app_start_date,
end_date=app_end_date,
credential_description='rbac')
# pylint: disable=no-member
app_id = aad_application.app_id
# retry till server replication is done
aad_sp = existing_sps[0] if existing_sps else None
if not aad_sp:
for retry_time in range(0, _RETRY_TIMES):
try:
aad_sp = _create_service_principal(cmd.cli_ctx, app_id, resolve_app=False)
break
except Exception as ex: # pylint: disable=broad-except
err_msg = str(ex)
if retry_time < _RETRY_TIMES and (
' does not reference ' in err_msg or
' does not exist ' in err_msg or
'service principal being created must in the local tenant' in err_msg):
logger.warning("Creating service principal failed with error '%s'. Retrying: %s/%s",
err_msg, retry_time + 1, _RETRY_TIMES)
time.sleep(5)
else:
logger.warning(
"Creating service principal failed for '%s'. Trace followed:\n%s",
app_id, ex.response.headers
if hasattr(ex, 'response') else ex) # pylint: disable=no-member
raise
sp_oid = aad_sp.object_id
if role:
for scope in scopes:
# logger.warning("Creating '%s' role assignment under scope '%s'", role, scope)
# retry till server replication is done
for retry_time in range(0, _RETRY_TIMES):
try:
_create_role_assignment(cmd.cli_ctx, role, sp_oid, None, scope, resolve_assignee=False,
assignee_principal_type='ServicePrincipal')
break
except Exception as ex:
if retry_time < _RETRY_TIMES and ' does not exist in the directory ' in str(ex):
time.sleep(5)
logger.warning(' Retrying role assignment creation: %s/%s', retry_time + 1,
_RETRY_TIMES)
continue
if _error_caused_by_role_assignment_exists(ex):
logger.warning(' Role assignment already exists.\n')
break
# dump out history for diagnoses
logger.warning(' Role assignment creation failed.\n')
if getattr(ex, 'response', None) is not None:
logger.warning(' role assignment response headers: %s\n',
ex.response.headers) # pylint: disable=no-member
raise
if show_auth_for_sdk:
from azure.cli.core._profile import Profile
profile = Profile(cli_ctx=cmd.cli_ctx)
result = profile.get_sp_auth_info(scopes[0].split('/')[2] if scopes else None,
app_id, password, cert_file)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(result, indent=2))
return
result = {
'appId': app_id,
'password': password,
'displayName': app_display_name,
'tenant': graph_client.config.tenant_id
}
if cert_file:
logger.warning(
"Please copy %s to a safe place. When you run 'az login', provide the file path in the --password argument",
cert_file)
result['fileWithCertAndPrivateKey'] = cert_file
return result
def create_service_principal_for_rbac(
# pylint:disable=too-many-statements,too-many-locals, too-many-branches
name=None, password=None, years=None,
create_cert=False, cert=None,
scopes=None, role='Contributor',
show_auth_for_sdk=None, skip_assignment=False, keyvault=None):
import time
import pytz
graph_client = _graph_client_factory()
role_client = _auth_client_factory().role_assignments
scopes = scopes or ['/subscriptions/' + role_client.config.subscription_id]
years = years or 1
sp_oid = None
_RETRY_TIMES = 36
app_display_name = None
if name and '://' not in name:
app_display_name = name
name = "http://" + name # normalize be a valid graph service principal name
if name:
query_exp = 'servicePrincipalNames/any(x:x eq \'{}\')'.format(name)
aad_sps = list(graph_client.service_principals.list(filter=query_exp))
if aad_sps:
raise CLIError("'{}' already exists.".format(name))
app_start_date = datetime.datetime.now(pytz.utc)
app_end_date = app_start_date + relativedelta(years=years or 1)
app_display_name = app_display_name or ('azure-cli-' +
app_start_date.strftime('%Y-%m-%d-%H-%M-%S'))
if name is None:
name = 'http://' + app_display_name # just a valid uri, no need to exist
password, public_cert_string, cert_file, cert_start_date, cert_end_date = \
_process_service_principal_creds(years, app_start_date, app_end_date, cert, create_cert,
password, keyvault)
app_start_date, app_end_date, cert_start_date, cert_end_date = \
_validate_app_dates(app_start_date, app_end_date, cert_start_date, cert_end_date)
aad_application = create_application(graph_client.applications,
display_name=app_display_name,
homepage='http://' + app_display_name,
identifier_uris=[name],
available_to_other_tenants=False,
password=password,
key_value=public_cert_string,
start_date=app_start_date,
end_date=app_end_date)
# pylint: disable=no-member
app_id = aad_application.app_id
# retry till server replication is done
for l in range(0, _RETRY_TIMES):
try:
aad_sp = _create_service_principal(app_id, resolve_app=False)
break
except Exception as ex: # pylint: disable=broad-except
if l < _RETRY_TIMES and (
' does not reference ' in str(ex) or ' does not exist ' in str(ex)):
time.sleep(5)
logger.warning('Retrying service principal creation: %s/%s', l + 1, _RETRY_TIMES)
else:
logger.warning(
"Creating service principal failed for appid '%s'. Trace followed:\n%s",
name, ex.response.headers if hasattr(ex,
'response') else ex) # pylint: disable=no-member
raise
sp_oid = aad_sp.object_id
# retry while server replication is done
if not skip_assignment:
for scope in scopes:
for l in range(0, _RETRY_TIMES):
try:
_create_role_assignment(role, sp_oid, None, scope, resolve_assignee=False)
break
except Exception as ex:
if l < _RETRY_TIMES and ' does not exist in the directory ' in str(ex):
time.sleep(5)
logger.warning('Retrying role assignment creation: %s/%s', l + 1,
_RETRY_TIMES)
continue
else:
# dump out history for diagnoses
logger.warning('Role assignment creation failed.\n')
if getattr(ex, 'response', None) is not None:
logger.warning('role assignment response headers: %s\n',
ex.response.headers) # pylint: disable=no-member
raise
if show_auth_for_sdk:
import json
from azure.cli.core._profile import Profile
profile = Profile()
result = profile.get_sp_auth_info(scopes[0].split('/')[2] if scopes else None,
app_id, password, cert_file)
# sdk-auth file should be in json format all the time, hence the print
print(json.dumps(result, indent=2))
return
result = {
'appId': app_id,
'password': password,
'name': name,
'displayName': app_display_name,
'tenant': graph_client.config.tenant_id
}
if cert_file:
logger.warning(
"Please copy %s to a safe place. When run 'az login' provide the file path to the --password argument",
cert_file)
result['fileWithCertAndPrivateKey'] = cert_file
return result
