def _get_mgmt_service_client(cli_ctx,
client_type,
subscription_bound=True,
subscription_id=None,
api_version=None,
base_url_bound=True,
resource=None,
sdk_profile=None,
aux_subscriptions=None,
aux_tenants=None,
**kwargs):
from azure.cli.core._profile import Profile
from azure.cli.core.util import resource_to_scopes
logger.debug('Getting management service client client_type=%s',
client_type.__name__)
resource = resource or cli_ctx.cloud.endpoints.active_directory_resource_id
profile = Profile(cli_ctx=cli_ctx)
cred, subscription_id, _ = profile.get_login_credentials(
subscription_id=subscription_id,
resource=resource,
aux_subscriptions=aux_subscriptions,
aux_tenants=aux_tenants)
client_kwargs = {}
if base_url_bound:
client_kwargs = {'base_url': cli_ctx.cloud.endpoints.resource_manager}
if api_version:
client_kwargs['api_version'] = api_version
if sdk_profile:
client_kwargs['profile'] = sdk_profile
if kwargs:
client_kwargs.update(kwargs)
if is_track2(client_type):
client_kwargs.update(_prepare_client_kwargs_track2(cli_ctx))
client_kwargs['credential_scopes'] = resource_to_scopes(resource)
# Track 2 currently lacks the ability to take external credentials.
# https://github.com/Azure/azure-sdk-for-python/issues/8313
# As a temporary workaround, manually add external tokens to 'x-ms-authorization-auxiliary' header.
# https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/authenticate-multi-tenant
if getattr(cred, "_external_tenant_token_retriever", None):
*_, external_tenant_tokens = cred.get_all_tokens(
*resource_to_scopes(resource))
# Hard-code scheme to 'Bearer' as _BearerTokenCredentialPolicyBase._update_headers does.
client_kwargs['headers']['x-ms-authorization-auxiliary'] = \
', '.join("Bearer {}".format(t[1]) for t in external_tenant_tokens)
if subscription_bound:
client = client_type(cred, subscription_id, **client_kwargs)
else:
client = client_type(cred, **client_kwargs)
if not is_track2(client):
configure_common_settings(cli_ctx, client)
return client, subscription_id
def _get_mgmt_service_client(cli_ctx,
client_type,
subscription_bound=True,
subscription_id=None,
api_version=None,
base_url_bound=True,
resource=None,
sdk_profile=None,
aux_subscriptions=None,
aux_tenants=None,
**kwargs):
from azure.cli.core._profile import Profile
logger.debug('Getting management service client client_type=%s',
client_type.__name__)
# Track 1 SDK doesn't maintain the `resource`. The `resource` of the token is the one passed to
# get_login_credentials.
resource = resource or cli_ctx.cloud.endpoints.active_directory_resource_id
profile = Profile(cli_ctx=cli_ctx)
cred, subscription_id, _ = profile.get_login_credentials(
subscription_id=subscription_id,
resource=resource,
aux_subscriptions=aux_subscriptions,
aux_tenants=aux_tenants)
client_kwargs = {}
if base_url_bound:
client_kwargs = {'base_url': cli_ctx.cloud.endpoints.resource_manager}
if api_version:
client_kwargs['api_version'] = api_version
if sdk_profile:
client_kwargs['profile'] = sdk_profile
if kwargs:
client_kwargs.update(kwargs)
if is_track2(client_type):
client_kwargs.update(_prepare_mgmt_client_kwargs_track2(cli_ctx, cred))
if subscription_bound:
client = client_type(cred, subscription_id, **client_kwargs)
else:
client = client_type(cred, **client_kwargs)
if not is_track2(client):
configure_common_settings(cli_ctx, client)
return client, subscription_id