[Enhancement Proposal] Support "bring your own access token"

[jiasli]

Is your feature request related to a problem? Please describe.

We have received several feature requests that the user would like to provide their own access token, without interacting with AAD.

Azure PowerShell cmdlet Connect-AzAccount supports -AccessToken.

Describe the solution you'd like

1. az login should support either

   • --access-token argument which accepts an access token with Subscriptions - List permission:

     az login --access-token <access_token>
     

   • both --access-token (may not have Subscriptions - List permission) and --subscription which explicitly specifies the default subscription (also see [Enhancement Proposal] Support --subscription in az login #14933):

     az login --access-token <access_token> --subscription <subscription_id>
     

2. Each az command should support a global argument --access-token which can be used together with --subscription to invoke ARM request:

   az group list --access-token <access_token> --subscription <subscription_id>
   

   I previously made a prototype: [Demo] Allow specifying a custom access token jiasli/azure-cli#12

3. Consume an environment variable AZURE_CLI_ACCESS_TOKEN so that all commands can use the same access token:

   export AZURE_CLI_ACCESS_TOKEN=<access_token>
   az group list
   

   Also, since environment variables are preserved in memory, is it much safer than saving the access token to hard disk. Also see Enable authentication via environment variables #10241

[yonzhan]

Enhancement Proposal

[jiasli]

Azure CLI can take advantage of TokenCredential if Azure/azure-sdk#2189 is implemented.

[richeney]

That would be cool. especially if those --subscription and --access-token switches supported Azure defaults. You could then set env vars, e.g. export AZURE_DEFAULTS_ACCESS_TOKEN=$mytoken.

I often have scrips that export AZURE_DEFAULTS_LOCATION and AZURE_DEFAULTS_GROUP to save including --location and --resource-group on every CLI command.

[bganapa]

If you are looking for this option to run few cli commands parallelly with different user context, the option of AZURE_CONFIG_DIR may be helpful
https://docs.microsoft.com/en-us/cli/azure/use-cli-effectively#concurrent-builds

[jiasli]

Limitations

1. The access token usually expires after 1 hour. Users will have to log in again after it expires.
2. The access token has a specific audience claim (aud), which means it can only be used on one resource. For example, if an ARM's access token is provided, Storage or Key Vault data-plane commands will fail as the audience doesn't match the resource.
3. Directly manipulating access tokens is risky and can lead to credential leak.

[ayanamist]

@jiasli Both AWS and AlibabaCloud support obtaining a token from an external program
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sourcing-external.html
https://github.com/aliyun/aliyun-cli?tab=readme-ov-file#use-an-external-program-to-get-credentials

[hcoona]

We understand the limitation and we confirm our scenario need this feature.

1. We are C# service and can acquire OBO AT. We need to execute user's instruction by passing some parameters to Azure CLI. We know the best approach is to construct deployment ARM template but currently we cannot because of the flexible requirements.
2. We sometime want to go across the Docker container boundary. AKA. generate the AT outside but execute it inside the container.

[fl0mb]

Any updates on this?