Add subscription_id to service principal json #21693

Open
smarlowucf opened this issue Mar 18, 2022 · 4 comments
Labels
Auto-Assign Auto assign by bot customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request Graph az ad

smarlowucf commented Mar 18, 2022

Is your feature request related to a problem? Please describe.

Since --sdk-auth is now deprecated from az ad sp create-for-rbac, it's expected to use the original json output when creating a service principal. However, the json that's output is completely different. There are two issues:

  • The key names are all different (This is not good from a compatibility standpoint but it's easy to handle)
  • The subscription_id is missing (This is not nice because then it requires all SDK calls to provide the subscription)

Describe the solution you'd like

Given service principals are tied to a specific subscription it would be helpful for the subscription_id to be added to the original json output. This would be helpful in terms of compatibility for users who relied on the --sdk-auth option.

Describe alternatives you've considered

Keep --sdk-auth option

Additional context

No

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Graph az ad labels Mar 18, 2022
@ghost ghost assigned jiasli Mar 18, 2022
@ghost ghost added this to the Backlog milestone Mar 18, 2022
yonzhan (Collaborator) commented Mar 18, 2022

@jiasli for awareness

smarlowucf (Author) commented May 6, 2022

Are there any updates with regard to the deprecation and possible migration paths?

smarlowucf (Author) commented

To provide more details here: when you instantiate a client you require an instance of ClientSecretCredential. This has three arguments: tenant, client id, and client secret. These all exist in the SP json file no matter if you use --sdk-auth, but the keys are all different.

When you instantiate a client you pass the instance of ClientSecretCredential and also it requires the subscription id which only exists in the SP json when you use --sdk-auth. Thus if the --sdk-auth flag gets removed then it breaks anyone who is using that format of json and relies on the subscription id being in the json.

jiasli (Member) commented May 7, 2022

az ad sp create-for-rbac doesn't grant role assignments by default anymore and --scopes is now required (#21323), so you need to provide the subscription ID in the --scopes argument. Therefore, you should already have the subscription ID at hand, such as:

az ad sp create-for-rbac -n "MyApp" --role Contributor --scopes /subscriptions/{subscriptionId}/resourceGroups/{resourceGroup1}

If you want to use the original output of az ad sp create-for-rbac, you may use az account show --query id --output tsv to retrieve the subscription ID.

To be honest, --sdk-auth will not be removed very soon in the near future (even though Azure SDKs no longer consume it). You may still use it.

This topic will be centralized into #22297.
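The migration discussed in this thread, as an added example that is not part of the issue or of azure-cli: a loader that accepts either output format of az ad sp create-for-rbac and supplies the subscription ID separately when the default format lacks it. The key names for both formats, the AZURE_SUBSCRIPTION_ID fallback, and the helper names normalize_sp_json and redacted are assumptions; the thread does not list them.

```python
import json
import os

# Key names per output format. Assumed from azure-cli output; the thread
# only says that the keys differ between the two formats.
SDK_AUTH_KEYS = {"tenant_id": "tenantId", "client_id": "clientId",
                 "client_secret": "clientSecret"}
DEFAULT_KEYS = {"tenant_id": "tenant", "client_id": "appId",
                "client_secret": "password"}


def normalize_sp_json(text, subscription_id=None, env=os.environ):
    """Return tenant_id, client_id, client_secret and subscription_id
    from either create-for-rbac output format."""
    data = json.loads(text)
    keys = SDK_AUTH_KEYS if "clientId" in data else DEFAULT_KEYS
    missing = [src for src in keys.values() if not data.get(src)]
    if missing:
        # Name the missing keys only; the document itself holds the secret.
        raise ValueError("service principal JSON lacks: " + ", ".join(missing))
    creds = {dst: data[src] for dst, src in keys.items()}
    # Only the --sdk-auth format carries subscriptionId. Otherwise use the
    # caller's value, then the AZURE_SUBSCRIPTION_ID environment variable.
    sub = (subscription_id or data.get("subscriptionId")
           or env.get("AZURE_SUBSCRIPTION_ID"))
    if not sub:
        raise ValueError("no subscription id: pass one or set AZURE_SUBSCRIPTION_ID")
    creds["subscription_id"] = sub
    return creds


def redacted(creds):
    """Copy that is safe to log: the client secret is masked."""
    return {k: ("***" if k == "client_secret" else v) for k, v in creds.items()}


# Constructed sample documents; every value is a placeholder.
SDK_AUTH_SAMPLE = json.dumps({
    "clientId": "00000000-0000-0000-0000-000000000002",
    "clientSecret": "constructed-placeholder-secret",
    "subscriptionId": "00000000-0000-0000-0000-000000000003",
    "tenantId": "00000000-0000-0000-0000-000000000001"})
DEFAULT_SAMPLE = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000002", "displayName": "MyApp",
    "password": "constructed-placeholder-secret",
    "tenant": "00000000-0000-0000-0000-000000000001"})

if __name__ == "__main__":
    print(redacted(normalize_sp_json(SDK_AUTH_SAMPLE)))
```

The first three returned fields map onto the ClientSecretCredential arguments named in the thread, and subscription_id goes to the client constructor; the value for the default format can come from az account show --query id --output tsv as suggested above.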
