[identity] Using scopes in AzureCliCredential #13574

Closed
AkhilGNair opened this issue Sep 4, 2020 · 2 comments
Labels
customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@AkhilGNair

Is your feature request related to a problem? Please describe.
Is there a reason (security or otherwise) this access token is scoped to a resource?

https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py#L28

I don't fully understand why I need to supply one - I would prefer the access token to have the same access as my user when developing, and have access controlled by RBAC when actually deploying the application.

The issue is that otherwise, if I have some simple code to access blob storage using DefaultAzureCredential, I have to pointlessly construct a scope which is only ever used for local development.

Describe the solution you'd like
I don't know an elegant/proper solution but the behavior I expected was more like

```python
COMMAND_LINE = "az account get-access-token --output json{}"
...

resource = _scopes_to_resource(*scopes) if scopes else None
output, error = _run_command(COMMAND_LINE.format(f" --resource {resource}" if resource else ""))
```

Then I can choose to supply a scope for the access token when developing, or have full access to what my user can access.

Happy to submit a PR for this and the aio implementation if I haven't missed something behind the motivation here.

@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Sep 4, 2020
@AkhilGNair

AkhilGNair commented Sep 4, 2020

Maybe I am misunderstanding this though - could it be that I am supposed to supply something like https://storage.azure.com as the scope? TBH I can't find a list of valid scopes, so I have no idea what the options are!

I am aiming to access blob storage - perhaps I just need guidance on what scope to supply :)

@AkhilGNair

AkhilGNair commented Sep 4, 2020

Looks like I was using it wrong and this is all I needed

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import ContainerClient

credentials = DefaultAzureCredential()

container_client = ContainerClient(
    "https://storageaccountname12345.blob.core.windows.net/",
    container_name="container-01",
    credential=credentials,
)

print(list(container_client.list_blobs()))
```

Love the new feature! Thanks
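
An added example, not part of the thread and not the SDK's own code, on the question of why the token request carries a scope: an Azure AD access token is issued for one audience (its `aud` claim), so a scope such as `https://storage.azure.com/.default` has to be mapped to a single `--resource` value for `az account get-access-token`. The helper names, the unsigned sample token and the `https://example.invalid` scope are assumptions constructed for this sketch.

```python
import base64
import json

DEFAULT_SUFFIX = "/.default"


def scope_to_resource(*scopes):
    """Map a single '<resource>/.default' scope to the resource URI."""
    if len(scopes) != 1:
        raise ValueError("a token is issued for exactly one resource; pass one scope")
    scope = scopes[0]
    return scope[: -len(DEFAULT_SUFFIX)] if scope.endswith(DEFAULT_SUFFIX) else scope


def cli_args(*scopes):
    """Build the az invocation as an argument list (no shell string formatting)."""
    return ["az", "account", "get-access-token", "--output", "json",
            "--resource", scope_to_resource(*scopes)]


def token_audience(jwt):
    """Return the 'aud' claim of a JWT. Inspection only: no signature check."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]


def audience_matches(jwt, scope):
    """True if the token was issued for the resource that `scope` names."""
    return token_audience(jwt).rstrip("/") == scope_to_resource(scope).rstrip("/")


def constructed_jwt(aud):
    """Build an unsigned sample token (constructed for this example)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT"}), enc({"aud": aud}), "constructed-signature"])


if __name__ == "__main__":
    token = constructed_jwt("https://storage.azure.com")
    print(cli_args("https://storage.azure.com/.default"))
    print(audience_matches(token, "https://storage.azure.com/.default"))
    print(audience_matches(token, "https://example.invalid/.default"))
```

A token whose audience is the storage resource fails the check for any other scope, which is the least-privilege property the per-resource request gives during local development.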

@AkhilGNair AkhilGNair changed the title [identity] Can scopes be removed from AzureCliCredential? [identity] Using scopes be in AzureCliCredential Sep 4, 2020
@AkhilGNair AkhilGNair changed the title [identity] Using scopes be in AzureCliCredential [identity] Using scopes in AzureCliCredential Sep 4, 2020
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-python that referenced this issue Mar 25, 2021
Zy privatedns t2 (Azure#13574)

* wrong opr

* private track2 configure

* delete unexpected modification

* reeadme.python version del

* privatedns clear output folder del

* privatedns readme.python package-version add
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023