[identity] Using scopes in AzureCliCredential #13574
Labels: customer-reported, needs-triage, question
Is your feature request related to a problem? Please describe.
Is there a reason (security or otherwise) this access token is scoped to a resource?
https://github.com/Azure/azure-sdk-for-python/blob/master/sdk/identity/azure-identity/azure/identity/_credentials/azure_cli.py#L28
I don't fully understand why I need to supply one - I would prefer the access token to have the same access as my user when developing, and have access controlled by RBAC when actually deploying the application.
The issue is that otherwise, if I have some simple code to access blob storage using DefaultAzureCredential, I have to pointlessly construct a scope which is only ever used for local development.
Describe the solution you'd like
I don't know an elegant/proper solution but the behavior I expected was more like
Then I can choose to supply a scope for the access token when developing, or have full access to what my user can access.
Happy to submit a PR for this and the aio implementation if I haven't missed something behind the motivation here.