Support specifying a cert thumbprint on Windows #29324

Open
VladimirKhvostov opened this issue Jul 7, 2024 · 5 comments

@VladimirKhvostov

Hello,
I wanted to switch from the Azure PowerShell to Az cli, because packer supports use_azure_cli_auth.
Tested locally - things look great. I started to update a release pipeline and ran into an issue:

az login --service-principal requires a pem file on Windows. My expectation was that I will be able to pass certificate thumbprint on Windows, similar to https://learn.microsoft.com/en-us/powershell/module/az.accounts/connect-azaccount?view=azps-12.0.0#example-7-connect-using-certificates

Unfortunately, the following example is not very useful:
https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file

Are there plans to support specifying a cert thumbprint on Windows?
Thanks,
--Vladimir

@yonzhan
Collaborator

yonzhan commented Jul 7, 2024

Thank you for opening this issue, we will look into it.

@microsoft-github-policy-service microsoft-github-policy-service bot added Auto-Assign Auto assign by bot Account az login/account labels Jul 7, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added Azure CLI Team The command of the issue is owned by Azure CLI team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 7, 2024
@yonzhan yonzhan added this to the Backlog milestone Jul 8, 2024
@jiasli
Member

jiasli commented Jul 8, 2024

Unfortunately, the following example is not very useful:
https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file

Could you explain why this example is not helpful?

Supporting PFX in az login is tracked by #20465.

@yonzhan yonzhan added feature-request and removed question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jul 8, 2024
@jiasli
Member

jiasli commented Jul 8, 2024

Unfortunately, the following example is not very useful:
https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file

Could you explain why this example is not helpful?

Supporting PFX certificate in az login is tracked by #20465.

@VladimirKhvostov
Author

@jiasli,
It is great that we have #20465 to track the issue. Supporting PFX cert would be helpful for Windows users, but ideally az cli should support certificate thumbprint. Certificates in the Windows certificate store can be non-exportable, which would block creating pfx.
#20465 was created almost 3 years ago.

https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-3#convert-an-existing-pkcs12-file is not helpful for Windows users.
Consider the following scenario: A customer needs to use a certificate from the Windows certificate store in the az login command.

Thanks,
--Vladimir
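
The constraint raised in the comment above (a store certificate with a non-exportable private key cannot be turned into a PFX, and so not into the PEM file `az login --service-principal` asks for) can be checked up front in a release pipeline. This is an added example, not part of the original thread or of Azure CLI; the thumbprint is a constructed placeholder, the store path and the function name `Test-CertKeyExportable` are assumptions, and only RSA keys are handled.

```powershell
# Added example: report whether a store certificate's private key can be exported.
# The thumbprint is a constructed placeholder; the store path is an assumption.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000',
    [string]$StorePath  = 'Cert:\CurrentUser\My'
)

function Test-CertKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $false }
    try {
        # RSA only; an ECDSA certificate would need GetECDsaPrivateKey instead.
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $key) { return $false }

        if ($key -is [System.Security.Cryptography.RSACng]) {
            # CNG key: the export policy is a flags enum on the underlying CngKey.
            $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport
            return $key.Key.ExportPolicy.HasFlag($allow)
        }
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: exportability is recorded on the key container.
            return $key.CspKeyContainerInfo.Exportable
        }
        return $false
    }
    catch {
        # Key not readable by this account (ACLs, missing token): treat as not exportable.
        return $false
    }
}

# Thumbprints copied from the certificate UI often contain spaces; strip them.
$wanted = $Thumbprint -replace '\s', ''
$cert = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Thumbprint -eq $wanted } |
    Select-Object -First 1

if ($null -eq $cert) {
    Write-Error "No certificate with thumbprint $wanted found in $StorePath"
    return
}

[pscustomobject]@{
    Thumbprint    = $cert.Thumbprint
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    HasPrivateKey = $cert.HasPrivateKey
    KeyExportable = Test-CertKeyExportable -Cert $cert
}
```

When `KeyExportable` is `False`, the PKCS12-to-PEM conversion from the linked tutorial has no PFX to start from, which is the case the thumbprint request is meant to cover.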

@jiasli jiasli changed the title az cli is not Windows friendly (az login --service-principal requires a pem file) Support specifying a cert thumbprint on Windows Jul 22, 2024
@jiasli
Member

jiasli commented Jul 22, 2024

Support for reading a certificate from the Windows certificate store depends on MSAL's implementation: AzureAD/microsoft-authentication-library-for-python#685.

However, this would require calling the Win32 API. For Python, this may not be as easy as reading from a PEM/PFX file. The Azure PowerShell cmdlet Connect-AzAccount is based on .NET, so it has a better integration with Windows than Python.
