Is your feature request related to a problem? Please describe.
I'm concerned that I cannot use the CLI without having my credentials written to disk in the clear.
Describe the solution you'd like
I would like the CLI to accept credentials from the environment (e.g. `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`).
Describe alternatives you've considered
I've yet to find a way to authenticate that doesn't involve secrets being written to `~/.azure`.
Additional context
I came across this issue which seems to describe the same thing, but was closed following an apparent misunderstanding. While the AWS CLI does indeed write secrets in the clear to disk when configured via `aws configure`, it also allows for configuration via environment variables.
I've also found examples in both the Ruby SDK here, and the Go SDK here where authentication via environment variables is enabled.
This issue is particularly problematic in a dockerized environment where it's common for the home directory to be mapped on the host.
Hi @garymoon, thank you for raising this issue. We will consider this as a feature request and discuss internally.
@jiasli Thank you for the update. Please be sure to consider the implications of unintended credential leakage also. IMO this issue represents a security concern.
In the meantime, for anyone coming across this ticket, I suggest either using the `microsoft/azure-cli` docker image and mounting the config dir as tmpfs with `--tmpfs [home_dir]/.azure`, or adding `AZURE_CONFIG_DIR=/dev/shm/.azure` to your shell if you're on Linux.
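The workaround in the comment above, packaged as an added shell example (not code from the issue author or from the Azure CLI project): `AZURE_CONFIG_DIR` is pointed at a fresh RAM-backed directory for the duration of one command and wiped afterwards, and the `docker run` line passes the service-principal variables through the environment so the secret never appears on the command line. Assumptions are labelled in the comments: that `/dev/shm` is tmpfs when present, that `/root` is the home directory inside the `microsoft/azure-cli` image, and the function names themselves, which are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the issue or from the Azure CLI project.
# It packages the workaround above: keep AZURE_CONFIG_DIR on RAM-backed
# storage so the tokens az writes never land on disk or on a host-mounted
# volume, and pass service-principal credentials to the azure-cli container
# through the environment rather than on the command line.

# Directory for the throwaway config: /dev/shm (assumed to be tmpfs, as it
# is on most Linux systems) when usable, otherwise $TMPDIR, which is
# disk-backed and therefore only a fallback.
ephemeral_base_dir() {
    if [ -d /dev/shm ] && [ -w /dev/shm ]; then
        printf '%s\n' /dev/shm
    else
        printf '%s\n' "${TMPDIR:-/tmp}"
    fi
}

# Run "$@" with AZURE_CONFIG_DIR pointing at a fresh directory, then wipe
# that directory whatever the command's exit status was. mktemp -d creates
# it with mode 0700, so other local users cannot read the token cache.
with_ephemeral_azure_config() {
    base=$(ephemeral_base_dir)
    dir=$(mktemp -d "$base/.azure.XXXXXX") || return 1
    AZURE_CONFIG_DIR="$dir" "$@"
    status=$?
    rm -rf "$dir"
    return "$status"
}

# Print the docker invocation for the microsoft/azure-cli image named in
# the comment above. A bare "-e NAME" makes docker copy NAME's value from
# the caller's environment, so the secret is absent from the command line
# (and so from `ps` output and shell history). The container's config dir
# is a tmpfs mount; /root is assumed to be the image's home directory.
az_docker_cmd() {
    printf '%s\n' "docker run --rm \
--tmpfs /root/.azure \
-e AZURE_TENANT_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET \
microsoft/azure-cli $*"
}

# Example use (az itself is not needed to load this file). The whole
# session has to run inside one call, because each call gets its own
# directory and the login is discarded when the call returns:
#   with_ephemeral_azure_config sh -c 'az login --use-device-code && az account show'
#   eval "$(az_docker_cmd az account show)"
```

For an interactive shell the same effect is `export AZURE_CONFIG_DIR=$(mktemp -d /dev/shm/.azure.XXXXXX)`, which also gives the directory mode 0700 rather than the 0755 a plain `mkdir` would. `az_docker_cmd` joins its arguments with spaces, so it is meant for simple arguments or for reading the command it prints; anything with shell metacharacters should be quoted by hand.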
Python SDK - Azure Identity also supports environment variables here. Maybe we can implement this independently of Azure Identity integration. Even after the Azure Identity integration, this won't be a breaking change.
Any update on this? It will be super useful for us as well.
We are currently implementing this feature in the Azure Identity Integration process and it will be included in the next Beta release. But we can't provide a solid ETA yet.
Hi @jiasli,
Is there any update or a workaround? We need to use the CLI in a pipeline and do not want to post the password on a command line.
Thanks!
This will be released in the next Beta version which uses MSAL. Hopefully it can satisfy your needs.