Azure-cli: msal and msal extensions pinned to old versions

add to S176

Yes, azure-cli-core has dependency on https://github.com/Azure/azure-cli/blob/573e66b75c1a6b102d32ef50e6740950e8c4fd4d/src/azure-cli-core/setup.py#L53-L54

However, installing Azure CLI with pip is not officially supported. If you must install with pip, we don't recommend installing Azure CLI and other Python SDKs in the same virtual environment.

azure.identity.AzureCliCredential only uses subprocess to call az account get-access-token, so it is fine to install Azure CLI and azure-identity under different virtual environments.

Moreover, installing Azure CLI and other Python SDKs in the same virtual environment will break other commands of Azure CLI as well, because Azure CLI still uses Track 1 SDKs and replacing them with Track 2 SDKs will break the underlying dependencies.

@jiasli - thanks for the update.
I understand the not supporting pip install for the whole of azure-cli and using separate environments, etc. but why is azure-cli-core even available on PyPI if you don't support installing with pip?

There's still the question that azure-identity now has AzureCliCredential support but in the current state of things you cannot use it in a supported way because it's impossible to have azure-cli-core and azure-identity in the same environment without this version conflict - although yes, you're right - I saw the way that azure-identity calls azure cli via subprocess.

BTW - I wasn't asking if it had a fixed dependency on 1.0.0 :-) - more why does it have this dependency on this quite old version? Do later msal/msal-extensions break functionality or is it just to constrain the test matrix (not that I'm saying the latter is unreasonable).

It's definitely complicated by the fact that newer versions of pip are much more vocal about conflicts like this. The really annoying thing is that we don't even use azure cli directly - one of our dependencies does. :-(

I'll play around with installing it into a separate environment but I'd assumed that a pip-installed azure-cli wouldn't even be visible to a different environment.

I understand the not supporting pip install for the whole of azure-cli and using separate environments, etc. but why is azure-cli-core even available on PyPI if you don't support installing with pip?

I will leave this question to @fengzhou-msft who is working on CLI release pipeline.

The dependency of MSAL is for VM SSH. @arrownj will bump the MSAL version accordingly and test with the latest MSAL. Hope this will unblock you.

... one of our dependencies does

May I know how the dependency is using Azure CLI? Ideally it should also use sub-process like AzureCliCredential does.

I'd assumed that a pip-installed azure-cli wouldn't even be visible to a different environment.

az is supposed to be visible on the PATH. This will require you to edit your PATH environment variable to include az. For example, on Windows, if you install outside a virtual environment, it is at C:\Users\username\AppData\Local\Programs\Python\Python38\Scripts\az.bat. Inside a virtual environment, it is at <env>\Scripts\az.bat. But again, we recommend installing in officially supported ways, instead of using pip.

I believe this could be easily fixed by changing

'msal~=1.0.0',
'msal-extensions~=0.1.3',

into

'msal~=1.0',
'msal-extensions~=0.2',

@arrownj, would this work?

@qwordy, could you help verify if msal-extensions~=0.2 works for VM SSH?