Skip to content

Using multiple azure-cli credentials within automation

James Dawson By James Dawson Principal I
Using multiple azure-cli credentials within automation

Have you ever needed an automated process to use alternative credentials for a subset of tasks?

Do your CI/CD processes run with least privilege and lack the permission to carry out certain higher privilege tasks like creating users, changing permissions or role assignments?

This post will demonstrate a technique that allows you setup multiple, concurrent authenticated sessions when using the azure-cli and switch freely between them.

Ordinarily when you run the az login command, your profile stored in ~/.azure will be updated with the obtained authentication token and the azure-cli will use this to authenticate subsequent commands.

However, it is possible to override the path used to store the profile data by setting the environment variable AZURE_CONFIG_DIR. In this way your automated process can use the standard profile path for its default credentials but setup additional authenticated sessions for any other security contexts it requires to do its job.

You just need to ensure that this environment variable is set to point at the correct path before running your azure-cli command (and unset when you want to use the default credentials again).

The PowerShell script below should give you the general idea:

$ErrorActionPreference = 'Stop'
# setup temporary profile path for the alternative user
$altIdProfilePath = Join-Path ([io.path]::GetTempPath()) '.azure-altId'
try {
# check whether already logged-in
$currentToken = $(az account get-access-token) | ConvertFrom-Json
if ([datetime]$currentToken.expiresOn -le [datetime]::Now) {
throw
}
}
catch {
Write-Host 'You need to login'
az login | Out-Null
if ($LASTEXITCODE -ne 0) { exit 1 }
}
Write-Host "You are logged-in (default credential)"
Write-Host "Output from 'az account show':"
az account show --query user
# create a test SPN
Write-Host "`nCreating temporary SPN..."
$newUser = $(az ad sp create-for-rbac -n "My-Alt-Id" --skip-assignment) | ConvertFrom-Json
Write-Host "Created appId: $($newUser.appId)"
Write-Host "`nSwitching to alternative user ($altIdProfilePath)"
# don't use the new SPN too soon ;-)
Start-Sleep -Seconds 5
$env:AZURE_CONFIG_DIR = $altIdProfilePath
Write-Host "Logging-in as temporary SPN"
az login --service-principal -u $newUser.appId -p $newUser.password --tenant $newUser.tenant --allow-no-subscriptions | Out-Null
if ($LASTEXITCODE -ne 0) { exit 1 }
Write-Host "Output from 'az account show':"
az account show --query user
Write-Host "`nSwitching back to default credential"
# unset the environment variable
Remove-Item env:\AZURE_CONFIG_DIR
Write-Host "Output from 'az account show':"
az account show --query user
# tidy-up
Write-Host "`nRemoving temporary SPN..."
az ad sp delete --id $newUser.appId
Remove-Item -Recurse -Force $altIdProfilePath
view raw multiple-azurecli-security-contexts-demo.ps1 hosted with ❤ by GitHub
Azure Weekly is a summary of the week's top Microsoft Azure news from AI to Availability Zones. Keep on top of all the latest Azure developments!

Also worth reading:

Using Azure CLI Authentication within Local Containers

Using Azure CLI Authentication within Local Containers

James Dawson

Have the recent changes to Azure CLI on Windows broken your dev inner loop when working with containerised applications that need access to Azure resources? If so, this post provides a workaround that will unblock you without having to be stuck on an old version of the Azure CLI.
Import and export notebooks in Databricks

Import and export notebooks in Databricks

Ed Freeman

Sometimes it's necessary to import and export notebooks from a Databricks workspace. This might be because you have some generic notebooks that can be useful across numerous workspaces, or it could be that you're having to delete your current workspace for some reason and therefore need to transfer content over to a new workspace. Importing and exporting can be doing either manually or programmatically. In this blog, we outline a way to recursively export/import a directory and its files from/to a Databricks workspace.
How to use the Azure CLI to manage access to Synapse Studio

How to use the Azure CLI to manage access to Synapse Studio

Ed Freeman

Azure Synapse Analytics developers need to be assigned a role within Synapse Studio in order to access the GUI. The Azure CLI provides one way of programmatically achieving this, which can be done by any Owner or Contributor of the Azure Synapse Analytics resource.

James Dawson

Principal I

James Dawson

James is an experienced consultant with a 20+ year history of working across such wide-ranging fields as infrastructure platform design, internet security, application lifecycle management and DevOps consulting - both technical and in a coaching capacity. He enjoys solving problems, particularly those that reduce friction for others or otherwise makes them more effective.