
[Enhancement Proposal] User and tenant isolation #15005

Description

@jiasli

Issue

Currently, Azure CLI uses subscriptionId as the primary key to distinguish between accounts (stored in ~/.azure/azureProfile.json).

```python
def _get_key_name(account, secondary_key_name):
    # The primary key is the subscription ID, optionally suffixed with one more field
    return (account[_SUBSCRIPTION_ID] if secondary_key_name is None
            else '{}-{}'.format(account[_SUBSCRIPTION_ID], account[secondary_key_name]))


def _match_account(account, subscription_id, secondary_key_name, secondary_key_val):
    # An account matches on subscription ID alone unless a secondary key is supplied
    return (account[_SUBSCRIPTION_ID] == subscription_id and
            (secondary_key_val is None or account[secondary_key_name] == secondary_key_val))
```

This causes problems when

  1. az login is run twice with different accounts that have access to the same subscriptions. The subscriptions listed during the second az login will overwrite subscriptions from the first az login.
  2. A subscription can be accessed in multiple tenants. Only the first occurrence is preserved and all subsequent occurrences are discarded. ([Core][Profile] Support lighthouse multi-tenant subscription #11886)
```python
    # When a subscription can be listed by multiple tenants, only the first appearance is retained
    for sub_to_add in subscriptions:
        add_sub = True
        for sub_to_compare in all_subscriptions:
            if sub_to_add.subscription_id == sub_to_compare.subscription_id:
                logger.warning("Subscription %s '%s' can be accessed from tenants %s(default) and %s. "
                               "To select a specific tenant when accessing this subscription, "
                               "use 'az login --tenant TENANT_ID'.",
                               sub_to_add.subscription_id, sub_to_add.display_name,
                               sub_to_compare.tenant_id, sub_to_add.tenant_id)
                add_sub = False
                break
        if add_sub:
            # Only reached when no earlier tenant listed this subscription ID
            all_subscriptions.append(sub_to_add)
```

Proposal

  1. CLI should use a combined primary key or 3-layer structure which consists of username + tenant_id + subscription_id.
  2. CLI should support switching users with az account set --username.
  3. CLI should support switching tenants with az account set --tenant.
  4. The selected subscription should be saved for each user and each tenant, so that after switching users/tenants, the selected subscription is restored.
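The following is an added illustration of the two designs compared in this issue; it is not Azure CLI code and the class names (`SubscriptionKeyedProfile`, `CompositeKeyProfile`), the method names and the sample users, tenants and subscription IDs are invented for the example. The first class keeps `subscription_id` as the only primary key and reproduces both problems above; the second keys accounts by `(username, tenant_id, subscription_id)`, exposes user/tenant switching in the spirit of the proposed `az account set --username` / `--tenant`, and remembers the selected subscription per user and tenant so it is restored after a switch.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Subscription:
    """One subscription as listed during a login, with the tenant it was listed from."""
    subscription_id: str
    tenant_id: str
    display_name: str = ""


class SubscriptionKeyedProfile:
    """Models the current design: subscription_id is the only primary key (hypothetical class)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, dict] = {}

    def login(self, username: str, subscriptions: List[Subscription]) -> None:
        seen = set()
        for sub in subscriptions:
            if sub.subscription_id in seen:
                continue  # problem 2: the same subscription seen from a second tenant is dropped
            seen.add(sub.subscription_id)
            # problem 1: a later login by another user silently overwrites the earlier entry
            self.accounts[sub.subscription_id] = {
                "user": username, "tenant_id": sub.tenant_id, "display_name": sub.display_name}


class CompositeKeyProfile:
    """Models the proposal: accounts keyed by (username, tenant_id, subscription_id) (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: Dict[Tuple[str, str, str], Subscription] = {}
        self.selected: Dict[Tuple[str, str], str] = {}  # (user, tenant) -> selected subscription_id
        self.user: Optional[str] = None
        self.tenant: Optional[str] = None

    def login(self, username: str, subscriptions: List[Subscription]) -> None:
        for sub in subscriptions:
            # distinct users and tenants never collide; re-login just refreshes the entry
            self.accounts[(username, sub.tenant_id, sub.subscription_id)] = sub
            # first subscription listed in a tenant becomes that (user, tenant) default
            self.selected.setdefault((username, sub.tenant_id), sub.subscription_id)
        if subscriptions:
            self.user, self.tenant = username, subscriptions[0].tenant_id

    def set_user(self, username: str) -> None:
        """Counterpart of the proposed 'az account set --username'."""
        tenants = [t for (u, t) in self.selected if u == username]
        if not tenants:
            raise KeyError(f"no login stored for user {username!r}")
        self.user = username
        if self.tenant not in tenants:  # keep the tenant if the new user has it, else first known
            self.tenant = tenants[0]

    def set_tenant(self, tenant_id: str) -> None:
        """Counterpart of the proposed 'az account set --tenant' (within the current user)."""
        if (self.user, tenant_id) not in self.selected:
            raise KeyError(f"user {self.user!r} has no login in tenant {tenant_id!r}")
        self.tenant = tenant_id

    def set_subscription(self, subscription_id: str) -> None:
        """Select a subscription; the choice is stored per (user, tenant), not globally."""
        if (self.user, self.tenant, subscription_id) not in self.accounts:
            raise KeyError(f"{subscription_id!r} not visible to {self.user!r} in {self.tenant!r}")
        self.selected[(self.user, self.tenant)] = subscription_id

    def current(self) -> Subscription:
        """The subscription commands would target for the current user and tenant."""
        return self.accounts[(self.user, self.tenant, self.selected[(self.user, self.tenant)])]


def demo() -> dict:
    """Constructed scenario: alice and bob both see sub-1, and alice sees sub-1 from two tenants."""
    alice_subs = [Subscription("sub-1", "tenant-a", "Shared"),
                  Subscription("sub-1", "tenant-b", "Shared via Lighthouse"),
                  Subscription("sub-2", "tenant-a", "Alice only")]
    bob_subs = [Subscription("sub-1", "tenant-a", "Shared")]

    old = SubscriptionKeyedProfile()
    old.login("alice", alice_subs)
    old.login("bob", bob_subs)  # alice's sub-1 entry is gone, and tenant-b was never stored

    new = CompositeKeyProfile()
    new.login("alice", alice_subs)
    new.set_subscription("sub-2")  # alice's choice for tenant-a
    new.login("bob", bob_subs)     # switches the active user to bob
    new.set_user("alice")          # back to alice: her tenant-a selection is restored
    restored = new.current()
    new.set_tenant("tenant-b")
    in_tenant_b = new.current()
    return {
        "old_owner_of_sub1": old.accounts["sub-1"]["user"],
        "old_count": len(old.accounts),
        "new_count": len(new.accounts),
        "restored_after_switch": restored.subscription_id,
        "in_tenant_b": (in_tenant_b.subscription_id, in_tenant_b.tenant_id),
    }


if __name__ == "__main__":
    print(demo())
```

With the subscription-only key the profile ends up with two entries and `sub-1` now belonging to bob; with the composite key all four (user, tenant, subscription) combinations survive, switching back to alice lands on her previously selected `sub-2`, and switching her to tenant-b yields the Lighthouse view of `sub-1`.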
