Fix #2274: Honour AZURE_TENANT_ID and caller-supplied subscription_id in azure_rm workload-identity auth#2276
Conversation
…load-identity auth
…h material

The previous fix moved the caller-supplied subscription_id merge above the 'no subscription_id -> return None' early-return in _get_env_credentials. That unblocked workload-identity flows (the original #2274 bug), but it introduced a regression: when auth_source=auto and the env has no AZURE_* auth material yet the caller supplies subscription_id (e.g. via module_defaults, inventory, or a credentials profile), _get_env_credentials now returns a truthy dict containing only subscription_id. The auto cascade in _get_credentials short-circuits on that truthy value, skipping the credential_file and az-cli fallbacks, and _set_credentials then fails with 'Failed to authenticate with provided credentials. Some attributes were missing.'

Add a guard before the subscription_id merge: env counts as usable auth only when client_id (SP / OIDC paths) or ad_user (user/password path) is set. Otherwise return None so the auto cascade falls through to credential_file -> az-cli as documented.

This restores auto-cli-fallback and auto-default-credfile while preserving the #2274 workload-identity fix (AKS webhook always sets AZURE_CLIENT_ID alongside AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE, so the guard passes).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sanity test E501 (line too long, max 160) failed on the comment lines introduced in commit da07669. Shorten them to fit.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Hi @zunyangc, thanks for the quick turnaround on this, really appreciate it! I checked out the branch and ran the patched the extra guard requiring this is exactly what I needed downstream, I'd been bridging
SUMMARY
Fix #2274.
The `azure_rm` modules and the `azure_rm` inventory plugin did not pick up the environment variables injected by the AKS workload-identity webhook (and used by the `azure-identity` SDK), so OIDC auth failed out-of-the-box on AKS workloads until the user manually re-exported `AZURE_TENANT=$AZURE_TENANT_ID`.
ISSUE TYPE
COMPONENT NAME
plugins/module_utils/azure_rm_common.py
plugins/doc_fragments/azure_plugin.py
ADDITIONAL INFORMATION
`AZURE_TENANT_ID` honoured as a fallback for `tenant`
- `AZURE_CREDENTIAL_ENV_MAPPING_FALLBACK = {'tenant': 'AZURE_TENANT_ID'}`.
- `_get_env()` returns the primary env var when set, otherwise the fallback.
- `_get_env_credentials()` now routes through `_get_env()` so the alias applies there too.
- `AZURE_TENANT` remains the primary name (back-compat with existing pipelines and `~/.azure/credentials` profiles).
`_get_env_credentials()` early-return reordered
- `subscription_id` is merged into `env_credentials` before the "no subscription return `None`" check, so a value from an `azure_rm.yml` inventory config or `~/.azure/credentials` profile is honoured under workload identity (where the webhook does not inject `AZURE_SUBSCRIPTION_ID`).
- `_get_env_credentials()` now returns `None` when the env has neither `client_id` (SP / OIDC paths) nor `ad_user` (user/password path), even if a caller-supplied `subscription_id` is present.
- `auth_source=auto` to short-circuit on a subscription-only env dict, skipping the documented `credential_file` -> `az-cli` fallbacks.
- `AZURE_CLIENT_ID` alongside `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE`.
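As an added illustration (not the collection's own code), a simplified Python model of the lookup order this PR describes: `_get_env()` with the `AZURE_TENANT_ID` alias, the `client_id`/`ad_user` guard in `_get_env_credentials()`, and its effect on the `auth_source=auto` cascade. The mapping dict, the explicit `env` parameter, the `_auto_auth_source()` helper and the sample environments are assumptions; the real functions in `plugins/module_utils/azure_rm_common.py` read the process environment and handle more fields.

```python
# Simplified model of the env-credential lookup this PR describes. Added
# illustration, not the collection's code: the mapping, signatures and the
# explicit ``env`` parameter are assumptions made for a runnable example.
AZURE_CREDENTIAL_ENV_MAPPING = {
    'subscription_id': 'AZURE_SUBSCRIPTION_ID',
    'client_id': 'AZURE_CLIENT_ID',
    'secret': 'AZURE_SECRET',
    'tenant': 'AZURE_TENANT',
    'ad_user': 'AZURE_AD_USER',
    'password': 'AZURE_PASSWORD',
}
# Alias read only when the primary variable is unset (AZURE_TENANT stays primary).
AZURE_CREDENTIAL_ENV_MAPPING_FALLBACK = {'tenant': 'AZURE_TENANT_ID'}


def _get_env(attr, env):
    """Primary env var wins; the fallback alias is read only if primary is unset."""
    value = env.get(AZURE_CREDENTIAL_ENV_MAPPING[attr])
    if value is None and attr in AZURE_CREDENTIAL_ENV_MAPPING_FALLBACK:
        value = env.get(AZURE_CREDENTIAL_ENV_MAPPING_FALLBACK[attr])
    return value


def _get_env_credentials(env, subscription_id=None):
    """Credential dict from env, or None when env holds no usable auth material."""
    env_credentials = {attr: _get_env(attr, env) for attr in AZURE_CREDENTIAL_ENV_MAPPING}
    # Guard: without client_id (SP / OIDC) or ad_user (user/password) the env is
    # not an auth source, even if the caller supplied subscription_id.
    if not (env_credentials['client_id'] or env_credentials['ad_user']):
        return None
    # Merge the caller's subscription_id before the early return, so workload
    # identity (the webhook does not inject AZURE_SUBSCRIPTION_ID) still works.
    if subscription_id:
        env_credentials['subscription_id'] = subscription_id
    if not env_credentials['subscription_id']:
        return None
    return env_credentials


def _auto_auth_source(env, subscription_id=None):
    """Model the auth_source=auto cascade: env, then credential_file, then az-cli."""
    if _get_env_credentials(env, subscription_id):
        return 'env'
    # Before the guard, a subscription-only dict was truthy and we never got here.
    return 'credential_file'


# Constructed AKS workload-identity environment: the webhook injects client id,
# tenant id and token file, but no AZURE_SUBSCRIPTION_ID.
AKS_ENV = {'AZURE_CLIENT_ID': 'app-id', 'AZURE_TENANT_ID': 'tenant-id',
           'AZURE_FEDERATED_TOKEN_FILE': '/var/run/secrets/azure/tokens/azure-identity-token'}
```

Passing an empty environment with only a caller-supplied `subscription_id` now yields `None`, so the cascade reaches `credential_file`, while the AKS environment plus an inventory-supplied subscription still authenticates from env.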