How to grant TrustFrameworkKeySet.Read.All to az cli #22755

Closed
m-moris opened this issue Jun 7, 2022 · 5 comments
Labels: Auto-Assign, customer-reported, feature-request, Graph, az ad

m-moris commented Jun 7, 2022

Describe the bug

Command Name
az rest

Errors:

Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. ","innerError":{"correlationId":"e3062914-8c45-4904-a81d-7a8dc518323d","date":"2022-06-07T05:34:40","request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503","client-request-id":"fc0244a4-d8d7-4a3d-9f12-b81291542503"}}})

To Reproduce:

Steps to reproduce the behavior. Note that argument values have been redacted, as they may contain sensitive information.

  • az rest --method get --url https://graph.microsoft.com/beta/trustFramework/keySets

Expected Behavior

az cli can retrieve the keyset

Environment Summary

Linux-5.10.102.1-microsoft-standard-WSL2-x86_64-with-glibc2.31, Ubuntu 20.04 LTS
Python 3.10.4
Installer: DEB

azure-cli 2.37.0

Extensions:
containerapp 0.2.0
spring-cloud 2.11.2

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Additional Context

The following commands can be executed successfully.

az rest --method get --url https://graph.microsoft.com/v1.0/applications

@ghost ghost added customer-reported Issues that are reported by GitHub users external to the Azure organization. Auto-Assign Auto assign by bot Graph az ad labels Jun 7, 2022
@ghost ghost assigned jiasli Jun 7, 2022
@ghost ghost added this to the Backlog milestone Jun 7, 2022
@ghost ghost added the CXP Attention This issue is handled by CXP team. label Jun 7, 2022

yonzhan commented Jun 7, 2022

@jiasli for awareness

@yonzhan yonzhan removed the CXP Attention This issue is handled by CXP team. label Jun 7, 2022

jiasli commented Jun 7, 2022

https://graph.microsoft.com/beta/trustFramework/keySets is the Get trustFrameworkKeySet API, which requires the TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All permissions.

Azure CLI is a First Party App that doesn't have these delegated permissions.


There are 2 possible solutions:

  1. (For us) Apply for TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All permissions in First Party App portal. You can't do that yourself.
  2. Support custom client ID so that users can use Azure CLI with their own application.


m-moris commented Jun 7, 2022

@jiasli Thanks for the quick response.

Our requirement is to upload custom policies and manage policy keys for AAD B2C tenants from the command line. Preferably not PowerShell, but the Azure CLI.


jiasli commented Jun 16, 2022

For the above options, we did some internal discussion:

  1. Applying for TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All delegated permissions is certainly not an easy task for us. We need to work with security team, PM team, and AAD team to review the business justification and go through multiple approvals.

  2. Supporting custom client ID will also take some time for development. For now, I think the best shot you can take is to

    1. Create your own AAD application
    2. Grant it TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All delegated permissions
    3. Replace Azure CLI's client ID at /opt/az/lib/python3.10/site-packages/azure/cli/core/auth/identity.py Line 22 with your own application ID:
      AZURE_CLI_CLIENT_ID = '04b07795-8ddb-461a-bbee-02f9e1bf7b46'

    but this is very hacky and we don't officially support it.

Workaround

A third option is not to use user identity to log in at all. Instead,

  1. Create a service principal
  2. Grant it TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All application permissions
  3. Log in with that service principal
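
The three-step workaround above, written out as an added example script (not part of the azure-cli project and not code from this thread). It assumes three placeholder environment variables you supply, B2C_TENANT_ID, SP_APP_ID and SP_SECRET, and a placeholder permission ID for the grant step; the error-body format it parses is the one quoted at the top of the issue, so the regex is an assumption about that format. Without the variables set, only the parsing helpers are defined, which lets a CI job tell "the principal still lacks the permission" apart from any other failure.

```shell
#!/usr/bin/env bash
# Added example: service-principal workaround for reading B2C key sets.
# Placeholders (assumptions, not values from the issue):
#   B2C_TENANT_ID, SP_APP_ID, SP_SECRET, KEYSET_READ_PERMISSION_ID
set -eu

GRAPH_KEYSETS_URL="https://graph.microsoft.com/beta/trustFramework/keySets"
# Well-known application ID of the Microsoft Graph resource.
GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"

# Constructed sample: the message part of the Forbidden body quoted in the issue.
SAMPLE_ERROR='Forbidden({"error":{"code":"AADB2C","message":"The application does not have any of the required delegated permissions (TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All) to access the resource. "}})'

# Print, one per line, the permissions named inside the parentheses of a
# Graph "required ... permissions (...)" error. Prints nothing if absent.
required_permissions_from_error() {
    printf '%s' "$1" \
      | grep -o 'required delegated permissions ([^)]*)' \
      | sed 's/.*(\(.*\))/\1/' \
      | tr ',' '\n' \
      | sed 's/^ *//'
}

# Exit 0 only when the error names a TrustFrameworkKeySet.* permission.
is_keyset_permission_error() {
    required_permissions_from_error "$1" | grep '^TrustFrameworkKeySet\.' >/dev/null
}

# Step 2: grant the application permission (Role, not Scope) and consent.
# KEYSET_READ_PERMISSION_ID is the ID of TrustFrameworkKeySet.Read.All as
# exposed by the Graph service principal in your tenant (placeholder here).
grant_keyset_app_permission() {
    az ad app permission add --id "$SP_APP_ID" \
        --api "$GRAPH_RESOURCE_APP_ID" \
        --api-permissions "${KEYSET_READ_PERMISSION_ID}=Role"
    az ad app permission admin-consent --id "$SP_APP_ID"
}

# Step 3: log in as the service principal (B2C tenants usually have no
# subscription, hence --allow-no-subscriptions) and call the Graph endpoint.
read_keysets_as_sp() {
    az login --service-principal \
        --username "$SP_APP_ID" \
        --password "$SP_SECRET" \
        --tenant "$B2C_TENANT_ID" \
        --allow-no-subscriptions >/dev/null
    az rest --method get --url "$GRAPH_KEYSETS_URL"
}

# Only act when the placeholders are set; otherwise the file just defines helpers.
if [ -n "${B2C_TENANT_ID:-}" ] && [ -n "${SP_APP_ID:-}" ] && [ -n "${SP_SECRET:-}" ]; then
    if ! out="$(read_keysets_as_sp 2>&1)"; then
        if is_keyset_permission_error "$out"; then
            echo "service principal still lacks one of:" >&2
            required_permissions_from_error "$out" >&2
        else
            printf '%s\n' "$out" >&2
        fi
        exit 1
    fi
    printf '%s\n' "$out"
fi
```

The grant function is deliberately not called automatically: it is a one-time admin action, and `admin-consent` requires a tenant administrator. On the secret-handling point raised later in the thread, `az login --service-principal` also accepts a path to a PEM certificate in place of the secret (`--password /path/to/cert.pem`), which keeps long-lived credentials out of environment variables and scripts.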


m-moris commented Jun 17, 2022

Thanks for the discussion.

Indeed, I too think we should be cautious about granting any authority to az cli tools.
I decided to use a workaround and have already written an automated script. It is a bit of a pain to manage the secret, though.

@jiasli jiasli closed this as completed Aug 14, 2023