Merge pull request #27 from hashicorp/f/azure-cli-sp-auth

azure cli: verifying we're authenticated as a User
hashicorp · Jul 15, 2019 · c10ac5b · c10ac5b
2 parents b829879 + a8d090b
commit c10ac5b
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/authentication/auth_method_azure_cli_token.go b/authentication/auth_method_azure_cli_token.go
@@ -15,6 +15,7 @@ import (
 
 type azureCliTokenAuth struct {
 	profile *azureCLIProfile
+	servicePrincipalAuthDocsLink string
 }
 
 func (a azureCliTokenAuth) build(b Builder) (authMethod, error) {
@@ -25,6 +26,7 @@ func (a azureCliTokenAuth) build(b Builder) (authMethod, error) {
 			subscriptionId: b.SubscriptionID,
 			tenantId:       b.TenantID,
 		},
+		servicePrincipalAuthDocsLink: b.ClientSecretDocsLink,
 	}
 	profilePath, err := cli.ProfilePath()
 	if err != nil {
@@ -38,6 +40,17 @@ func (a azureCliTokenAuth) build(b Builder) (authMethod, error) {
 
 	auth.profile.profile = profile
 
+	// Authenticating as a Service Principal doesn't return all of the information we need for authentication purposes
+	// as such Service Principal authentication is supported using the specific auth method
+	if authenticatedAsAUser := auth.profile.verifyAuthenticatedAsAUser(); !authenticatedAsAUser {
+		return nil, fmt.Errorf(`Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
+
+To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
+auth method - instructions for which can be found here: %s
+
+Alternatively you can authenticate using the Azure CLI by using a User Account.`, auth.servicePrincipalAuthDocsLink)
+	}
+
 	err = auth.profile.populateFields()
 	if err != nil {
 		return nil, fmt.Errorf("Error retrieving the Profile from the Azure CLI: %s Please re-authenticate using `az login`.", err)

diff --git a/authentication/azure_cli_profile.go b/authentication/azure_cli_profile.go
@@ -1,6 +1,8 @@
 package authentication
 
 import (
+	"strings"
+
 	"github.com/Azure/go-autorest/autorest/azure/cli"
 )
 
@@ -33,3 +35,18 @@ func (a *azureCLIProfile) populateFields() error {
 	// always pull the environment from the Azure CLI, since the Access Token's associated with it
 	return a.populateEnvironment()
 }
+
+func (a *azureCLIProfile) verifyAuthenticatedAsAUser() bool {
+	for _, subscription := range a.profile.Subscriptions {
+		if subscription.User == nil {
+			continue
+		}
+
+		authenticatedAsAUser := strings.EqualFold(subscription.User.Type, "user")
+		if authenticatedAsAUser {
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/authentication/builder.go b/authentication/builder.go
@@ -33,6 +33,7 @@ type Builder struct {
 	// Service Principal (Client Secret) Auth
 	SupportsClientSecretAuth bool
 	ClientSecret             string
+	ClientSecretDocsLink     string
 }
 
 // Build takes the configuration from the Builder and builds up a validated Config