How to use environment variables instead of az login in azure cli or any other secured way?

Appmanager Zohocorp 41

I am trying to use Environment Variables for Azure CLI instead of the below 'az login' command

az login --service-principal -u [ClientID] -p [ClientSecret]--tenant [TenantID]

Can Azure CLI able to use environment variables for Azure credentials?

If not, is there any alternate way to set credentials to Azure CLI programmatically in a secured way instead of directly using client secret in command?

Note: AWS-CLI supports configuring credentials in environment variables for aws commands.

1 answer

Shweta Mathur 27,131 Reputation points Microsoft Employee

2022-05-11T07:38:46.123+00:00

Hi @Appmanager Zohocorp ,

Thanks for reaching out.

I understand you are looking a secure way to pass credentials to Azure CLI preferably environment variables.

CLI provides a way to set variables either in a configuration file or with environment variables.

There are defined values that can be set as environment_variables as AZURE_{section}_{name} in the configuration file as mentioned here.

To pass the credentials securely in Azure CLI using read -sp command in bash where credential can be passed without displaying in console as:

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant<tenant>

Alternatively, Powershell command can be used to pass credential securely as:

$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>

Hope this will help to pass credential securely using Azure CLI.

Thanks,
Shweta

------------------------------------------------

Please remember to "Accept Answer" if answer helped you.
Please sign in to rate this answer.
Appmanager Zohocorp 41 Reputation points

2022-05-13T08:29:34.98+00:00

Hi @Shweta Mathur ,

Thanks for the info.

There are defined values that can be set as environment_variables as AZURE_{section}_{name} in the configuration file as mentioned here.

In this document, I find no variables related to az login. Can you elaborate your answer if it is supported?

read -sp "Azure password: " AZ_PASS && echo && az login --service-principal -u <app-id> -p $AZ_PASS --tenant<tenant>

$AzCred = Get-Credential -UserName <app-id>
az login --service-principal -u $AzCred.UserName -p $AzCred.GetNetworkCredential().Password --tenant <tenant>

Both the ways seems to be interactive but we need to run the command programmatically. Is there any other secure way to run the command programmatically both in Windows and Linux?

Shweta Mathur 27,131 Reputation points Microsoft Employee

2022-05-17T07:34:39.107+00:00

Hi @ AppmanagerZohocorp-9645,

Thanks for the update and apologies for delay in response.

Unfortunately, Environment variables to secure the credentials is not supported by Azure CLI.

However, there are alternatives to secure the credentials using CLI and can call non-interactively.

Certificate based authentication - This will allow to authenticate securely with certificates which can be stored in Azure Key Vault and can be retrieved using private key. To sign in with a certificate, it must be available locally as a PEM or DER file, in ASCII format and need to provide the path of certificate in Azure CLI.

az login --service-principal --username appID --tenant tenantID --password /path/to/cert

Sign in with Managed Identity - allow you to manage credentials by own, Azure provides the managed identity to authenticate to any resource without managing the credentials.

You can sign in with managed identity in Azure CLI using az login --identity

Manage identities allows you to manage identity using user-based identity if there are multiple users assigned and system-based for service instance.

Hope this will help to secure the credentials programmatically.

Thanks,
Shweta

Shweta Mathur 27,131 Reputation points Microsoft Employee

2022-05-20T12:34:38.81+00:00

Hi @ AppmanagerZohocorp-9645,

Just wanted to know, did you get a chance to look the above situation. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.

Thanks,
Shweta
Sign in to comment