[Enhancement Proposal] Support --subscription in az login #14933

@jiasli

Description

Issue

Sometimes, the user's account has access to many subscriptions (for example, over 300) (MicrosoftDocs/azure-docs-cli#2148). Listing subscriptions can be slow.

Proposal

A parameter --subscription can be added to explicitly select the subscription without calling Subscriptions - List API.

If --tenant is not provided, CLI needs to find in which tenant the subscription resides, but that introduces some problems:

  1. Finding the tenant of a subscription requires calling Subscriptions - List API. It is not possible to query the tenant of a subscription without using the tenant's token - a deadlock. To break the deadlock, a trial-and-error approach can be used (shown below). This would still require listing all tenants.
  2. If the subscription can be accessed from multiple tenants, CLI can't detect which tenant to use.

A simple solution is to force --subscription to be used together with --tenant. Once --tenant and --subscription are provided, CLI can call Subscriptions - Get to retrieve further information for this subscription without listing all tenants and subscriptions.

az login will then look like:

> az login --tenant 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a --subscription 0b1f6471-1bf0-4dda-aec3-cb9272f09590
[
  {
    "cloudName": "AzureCloud",
    "homeTenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "id": "0b1f6471-1bf0-4dda-aec3-cb9272f09590",
    "isDefault": false,
    "managedByTenants": [
      {
        "tenantId": "2f4a9838-26b7-47ee-be60-ccc1fdec5953"
      }
    ],
    "name": "AzureSDKTest",
    "state": "Enabled",
    "tenantId": "54826b22-38d6-4fb2-bad9-b7b93a3e9c5a",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]

Additional information

The PowerShell cmdlet Connect-AzAccount already supports -Subscription (SubscriptionName, SubscriptionId). For example:

Connect-AzAccount -Tenant 'xxxx-xxxx-xxxx-xxxx' -SubscriptionId 'yyyy-yyyy-yyyy-yyyy'

Account                SubscriptionName TenantId                Environment
-------                ---------------- --------                -----------
[email protected]  Subscription1    xxxx-xxxx-xxxx-xxxx     AzureCloud

However, PowerShell supports providing -Subscription without -Tenant, which will trigger Tenants - List:

> Connect-AzAccount -Subscription 0b1f6471-1bf0-4dda-aec3-cb9272f09590 -Debug
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/tenants?api-version=2016-06-01

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Body:
{
  "value": [
    {
      "id": "/tenants/72f988bf-86f1-41af-91ab-2d7cd011db47",
      "tenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47"
    },
    {
      "id": "/tenants/246b1785-9030-40d8-a0f0-d94b15dc002c",
      "tenantId": "246b1785-9030-40d8-a0f0-d94b15dc002c"
    },
    ...
  ]
}

Then it tries the home tenant token on the subscription:

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/0b1f6471-1bf0-4dda-aec3-cb9272f09590?api-version=2016-06-01


DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Unauthorized

Body:
{
  "error": {
    "code": "InvalidAuthenticationTokenTenant",
    "message": "The access token is from the wrong issuer 'https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/'. It must match one of the tenants 'https://sts.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953/,https://sts.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a/' associated with this subscription. Please use any authority (URL) from 'https://login.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953,https://login.windows.net/54826b22-38d6-4fb2-bad9-b7b93a3e9c5a' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
  }
}

However, this solution is problematic: if the subscription can be accessed from multiple tenants, it can't detect which tenant to use.
