| title | description | services | author | ms.author | tags | ms.service | ms.workload | ms.tgt_pltfrm | ms.topic | ms.date |
|---|---|---|---|---|---|---|---|---|---|---|
Acquiring a user token in Azure Cloud Shell |
How to acquire a token for the authenticated user in Azure Cloud Shell |
azure |
maertendMSFT |
damaerte |
azure-resource-manager |
azure |
infrastructure-services |
vm-linux |
article |
09/29/2021 |
Azure Cloud Shell provides an endpoint that will automatically authenticate the user logged into the Azure portal. Use this endpoint to acquire access tokens to interact with Azure services.
The Azure Cloud Shell has its own endpoint that interacts with your browser to automatically log you in. When this endpoint receives a request, it sends the request back to your browser, which forwards it to the parent Portal frame. The Portal window makes a request to Azure Active Directory, and the resulting token is returned.
If you want to authenticate with different credentials, you can do so using az login or Connect-AzAccount
Execute the following commands to set your user access token as an environment variable, access_token.
response=$(curl http://localhost:50342/oauth2/token --data "resource=https://management.azure.com/" -H Metadata:true -s)
access_token=$(echo $response | python -c 'import sys, json; print (json.load(sys.stdin)["access_token"])')
echo The access token is $access_token
Execute the following command to get a list of all Virtual Machines in your account, using the token you acquired in the previous step.
curl https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2021-07-01 -H "Authorization: Bearer $access_token" -H "x-ms-version: 2019-02-02"
The local authentication endpoint caches tokens. You can call it as often as you like, and an authentication call to Azure Active Directory will only happen if there's no token stored in the cache, or the token is expired.
- There's an allowlist of resources that Cloud Shell tokens can be provided for. If you run a command and receive a message similar to
"error":{"code":"AudienceNotSupported","message":"Audience https://newservice.azure.com/ is not a supported MSI token audience...."}, you've come across this limitation. You can file an issue on GitHub to request that this service is added to the allowlist. - If you log in explicitly using the
az logincommand, any Conditional Access rules your company may have in place will be evaluated based on the Cloud Shell container rather than the machine where your browser runs. The Cloud Shell container doesn’t count as a managed device for these policies so rights may be limited by the policy. - Azure Managed Identities aren't available in the Azure Cloud Shell. Read more about Azure Managed Identities.