Better support for deploying to non-home tenant #1964
Conversation
|
CCing everyone who I've discussed DefaultAzureCredential woes with :) |
app/backend/prepdocs.py
Outdated
| azd_credential = AzureDeveloperCliCredential(tenant_id=args.tenantid, process_timeout=60) | ||
| else: | ||
| logger.info("Connecting to Azure services using the azd credential for home tenant") | ||
| azd_credential = AzureDeveloperCliCredential() |
There was a problem hiding this comment.
Why does this one not have the same timeout?
There was a problem hiding this comment.
I don't know! I thought about removing it for consistency but then thought I shouldnt change things I dont know the origin for. Maybe @mattgotteiner recalls a reason?
There was a problem hiding this comment.
Maybe we should put the timeout in both, just to give the credential more time to come back locally.
There was a problem hiding this comment.
I don't think adding the timeout will have much issue. Sure, we can add it to both
Co-authored-by: Anthony Shaw <anthony.p.shaw@gmail.com>
| @@ -22,7 +22,9 @@ jobs: | |||
| - name: Build Bicep for linting | |||
| uses: azure/CLI@v2 | |||
| with: | |||
| inlineScript: az config set bicep.use_binary_from_path=false && az bicep build -f infra/main.bicep --stdout | |||
| inlineScript: | | |||
| export DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 | |||
There was a problem hiding this comment.
Fix for AZ CLI regression-
Azure/azure-cli#29828
|
@mattgotteiner It works only if you're also logged into Azure CLI and have explicitly set your tenant's subscription to the one that was used in the app. So I think it's safer to go with the more explicit credential. We'll see if we get more/less issues with this sort of approach. |
Purpose
I've been deploying to my non-home tenant this week, and it's been tricky since DefaultAzureCredential doesn't necessarily know which tenant to use. Its chain is:
So sometimes my DAC will work, if I've got my az or env setup right, but often it will break.
This change makes our code more explicitly pass in the tenant_id for local use, which should be set by the azd up process.
However, its slightly backward incompatible as we were bringing tenantId into main.parameters.json, which was overriding what would otherwise be a correctly output tenantId and setting it to an empty string. So some developers may need to re-run azd provision, or go into their .env and set AZURE_TENANT_ID="" there, to get local dev working again.
Does this introduce a breaking change?
When developers merge from main and run the server, azd up, or azd deploy, will this produce an error?
If you're not sure, try it out on an old environment.
Does this require changes to learn.microsoft.com docs?
This repository is referenced by this tutorial
which includes deployment, settings and usage instructions. If text or screenshot need to change in the tutorial,
check the box below and notify the tutorial author. A Microsoft employee can do this for you if you're an external contributor.
Type of change
Code quality checklist
See CONTRIBUTING.md for more details.
python -m pytest).python -m pytest --covto verify 100% coverage of added linespython -m mypyto check for type errorsruffandblackmanually on my code.