{"id":18494214,"url":"https://github.com/workleap/azure-cli-credentials-proxy","last_synced_at":"2025-04-08T22:31:05.472Z","repository":{"id":152608555,"uuid":"626117183","full_name":"workleap/azure-cli-credentials-proxy","owner":"workleap","description":"Azure CLI developer credential proxy for Docker, designed for use in local development environments.","archived":false,"fork":false,"pushed_at":"2025-04-08T02:35:11.000Z","size":98,"stargazers_count":34,"open_issues_count":2,"forks_count":8,"subscribers_count":27,"default_branch":"main","last_synced_at":"2025-04-08T03:29:45.834Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/workleap.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-04-10T20:44:56.000Z","updated_at":"2025-04-07T13:50:02.000Z","dependencies_parsed_at":"2023-10-11T21:22:44.490Z","dependency_job_id":"8968288b-ea78-4506-ba19-442b93d0790c","html_url":"https://github.com/workleap/azure-cli-credentials-proxy","commit_stats":null,"previous_names":["workleap/azure-cli-credentials-proxy","gsoft-inc/azure-cli-credentials-proxy"],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/workleap%2Fazure-cli-credentials-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/workleap%2Fazure-cli-credentials-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/workleap%2
Fazure-cli-credentials-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/workleap%2Fazure-cli-credentials-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/workleap","download_url":"https://codeload.github.com/workleap/azure-cli-credentials-proxy/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247939996,"owners_count":21021885,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-06T13:18:24.251Z","updated_at":"2025-04-08T22:31:00.463Z","avatar_url":"https://github.com/workleap.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Azure CLI developer credentials proxy for Docker\n\n[![Docker Hub](https://img.shields.io/docker/v/workleap/azure-cli-credentials-proxy?logo=docker)](https://hub.docker.com/r/workleap/azure-cli-credentials-proxy)\n\nThis simple containerized application acts as a proxy, **allowing other containerized applications to access Azure developer credentials without installing Azure CLI on each individual container**. 
It is designed for use in local development environments only.\n\n\n## Getting started\n\nAdd `workleap/azure-cli-credentials-proxy:latest` to your `docker-compose.yml` and mount your Linux or WSL `~/.azure/` directory:\n\n```yaml\nversion: \"3\"\n\nservices:\n  azclicredsproxy:\n    image: workleap/azure-cli-credentials-proxy:latest\n    ports:\n      - \"8080:8080\"\n    volumes:\n      - \"\\\\\\\\wsl$\\\\\u003cDISTRONAME\u003e\\\\home\\\\\u003cUSERNAME\u003e\\\\.azure\\\\:/app/.azure/\" # On Windows with WSL\n      - \"/home/\u003cUSERNAME\u003e/.azure:/app/.azure/\" # On Linux\n```\n\nFinally, add two environment variables to your containerized applications that use `DefaultAzureCredential` or `ManagedIdentityCredential`:\n\n```yaml\nversion: \"3\"\n\nservices:\n  # azclicredsproxy: [...]\n\n  myservice:\n    build: .\n    depends_on:\n      - azclicredsproxy\n    environment:\n      - \"IDENTITY_ENDPOINT=http://azclicredsproxy:8080/token\"\n      - \"IMDS_ENDPOINT=dummy_required_value\"\n      # Specify MSI_ENDPOINT below if using \"az login --identity\" in your service.\n      - \"MSI_ENDPOINT=http://azclicredsproxy:8080/token\"\n```\n\n\n## Motivation\n\nWhen developers run services on their operating system, they use their personal *Azure identity* (`username@company.com`) to access protected Azure resources, thanks to [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/). 
The `az login` command caches Azure personal credentials in a local `~/.azure/` directory, which is then used by `AzureCliCredential`, one of the credential types chained by `DefaultAzureCredential`.\n\nWhen these services run in Azure cloud (App Service, AKS, etc.), protected Azure resources are typically accessed using `ManagedIdentityCredential`, which uses a service principal-based Azure identity authentication mechanism also included in `DefaultAzureCredential`.\n\nHowever, **when developers attempt to run these same services in Docker locally**, the Docker images do not include Azure CLI. These images also lack access to a service principal. While Dockerfiles can be modified to install Azure CLI, and containers can mount the local `~/.azure/` directory, there are several disadvantages:\n\n* Azure CLI is not suitable for production as an authentication mechanism\n* Azure CLI adds a significant 1GB to the Docker image\n\n\u003cimg src=\"https://user-images.githubusercontent.com/14242083/224446793-33930f7f-03b6-4447-8c80-b3b241caba64.png\" width=\"800\" /\u003e\n\nDespite these issues, developers often use their personal Azure identity in local Docker containers. A [GitHub issue](https://github.com/Azure/azure-sdk-for-net/issues/19167) created in March 2021 remains open.\n\n\n## Solution\n\nInstead of installing Azure CLI in each service, we can run one additional container - a proxy - which is the only container that contains Azure CLI and mounts `~/.azure/`. 
This container exposes a single endpoint that returns the Azure developer credentials retrieved with Azure CLI.\n\nThen, we must add two environment variables to each service:\n\n* `IDENTITY_ENDPOINT`: the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`)\n* `IMDS_ENDPOINT`: an arbitrary but mandatory value (e.g., `random-placeholder`)\n\nWith these two environment variables, any service that uses `DefaultAzureCredential` or `ManagedIdentityCredential` will now call the proxy when Azure credentials are needed. This is because one of `ManagedIdentityCredential`'s [source implementations](https://github.com/Azure/azure-sdk-for-net/blob/Azure.Identity_1.6.0/sdk/identity/Azure.Identity/src/AzureArcManagedIdentitySource.cs) explicitly looks for both of these environment variables if they are specified.\n\n\u003e [!NOTE]\n\u003e If you are using `az cli` in your service and your service wants to do `az login --identity`, then set the `MSI_ENDPOINT` environment variable to the URL of the proxy endpoint (e.g., `http://azclicredsproxy:8080/token`) instead. `IDENTITY_ENDPOINT` and `IMDS_ENDPOINT` are not required for `az login --identity`.\n\nWith this proxy, Dockerfiles can remain untouched and production-ready. The proxy can easily be added to an existing `docker-compose.yml`, and the environment variables are also easy to add. Now, the containerized environment looks like this:\n\n\u003cimg src=\"https://user-images.githubusercontent.com/14242083/224446855-35880df8-1ccd-42df-b226-5afa7b93caa6.png\" width=\"800\" /\u003e\n\n\n## Notes\n\nKeep in mind that you cannot mount a Windows-based `~/.azure/` credentials directory to a Linux container. On Windows, the credentials file cache is a binary file encrypted with [DPAPI](https://learn.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection). 
On Linux, DPAPI is not supported and the file is not encrypted.\n\nThe solution is to use `az login` on your WSL distribution and mount `\\\\wsl$\\Ubuntu\\home\\\u003cWSLUSERNAME\u003e\\.azure\\` instead of `%USERPROFILE%\\.azure\\`.\n\n\n## License\n\nCopyright © 2023, [Workleap Inc.](https://workleap.com/). This code is licensed under the Apache License, Version 2.0. You may obtain a copy of this license at https://github.com/gsoft-inc/gsoft-license/blob/master/LICENSE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworkleap%2Fazure-cli-credentials-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fworkleap%2Fazure-cli-credentials-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fworkleap%2Fazure-cli-credentials-proxy/lists"}