Azure · Sruuujaaan · Apr 30, 2025 · Apr 30, 2025 · Apr 30, 2025 · May 1, 2025
@@ -7,15 +7,28 @@
 from azure.cli.core import AzCommandsLoader
 from azure.cli.core.profiles import ResourceType
 
-
 class IdentityCommandsLoader(AzCommandsLoader):
 
     def __init__(self, cli_ctx=None):
         from azure.cli.core.commands import CliCommandType
-        identity_custom = CliCommandType(operations_tmpl='azure.cli.command_modules.identity.custom#{}')
+        from azure.cli.command_modules.identity._client_factory import (_msi_user_identities_operations,
+                                                                      _msi_federated_identity_credentials_operations)
+
+        # Base identity commands
+        identity_custom = CliCommandType(
+            operations_tmpl='azure.cli.command_modules.identity.custom#{}',
+            client_factory=_msi_user_identities_operations
+        )
+
+        # Federated credential commands
+        federated_identity_custom = CliCommandType(
+            operations_tmpl='azure.cli.command_modules.identity.custom#{}',
+            client_factory=_msi_federated_identity_credentials_operations
+        )
+
         super().__init__(cli_ctx=cli_ctx,
-                         resource_type=ResourceType.MGMT_MSI,
-                         custom_command_type=identity_custom)
+                        resource_type=ResourceType.MGMT_MSI,
+                        custom_command_type=identity_custom)
 
     def load_command_table(self, args):
         from azure.cli.command_modules.identity.commands import load_command_table
@@ -26,5 +39,4 @@ def load_arguments(self, command):
         from azure.cli.command_modules.identity._params import load_arguments
         load_arguments(self, command)
 
-
 COMMAND_LOADER_CLS = IdentityCommandsLoader
@@ -26,5 +26,9 @@ def _msi_operations_operations(cli_ctx, _):
     return _msi_client_factory(cli_ctx).operations
 
 
-def _msi_federated_identity_credentials_operations(cli_ctx, _):
-    return _msi_client_factory(cli_ctx).federated_identity_credentials
+def _msi_federated_identity_credentials_operations(cli_ctx, **_):
+    """
+    api version is specified for federated identity credentials command because new api version (2023-01-31) of MSI does not support
+    flexible fic command. In order to avoid a breaking change, multi-api package is used.
+    """
+    return _msi_client_factory(cli_ctx, api_version='2025-01-31-PREVIEW').federated_identity_credentials
@@ -3,8 +3,6 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-# pylint: disable=line-too-long, too-many-lines
-
 from knack.help_files import helps
 
 helps['identity'] = """
@@ -14,7 +12,7 @@
 
 helps['identity create'] = """
 type: command
-short-summary: Create Identities.
+short-summary: Create an identity.
 examples:
   - name: Create an identity.
     text: |
@@ -36,52 +34,71 @@
 short-summary: List the associated resources for the identity.
 """
 
+helps['identity show'] = """
+type: command
+short-summary: Show the details of a managed identity.
+"""
+
+helps['identity delete'] = """
+type: command
+short-summary: Delete a managed identity.
+"""
+
 helps['identity federated-credential'] = """
 type: group
-short-summary: Manage federated identity credentials under user assigned identities.
+short-summary: [Preview] Manage federated credentials under managed identities.
 """
 
 helps['identity federated-credential create'] = """
 type: command
-short-summary: Create a federated identity credential under an existing user assigned identity.
+short-summary: [Preview] Create a federated credential.
+parameters:
+  - name: --name -n
+    type: string
+    short-summary: Name of the federated credential.
+    long-summary: Must start with a letter or number, and can contain letters, numbers, underscores, and hyphens. Length must be between 3-120 characters.
+  - name: --identity-name
+    type: string
+    short-summary: Name of the managed identity.
+  - name: --issuer 
+    type: string
+    short-summary: The URL of the issuer to be trusted.
+    long-summary: For GitHub Actions, use 'https://token.actions.githubusercontent.com'
+  - name: --subject
+    type: string
+    short-summary: The identifier of the external identity.
+    long-summary: Cannot be used with claims-matching-expression-* parameters.
+  - name: --audiences
+    type: array
+    short-summary: List of audiences that can appear in the issued token.
 examples:
-  - name: Create a federated identity credential under a specific user assigned identity.
+  - name: Create a federated identity credential with subject matching
     text: |
-        az identity federated-credential create --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+        az identity federated-credential create -g MyResourceGroup --identity-name MyIdentity -n MyFicName \\
+            --issuer https://token.actions.githubusercontent.com \\
+            --subject "system:serviceaccount:ns:svcaccount" \\
+            --audiences api://AzureADTokenExchange
 """
 
 helps['identity federated-credential update'] = """
 type: command
-short-summary: Update a federated identity credential under an existing user assigned identity.
-examples:
-  - name: Update a federated identity credential under a specific user assigned identity.
-    text: |
-        az identity federated-credential update --name myFicName --identity-name myIdentityName --resource-group myResourceGroup --issuer myIssuer --subject mySubject --audiences myAudiences
+short-summary: [Preview] Update a federated credential.
 """
 
 helps['identity federated-credential delete'] = """
 type: command
-short-summary: Delete a federated identity credential under an existing user assigned identity.
+short-summary: [Preview] Delete a federated credential.
 examples:
-  - name: Delete a federated identity credential under a specific user assigned identity.
-    text: |
-        az identity federated-credential delete --name myFicName --identity-name myIdentityName --resource-group myResourceGroup
+  - name: Delete a federated credential
+    text: az identity federated-credential delete -g MyResourceGroup --identity-name MyIdentity -n MyFicName
 """
 
 helps['identity federated-credential show'] = """
 type: command
-short-summary: Show a federated identity credential under an existing user assigned identity.
-examples:
-  - name: Show a federated identity credential under a specific user assigned identity.
-    text: |
-        az identity federated-credential show --name myFicName --identity-name myIdentityName --resource-group myResourceGroup
+short-summary: [Preview] Show details of a federated credential.
 """
 
 helps['identity federated-credential list'] = """
 type: command
-short-summary: List all federated identity credentials under an existing user assigned identity.
-examples:
-  - name: List all federated identity credentials under an existing user assigned identity.
-    text: |
-        az identity federated-credential list --identity-name myIdentityName --resource-group myResourceGroup
+short-summary: [Preview] List all federated credentials for a managed identity.
 """
@@ -3,31 +3,58 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-# pylint: disable=line-too-long, too-many-lines
 from knack.arguments import CLIArgumentType
-
 from azure.cli.core.commands.parameters import get_location_type, tags_type
 
-
 name_arg_type = CLIArgumentType(options_list=('--name', '-n'), metavar='NAME',
-                                help='The name of the identity resource.')
-
+                               help='The name of the identity resource.')
 
 def load_arguments(self, _):
-
+    # Base identity parameters
     with self.argument_context('identity') as c:
         c.argument('resource_name', arg_type=name_arg_type, id_part='name')
 
     with self.argument_context('identity create') as c:
         c.argument('location', get_location_type(self.cli_ctx), required=False)
         c.argument('tags', tags_type)
 
-    with self.argument_context('identity federated-credential', min_api='2022-01-31-preview') as c:
-        c.argument('federated_credential_name', options_list=('--name', '-n'), help='The name of the federated identity credential resource.')
-        c.argument('identity_name', help='The name of the identity resource.')
-
-    for scope in ['identity federated-credential create', 'identity federated-credential update']:
-        with self.argument_context(scope) as c:
-            c.argument('issuer', help='The openId connect metadata URL of the issuer of the identity provider that Azure AD would use in the token exchange protocol for validating tokens before issuing a token as the user-assigned managed identity.')
-            c.argument('subject', help='The sub value in the token sent to Azure AD for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure AD to issue the access token.')
-            c.argument('audiences', nargs='+', help='The aud value in the token sent to Azure for getting the user-assigned managed identity token. The value configured in the federated credential and the one in the incoming token must exactly match for Azure to issue the access token.')
+    # Register federated-credential parameters as part of the identity group
+    with self.argument_context('identity federated-credential', is_preview=True) as c:
+        c.argument('federated_credential_name', options_list=('--name', '-n'),
+                  help='[Preview] The name of the federated identity credential resource. Must start with a letter, number and can contain letters, numbers, underscores, and hyphens. Length must be between 3-120 characters.',
+                  type=str)
+        c.argument('identity_name',
+                  help='[Preview] The name of the user assigned identity.')
+
+    # Register create/update specific parameters
+    with self.argument_context('identity federated-credential create', is_preview=True) as c:
+        c.argument('issuer',
+                  help='[Preview] The URL of the issuer to be trusted.',
+                  required=True)
+        c.argument('subject',
+                  help='[Preview] The identifier of the external identity. Cannot be used with claims-matching-expression-*.')
+        c.argument('audiences',
+                  nargs='+',
+                  help='[Preview] The list of audiences that can appear in the issued token.',
+                  required=True)
+        c.argument('claims_matching_expression_value',
+                  help='[Preview] The wildcard-based expression for matching incoming subject claims. Cannot be used with subject.')
+        c.argument('claims_matching_expression_version',
+                  type=int,
+                  help='[Preview] The version of the claims matching expression language.')
+
+    with self.argument_context('identity federated-credential update', is_preview=True) as c:
+        c.argument('issuer',
+                  help='[Preview] The URL of the issuer to be trusted.',
+                  required=True)
+        c.argument('subject',
+                  help='[Preview] The identifier of the external identity. Cannot be used with claims-matching-expression-*.')
+        c.argument('audiences',
+                  nargs='+',
+                  help='[Preview] The list of audiences that can appear in the issued token.',
+                  required=True)
+        c.argument('claims_matching_expression_value',
+                  help='[Preview] The wildcard-based expression for matching incoming subject claims. Cannot be used with subject.')
+        c.argument('claims_matching_expression_version',
+                  type=int,
+                  help='[Preview] The version of the claims matching expression language.')
@@ -3,45 +3,30 @@
 # Licensed under the MIT License. See License.txt in the project root for license information.
 # --------------------------------------------------------------------------------------------
 
-
 from azure.cli.core.commands import CliCommandType
 
-from ._client_factory import _msi_user_identities_operations, _msi_operations_operations, \
-    _msi_federated_identity_credentials_operations
-
+from ._client_factory import (_msi_user_identities_operations,
+                           _msi_operations_operations,
+                           _msi_federated_identity_credentials_operations)
 from ._validators import process_msi_namespace
 
-
 def load_command_table(self, _):
-
-    identity_sdk = CliCommandType(
-        operations_tmpl='azure.mgmt.msi.operations#UserAssignedIdentitiesOperations.{}',
-        client_factory=_msi_user_identities_operations
-    )
-    msi_operations_sdk = CliCommandType(
-        operations_tmpl='azure.mgmt.msi.operations#Operations.{}',
-        client_factory=_msi_operations_operations
-    )
-    federated_identity_credentials_sdk = CliCommandType(
-        operations_tmpl='azure.mgmt.msi.operations#FederatedIdentityCredentialsOperations.{}',
-        client_factory=_msi_federated_identity_credentials_operations
-    )
-
-    with self.command_group('identity', identity_sdk, client_factory=_msi_user_identities_operations) as g:
+    # Base operations
+    with self.command_group('identity') as g:
         g.custom_command('create', 'create_identity', validator=process_msi_namespace)
-        g.show_command('show', 'get')
-        g.command('delete', 'delete')
+        g.command('show', 'get', operations_tmpl='azure.mgmt.msi.operations#UserAssignedIdentitiesOperations.{}')
+        g.command('delete', 'delete', operations_tmpl='azure.mgmt.msi.operations#UserAssignedIdentitiesOperations.{}')
         g.custom_command('list', 'list_user_assigned_identities')
         g.custom_command('list-resources', 'list_identity_resources', min_api='2021-09-30-preview')
+        g.command('list-operations', 'list', operations_tmpl='azure.mgmt.msi.operations#Operations.{}')
 
-    with self.command_group('identity', msi_operations_sdk, client_factory=_msi_operations_operations) as g:
-        g.command('list-operations', 'list')
-
-    with self.command_group('identity federated-credential', federated_identity_credentials_sdk,
-                            client_factory=_msi_federated_identity_credentials_operations,
-                            min_api='2022-01-31-preview') as g:
+    # Federated credential operations
+    with self.command_group('identity federated-credential',
+                          operations_tmpl='azure.mgmt.msi.operations#FederatedIdentityCredentialsOperations.{}',
+                          client_factory=_msi_federated_identity_credentials_operations,
+                          is_preview=True) as g:
         g.custom_command('create', 'create_or_update_federated_credential')
         g.custom_command('update', 'create_or_update_federated_credential')
-        g.custom_show_command('show', 'show_federated_credential')
         g.custom_command('delete', 'delete_federated_credential', confirmation=True)
+        g.custom_command('show', 'show_federated_credential')
         g.custom_command('list', 'list_federated_credential')