[App Service] az webapp deploy: Change get_bearer_token to use App Service Audience#31988
✔️ AzureCLI-FullTest
✔️ AzureCLI-BreakingChangeTest

Hi @dannysongg,

Thank you for your contribution! We will review the pull request and get back to you soon.

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
Pull Request Overview

This PR updates the az webapp deploy command to use App Service-specific audience for authentication instead of the broader ARM audience, improving security hygiene by scoping down token permissions.

Key Changes:
- Modified `get_bearer_token()` function to use `app_service_resource_id` instead of `active_directory_resource_id`
- Added `app_service_resource_id` endpoint to the cloud configuration for all Azure cloud environments
- Updated cloud endpoint mappings to support the new App Service resource ID

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| src/azure-cli/azure/cli/command_modules/appservice/custom.py | Updated token acquisition to use App Service audience |
| src/azure-cli-core/azure/cli/core/cloud.py | Added App Service resource ID endpoints for all cloud environments |
61adaf8 to e21d8d2
please add some tests for the change to ensure it works well.

Please note that the Azure CLI release process will begin on 09/30/2025 at 07:00 UTC. If this PR is intended for the upcoming release, kindly resolve the comments as soon as possible, otherwise it will need to be postponed to the next sprint.

@yanzhudd This change does not touch the functionality of the command. It only changes the token audience that is used for authentication. The existing test will still cover this change, as it will be using the new token audience.

/azp run

Azure Pipelines successfully started running 3 pipeline(s).

Hi @dannysongg

@yanzhudd the new release note looks good to me

Related command

az webapp deploy

Description

Adding app_service_resource_id to the cloud config. Public cloud is mapped to the App Service audience (https://appservice.azure.com). MC and FF are mapped to the existing ARM audience (https://management.core.windows.net/) until token acquisition is fully supported by the App Service audience in those regional clouds. It will be switched to https://appservice.azure.com once supported.

get_bearer_token() will begin using the App Service audience (https://appservice.azure.com) instead of ARM (https://management.core.windows.net/) to communicate with the SCM site for security hygiene.

Testing Guide

Tested az webapp deploy --resource-group {rg-name} --name {app-name} --src-path {artifact-path} --debug to ensure that https://appservice.azure.com is being used to fetch the bearer token.

History Notes

[App Service] az webapp deploy: Change the token retrieval function to use the App Service Audience

This checklist is used to make sure that common guidelines for a pull request are followed.
- The PR title and description have followed the guideline in Submitting Pull Requests.
- I adhere to the Command Guidelines.
- I adhere to the Error Handling Guidelines.
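As an added illustration of what the description above means in practice (this is example code written for this page, not azure-cli's own implementation and not part of the PR diff): a per-cloud endpoint table with an `app_service_resource_id` entry, a `get_bearer_token`-style helper that derives the token scope from that entry instead of from `active_directory_resource_id`, and the check the SCM side should apply, namely that the token's `aud` claim matches the App Service resource for that cloud. The cloud names are azure-cli's public ones; the mapping follows the description (public cloud to https://appservice.azure.com, MC and FF to the ARM audience for now). `CLOUD_ENDPOINTS`, `FakeCredential`, `audience_of` and `token_accepted_by_scm` are names assumed for this example, and the credential mints unsigned, constructed tokens so the audience can be inspected offline.

```python
"""Model of the audience-scoping change (added example, not azure-cli code).

Assumed names: CLOUD_ENDPOINTS, FakeCredential, get_bearer_token, audience_of,
token_accepted_by_scm. The per-cloud mapping mirrors the PR description.
"""
import base64
import json
import time

APP_SERVICE_AUDIENCE = "https://appservice.azure.com"
ARM_AUDIENCE = "https://management.core.windows.net/"

# Per-cloud endpoint table, modelled on the app_service_resource_id mapping in the PR.
CLOUD_ENDPOINTS = {
    "AzureCloud": {
        "active_directory_resource_id": ARM_AUDIENCE,
        "app_service_resource_id": APP_SERVICE_AUDIENCE,
    },
    "AzureChinaCloud": {  # MC: stays on the ARM audience until supported
        "active_directory_resource_id": ARM_AUDIENCE,
        "app_service_resource_id": ARM_AUDIENCE,
    },
    "AzureUSGovernment": {  # FF: same interim mapping
        "active_directory_resource_id": ARM_AUDIENCE,
        "app_service_resource_id": ARM_AUDIENCE,
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class FakeCredential:
    """Constructed stand-in for a TokenCredential: get_token(scope) -> unsigned demo JWT.

    A real credential returns a token signed by Entra ID; this one only encodes the
    claims so 'aud' can be read offline. Unsigned tokens are for illustration only.
    """

    def get_token(self, scope: str) -> str:
        # The token audience is derived from the resource part of the scope.
        audience = scope[: -len("/.default")] if scope.endswith("/.default") else scope
        header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
        payload = _b64url(json.dumps({"aud": audience, "exp": int(time.time()) + 3600}).encode())
        return f"{header}.{payload}."


def get_bearer_token(credential, cloud_name: str,
                     endpoint_key: str = "app_service_resource_id") -> str:
    """Fetch a token scoped to the cloud's App Service resource (post-PR behaviour).

    endpoint_key="active_directory_resource_id" reproduces the pre-PR ARM audience.
    """
    resource = CLOUD_ENDPOINTS[cloud_name][endpoint_key]
    scope = resource.rstrip("/") + "/.default"
    return credential.get_token(scope)


def audience_of(token: str) -> str:
    """Read the 'aud' claim from a JWT payload (no signature check: inspection only)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))["aud"]


def token_accepted_by_scm(token: str, cloud_name: str) -> bool:
    """What the SCM (Kudu) site should enforce: the audience must be the App Service
    resource configured for that cloud. Trailing slashes are normalised because
    resource identifiers appear both with and without one."""
    expected = CLOUD_ENDPOINTS[cloud_name]["app_service_resource_id"]
    return audience_of(token).rstrip("/") == expected.rstrip("/")


if __name__ == "__main__":
    cred = FakeCredential()
    new = get_bearer_token(cred, "AzureCloud")
    old = get_bearer_token(cred, "AzureCloud", "active_directory_resource_id")
    print("post-PR audience:", audience_of(new))
    print("pre-PR audience: ", audience_of(old))
    print("ARM-scoped token accepted by SCM?", token_accepted_by_scm(old, "AzureCloud"))
    print("MC audience:     ", audience_of(get_bearer_token(cred, "AzureChinaCloud")))
```

The point the check makes visible is the one the description calls security hygiene: a token minted for the ARM audience is valid against the whole management plane, so presenting it to the SCM site is over-scoped, whereas a token minted for the App Service audience is only good for that surface. For MC and FF the mapping keeps both keys equal, so the helper returns the same ARM-audience token either way until those clouds support the App Service audience.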