[App Config] az appconfig: Add anonymous auth mode #32639
️✔️AzureCLI-FullTest
| rule | cmd_name | rule_message | suggest_message |
|---|---|---|---|
| | appconfig feature delete | cmd appconfig feature delete update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature disable | cmd appconfig feature disable update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature enable | cmd appconfig feature enable update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature filter add | cmd appconfig feature filter add update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature filter delete | cmd appconfig feature filter delete update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature filter list | cmd appconfig feature filter list update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature filter show | cmd appconfig feature filter show update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature filter update | cmd appconfig feature filter update update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature list | cmd appconfig feature list update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature lock | cmd appconfig feature lock update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature set | cmd appconfig feature set update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature show | cmd appconfig feature show update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig feature unlock | cmd appconfig feature unlock update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv delete | cmd appconfig kv delete update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv export | cmd appconfig kv export update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv export | cmd appconfig kv export update parameter dest_auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv import | cmd appconfig kv import update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv import | cmd appconfig kv import update parameter src_auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv list | cmd appconfig kv list update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv lock | cmd appconfig kv lock update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv restore | cmd appconfig kv restore update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv set | cmd appconfig kv set update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv set-keyvault | cmd appconfig kv set-keyvault update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv show | cmd appconfig kv show update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig kv unlock | cmd appconfig kv unlock update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig revision list | cmd appconfig revision list update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig snapshot archive | cmd appconfig snapshot archive update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig snapshot create | cmd appconfig snapshot create update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig snapshot list | cmd appconfig snapshot list update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig snapshot recover | cmd appconfig snapshot recover update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
| | appconfig snapshot show | cmd appconfig snapshot show update parameter auth_mode: updated property choices from ['key', 'login'] to ['anonymous', 'key', 'login'] | |
Thank you for your contribution! We will review the pull request and get back to you soon.
The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR. Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>
| if auth_mode == "anonymous": | ||
| try: | ||
| connection_string = "Endpoint={};Id=test-id;Secret=abcdefghijklmnopqrstuvwxyz1234567890".format(endpoint) |
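Review bot: On the `connection_string = ...format(endpoint)` line, `endpoint` is interpolated without a visible check that it was supplied, so unless a check outside these lines prevents it, a missing `--endpoint` in anonymous mode would yield `Endpoint=None;...` instead of a clear error. Validate `endpoint` before formatting. The hard-coded `Id=test-id` and `Secret=...` values also mean the anonymous path still carries placeholder credential material; building the client from the endpoint alone would avoid that.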
Instead of faking a connection string, can we rather pass endpoint and an AzureKeyCredential with an empty secret? e.g.,
```python
azconfig_client = AzureAppConfigurationClient(credential=AzureKeyCredential(""),
                                              base_url=endpoint,
                                              user_agent=HttpHeaders.USER_AGENT)
```
Makes sense to me. Updated
Pull request overview
Copilot reviewed 8 out of 27 changed files in this pull request and generated 2 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…istineWanjau/azure-cli into cwanjau/addAnonymousAuthMode
| self.cmd('appconfig kv list --auth-mode login --endpoint http://localhost:8080') | ||
|
|
||
| # key auth mode with http endpoint in connection string should fail | ||
| with self.assertRaisesRegex(CLIError, "HTTP endpoint is only supported when auth mode is 'anonymous'."): |
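Review bot: The second argument to `assertRaisesRegex` is treated as a regular expression, so the trailing `.` in the expected message matches any character rather than a literal period. Wrap the message in `re.escape(...)` (or escape the period) so the test pins the exact error text. The comment above it describes a key-mode connection-string case, while the preceding visible call uses `--auth-mode login --endpoint`; a short comment on each case would make the intent of each assertion clear.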
Is there no successful state we can test? I'm assuming that is hard as we might not have a way to use the emulator.
Right now, there isn’t a great way to use the emulator. The CLI tests we have are all integration tests, and I’m not sure there’s a better option unless we add unit tests and mock an emulator.
Do they not allow mock tests at all? I know the SDKs lean towards live but allow actual unit tests.
I am wondering what this would look like. The only way I think we can verify is if we can somehow get request headers from the client and confirm that no auth header is passed.
| c.argument('fields', arg_type=fields_arg_type) | ||
| c.argument('endpoint', help='If auth mode is "login", provide endpoint URL of the App Configuration store. The endpoint can be retrieved using "az appconfig show" command. You can configure the default endpoint using `az configure --defaults appconfig_endpoint=<endpoint>`', configured_default='appconfig_endpoint') | ||
| c.argument('auth_mode', arg_type=get_enum_type(['login', 'key']), configured_default='appconfig_auth_mode', validator=validate_auth_mode, | ||
| c.argument('endpoint', help='If auth mode is "login" or "anonymous", provide endpoint URL of the App Configuration store. The endpoint can be retrieved using "az appconfig show" command. You can configure the default endpoint using `az configure --defaults appconfig_endpoint=<endpoint>`', configured_default='appconfig_endpoint') |
Is saying anonymous useful here, as the simulator is also a requirement? It could mislead someone into thinking our service allows it.
Maybe we can mention in our help texts anonymous is only used with the app configuration emulator?
| if endpoint and is_http_endpoint(endpoint): | ||
| raise CLIError("HTTP endpoint is only supported when auth mode is 'anonymous'.") | ||
|
|
||
| if connection_string: | ||
| conn_endpoint = get_store_endpoint_from_connection_string(connection_string) | ||
| if is_http_endpoint(conn_endpoint): | ||
| raise CLIError("HTTP endpoint is only supported when auth mode is 'anonymous'.") |
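Review bot: In the `if connection_string:` branch, `is_http_endpoint(conn_endpoint)` is called without the truthiness guard used in the first check (`if endpoint and is_http_endpoint(endpoint)`). If `get_store_endpoint_from_connection_string` can return None or an empty value for a malformed connection string, this would surface an unrelated exception instead of a `CLIError`. Use `if conn_endpoint and is_http_endpoint(conn_endpoint):`, or confirm the helper raises on malformed input.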
| if endpoint and is_http_endpoint(endpoint): | |
| raise CLIError("HTTP endpoint is only supported when auth mode is 'anonymous'.") | |
| if connection_string: | |
| conn_endpoint = get_store_endpoint_from_connection_string(connection_string) | |
| if is_http_endpoint(conn_endpoint): | |
| raise CLIError("HTTP endpoint is only supported when auth mode is 'anonymous'.") | |
| if connection_string: | |
| endpoint = get_store_endpoint_from_connection_string(connection_string) | |
| if endpoint and is_http_endpoint(endpoint): | |
| raise CLIError("HTTP endpoint is only supported when auth mode is 'anonymous'.") |
I'm not sure if this works with line 83 as I'm not familiar with namespace.name, but you could always add a line before to get a temp value so we don't have this twice.
Sorry, I am not sure I understand. Getting the endpoint parameter twice?
We don't get the same endpoint twice, but we have two code blocks that both check the endpoint, only one is needed, unless it messes with the line mentioned below.
I see what you mean. A case where both the endpoint and connection string are provided then we will overwrite the endpoint, which might be problematic.
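A single-pass form of the check discussed in this thread, as an added example (not code from the PR or from azure-cli): both sources are collected into a list, so the `--endpoint` value is never overwritten by the connection string's endpoint and the HTTP test is written once. `CLIError`, `HTTP_ERROR`, `validate_endpoint_scheme` and the bodies of `is_http_endpoint` and `get_store_endpoint_from_connection_string` are stand-ins written for this example, and the sample inputs are constructed.

```python
from urllib.parse import urlsplit

HTTP_ERROR = "HTTP endpoint is only supported when auth mode is 'anonymous'."


class CLIError(Exception):
    """Stand-in for the CLI's error type so this example runs on its own."""


def is_http_endpoint(endpoint):
    # Assumed behaviour: true only for the plain-HTTP scheme, any letter case.
    return urlsplit(endpoint.strip()).scheme == "http"


def get_store_endpoint_from_connection_string(connection_string):
    # Assumed behaviour: return the Endpoint= segment, or None if it is absent.
    for segment in connection_string.split(";"):
        key, _, value = segment.partition("=")
        if key.strip().lower() == "endpoint" and value.strip():
            return value.strip()
    return None


def validate_endpoint_scheme(auth_mode, endpoint=None, connection_string=None):
    """Return every endpoint that was checked; raise CLIError on a violation."""
    checked = []
    if endpoint:
        checked.append(endpoint)
    if connection_string:
        # Separate variable: the value of --endpoint is never overwritten.
        conn_endpoint = get_store_endpoint_from_connection_string(connection_string)
        if conn_endpoint:  # a malformed string yields None and is skipped
            checked.append(conn_endpoint)
    if auth_mode != "anonymous" and any(is_http_endpoint(e) for e in checked):
        raise CLIError(HTTP_ERROR)
    return checked


# Constructed sample inputs (not taken from the PR's tests).
if __name__ == "__main__":
    print(validate_endpoint_scheme("anonymous", endpoint="http://localhost:8080"))
    try:
        validate_endpoint_scheme(
            "key", endpoint="https://store.example",
            connection_string="Endpoint=http://localhost:8080;Id=x;Secret=y=")
    except CLIError as err:
        print("rejected:", err)
```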
| help='This parameter can be used for indicating how a data operation is to be authorized. ' + | ||
| 'If the auth mode is "key", provide connection string or store name and your account access keys will be retrieved for authorization. ' + | ||
| 'If the auth mode is "login", provide the `--endpoint` or `--name` and your "az login" credentials will be used for authorization. ' + | ||
| 'If the auth mode is "anonymous", provide the `--endpoint` that will be used for authorization. Anonymous mode only allows HTTP endpoints. ' + |
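Review bot: In the `anonymous` sentence of this help string, "provide the `--endpoint` that will be used for authorization" reads as if the endpoint itself authorizes the request, which contradicts a mode named anonymous. Say what the mode does instead, for example that the request is sent to `--endpoint` without credentials, and keep the "only allows HTTP endpoints" restriction next to it so users see both constraints together.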
I would update this slightly to say the following:
If the auth mode is "anonymous", provide the --endpoint that will be used for authorization. Anonymous mode is intended for custom endpoints only, such as the App Configuration emulator.
@mrm9084 thoughts?
Can you please update the sdk version here too?
@yanzhudd @zhoxing-ms this PR is ready to merge
Related command
az appconfig
Description
This PR adds a new anonymous auth mode that is only used with http endpoints.
Testing Guide
az appconfig kv list --auth-mode anonymous --endpoint http://example.com
History Notes
[App Config] az appconfig: Add option `anonymous` for `--auth-mode` parameter
This checklist is used to make sure that common guidelines for a pull request are followed.
The PR title and description has followed the guideline in Submitting Pull Requests.
I adhere to the Command Guidelines.
I adhere to the Error Handling Guidelines.