Tags: azure, authentication, proxy, command-line-interface, kerberos

Proxy authentication for Azure CLI


For the Azure CLI, is there a way to use proxy authentication? Our proxy servers need all requests to be authenticated, and I do not see any documentation relating to this. Using the HTTP_PROXY environment variable, I can instruct the az cli to use a particular proxy server, but I cannot configure it to use proxy authentication, or, if there is a way to do this, I do not know it. Our proxy authentication has to be done through either NTLM or Kerberos.

Can the relevant team please check if we can configure az cli to use Kerberos proxy authentication?


Solution

  • The root of the answer lies in the fact that Azure CLI is built on top of Python. Now, as regards authentication, Azure CLI uses an AAD-based protocol, which is handled by the ADAL library for Python, whose source code is published here.

    So if this is of interest and someone wants to see the wire-level details, please dig in here.

    As mentioned, Azure CLI is built on TOP of Python, one of the reasons being to give it a broad cross-platform reach, as it is available across Windows, Mac and Linux (and maybe other ports are available).

    And ADAL Python is based on a popular Python HTTP library. While the proxy can be configured (and that is not the question here), what was asked and what enterprises want is a way to use Kerberos/NTLM to authenticate the requests while funneling them through a proxy. So if you dig into the documents for the Python HTTP library, named requests, you can see that its proxy support can be configured inline or by environment vars (again, that is not the ASK).

    Now when you dig into authentication when requests are being proxied, the document mentions HTTP basic auth only, and there is no mention of Kerberos/NTLM type of authentication. Now if one has worked with any security-conscious enterprise, it would be difficult to get an exception for this. This has been requested by some enterprises, where they want to authenticate (security requirement) all Azure CLI requests at their external-facing proxies before they leave the perimeter.

    The current answer is that there is not a supported way to do this, unless an auth handler is implemented that does this, for the scenario where a proxy is in place. This is a request that would squarely belong to the Python HTTP library owners, if I am not mistaken.
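As an added illustration (not part of the original answer, and not Azure CLI or requests code): the one proxy authentication scheme the answer says is documented, HTTP Basic, is carried as `user:password` inside the proxy URL, so the credential sits in the environment and is only base64-encoded on the wire. The standard-library Python below audits proxy environment variables for that form; the function names, proxy hostname and credentials are constructed for the example.

```python
import base64
from urllib.parse import urlsplit, unquote

# Variables the answer refers to as "environment vars" for proxy configuration.
PROXY_VARS = ("HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy")

def basic_proxy_header(proxy_url):
    """Return the Proxy-Authorization value implied by user:pass in a proxy URL, or None."""
    parts = urlsplit(proxy_url)
    if parts.username is None:
        return None
    user = unquote(parts.username)
    password = unquote(parts.password or "")
    token = base64.b64encode(f"{user}:{password}".encode("latin1")).decode("ascii")
    return "Basic " + token  # base64 is an encoding, not encryption

def audit_proxy_env(environ):
    """List each configured proxy, the auth its URL implies, and cleartext exposure."""
    findings = []
    for name in PROXY_VARS:
        url = environ.get(name)
        if not url:
            continue
        parts = urlsplit(url)
        header = basic_proxy_header(url)
        findings.append({
            "variable": name,
            "proxy_host": parts.hostname,
            "auth": "basic" if header else "none",
            "header": header,
            # An http:// proxy URL means the header reaches the proxy unencrypted.
            "cleartext_to_proxy": header is not None and parts.scheme != "https",
        })
    return findings

# Constructed sample environment (hypothetical host and service account).
SAMPLE_ENV = {
    "HTTP_PROXY": "http://svc-az:S3cr%40t@proxy.example.internal:3128",
    "HTTPS_PROXY": "http://proxy.example.internal:3128",
}

if __name__ == "__main__":
    for finding in audit_proxy_env(SAMPLE_ENV):
        print(finding)
```

Neither entry can express Kerberos or NTLM: a URL with credentials yields Basic, and a URL without them yields no proxy authentication at all, which is the gap the answer describes.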