How to use the command az login (with examples)
The “az login” command is used to log in to Azure using the Azure CLI (Command Line Interface). It allows users to authenticate and access Azure resources, such as virtual machines, storage accounts, and databases.
Use case 1: Log in interactively
Code:
az login
Motivation:
- This use case is useful when you want to log in to Azure interactively, meaning you can provide your credentials in real-time.
- It is particularly helpful when you are using the Azure CLI for the first time or when you need to switch between multiple Azure accounts.
Explanation:
- The “az login” command by itself triggers an interactive login session where the user is prompted to enter their Azure credentials.
- During the interactive login, the command will open a browser window where the user can enter their email address and password to authenticate.
Example output:
[
  {
    "cloudName": "AzureCloud",
    "id": "********-****-****-****-************",
    "isDefault": true,
    "name": "My Azure Subscription",
    "state": "Enabled",
    "tenantId": "********-****-****-****-************",
    "user": {
      "name": "john.doe@example.com",
      "type": "user"
    }
  }
]
Use case 2: Log in with a service principal using a client secret
Code:
az login --service-principal --username http://azure-cli-service-principal --password secret --tenant someone.onmicrosoft.com
Motivation:
- This use case is useful when you want to log in to Azure using a service principal, which is an identity used by applications, services, and automation tools.
- Logging in with a service principal is particularly beneficial for non-interactive scenarios, such as automated deployments or scripting.
Explanation:
- The “--service-principal” flag specifies that you want to use a service principal for authentication.
- The “--username” flag specifies the username or application ID of the service principal.
- The “--password” flag specifies the client secret associated with the service principal.
- The “--tenant” flag specifies the Azure AD tenant ID or domain of the service principal.
Example output:
[
  {
    "cloudName": "AzureCloud",
    "id": "********-****-****-****-************",
    "isDefault": true,
    "name": "My Azure Subscription",
    "state": "Enabled",
    "tenantId": "********-****-****-****-************",
    "user": {
      "name": "http://azure-cli-service-principal",
      "type": "servicePrincipal"
    }
  }
]
Use case 3: Log in with a service principal using a client certificate
Code:
az login --service-principal --username http://azure-cli-service-principal --password path/to/cert.pem --tenant someone.onmicrosoft.com
Motivation:
- This use case is similar to the previous one but instead of using a client secret, it uses a client certificate for authentication.
- Using a certificate instead of a secret can provide an additional layer of security, making it suitable for certain scenarios.
Explanation:
- The “--service-principal” flag specifies that you want to use a service principal for authentication.
- The “--username” flag specifies the username or application ID of the service principal.
- The “--password” flag specifies the path to the client certificate file (.pem format) associated with the service principal.
- The “--tenant” flag specifies the Azure AD tenant ID or domain of the service principal.
Example output:
[
  {
    "cloudName": "AzureCloud",
    "id": "********-****-****-****-************",
    "isDefault": true,
    "name": "My Azure Subscription",
    "state": "Enabled",
    "tenantId": "********-****-****-****-************",
    "user": {
      "name": "http://azure-cli-service-principal",
      "type": "servicePrincipal"
    }
  }
]
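The PEM file passed to “--password” in use case 3 must hold the service principal's private key together with its certificate, so it is a credential in its own right. The following added example (not part of the original page; the function names and arguments are illustrative) checks the file before attempting the login:

```shell
#!/bin/sh
# Added example: pre-flight checks on the PEM file before a certificate login.
# Function names and arguments are illustrative.

# Succeeds only if $1 is a regular file, is closed to group and other,
# and contains both a private key block and a certificate block.
pem_ready_for_login() {
    pem=$1
    [ -f "$pem" ] || { echo "not a regular file: $pem" >&2; return 1; }
    # Octal permission bits such as 600 (GNU stat, then BSD/macOS stat).
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem") || return 1
    case $mode in
        *00) ;;  # owner-only access
        *) echo "$pem has mode $mode; run: chmod 600 $pem" >&2; return 1 ;;
    esac
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "$pem: no private key block" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "$pem: no certificate block" >&2; return 1; }
}

# Usage: login_with_cert <app-id> <tenant> <path/to/cert.pem>
login_with_cert() {
    app_id=$1 tenant=$2 cert=$3
    pem_ready_for_login "$cert" || return 1
    az login --service-principal --username "$app_id" \
        --password "$cert" --tenant "$tenant" --output none
}
```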
Use case 4: Log in using a VM’s system assigned identity
Code:
az login --identity
Motivation:
- This use case allows you to log in to Azure using a virtual machine’s system assigned identity.
- It grants the virtual machine access to resources without explicitly providing any credentials, making it convenient for automated processes running within the virtual machine.
Explanation:
- The “--identity” flag indicates that you want to log in using a system assigned identity.
- When using this option, the command automatically discovers and authenticates the system assigned identity of the virtual machine.
Example output:
[
  {
    "cloudName": "AzureCloud",
    "id": "********-****-****-****-************",
    "isDefault": true,
    "name": "My Azure Subscription",
    "state": "Enabled",
    "tenantId": "********-****-****-****-************",
    "user": {
      "type": "userAssignedIdentity"
    }
  }
]
Use case 5: Log in using a VM’s user assigned identity
Code:
az login --identity --username /subscriptions/subscription_id/resourcegroups/my_rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my_id
Motivation:
- This use case allows you to log in to Azure using a virtual machine’s user assigned identity.
- User assigned identities let you assign an identity to your virtual machine, enabling it to access Azure resources in a secure manner.
Explanation:
- The “--identity” flag indicates that you want to log in using an assigned identity.
- The “--username” flag specifies the user assigned identity’s resource ID, in the format “/subscriptions/{subscription_id}/resourcegroups/{resource_group_name}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identity_name}”.
Example output:
[
  {
    "cloudName": "AzureCloud",
    "id": "********-****-****-****-************",
    "isDefault": true,
    "name": "My Azure Subscription",
    "state": "Enabled",
    "tenantId": "********-****-****-****-************",
    "user": {
      "type": "userAssignedIdentity"
    }
  }
]
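For the non-interactive logins above, a script can confirm that the session it obtained is the expected one before doing anything else, using the tenantId, user.type and id fields shown in the example outputs. This is an added example, not from the original page; the function names and the expected values passed to them are assumptions:

```shell
#!/bin/sh
# Added example: fail closed unless the active az session is the expected
# identity. Function names and expected values are illustrative.

# Read one field of the active account; the query is a JMESPath expression
# over the same JSON object that "az login" prints.
acct_field() { az account show --query "$1" --output tsv; }

# Usage: require_az_identity <tenant-id> <user-type> [subscription-id]
require_az_identity() {
    want_tenant=$1 want_type=$2 want_sub=${3:-}
    tenant=$(acct_field tenantId) || { echo "no active az session" >&2; return 1; }
    utype=$(acct_field user.type) || return 1
    sub=$(acct_field id) || return 1

    [ "$tenant" = "$want_tenant" ] || {
        echo "tenant is '$tenant', expected '$want_tenant'" >&2; return 1; }
    [ "$utype" = "$want_type" ] || {
        echo "identity type is '$utype', expected '$want_type'" >&2; return 1; }
    # The subscription check is optional: skipped when no third argument is given.
    if [ -n "$want_sub" ] && [ "$sub" != "$want_sub" ]; then
        echo "default subscription is '$sub', expected '$want_sub'" >&2
        return 1
    fi
}

# Typical use in a deployment script (placeholder values):
#   require_az_identity "<tenant-id>" servicePrincipal "<subscription-id>" || exit 1
```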
Conclusion:
The “az login” command is a versatile tool that allows users to authenticate and access Azure resources using various login scenarios. Whether logging in interactively, with a service principal, or using a VM’s assigned identity, the command provides flexibility and security for Azure CLI users.