Enable MSI authentication for pull based az webapp deploy operations

dannysongg · dannysongg · commit 83d1588bfeb7 · 2025-02-11T17:50:07.000-08:00
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/_params.py b/src/azure-cli/azure/cli/command_modules/appservice/_params.py
@@ -776,8 +776,8 @@ def load_arguments(self, _):
         c.argument('reset', help='Reset Java apps to the default parking page if set to true with no type specified.', arg_type=get_three_state_flag())
         c.argument('timeout', type=int, help='Timeout for the deployment operation in milliseconds. Ignored when using "--src-url" since synchronous deployments are not yet supported when using "--src-url"')
         c.argument('slot', help="The name of the slot. Default to the productions slot if not specified.")
-        c.argument('track_status', help="If true, web app startup status during deployment will be tracked for linux web apps.",
-                   arg_type=get_three_state_flag())
+        c.argument('track_status', help="If true, web app startup status during deployment will be tracked for linux web apps.", arg_type=get_three_state_flag())
+        c.argument('pull_identity', help="AAD identity used for pull based deployments. 'system' will use the app's system assigned identy. An user assigned identity can be used by providing the client ID. Only available for Windows WebApps. Support for Linux WebApps coming soon.")
 
     with self.argument_context('functionapp deploy') as c:
         c.argument('name', options_list=['--name', '-n'], help='Name of the function app to deploy to.')
diff --git a/src/azure-cli/azure/cli/command_modules/appservice/custom.py b/src/azure-cli/azure/cli/command_modules/appservice/custom.py
@@ -6912,7 +6912,8 @@ def perform_onedeploy_webapp(cmd,
                              ignore_stack=None,
                              timeout=None,
                              slot=None,
-                             track_status=True):
+                             track_status=True,
+                             pull_identity=None):
     params = OneDeployParams()
 
     params.cmd = cmd
@@ -6929,6 +6930,7 @@ def perform_onedeploy_webapp(cmd,
     params.timeout = timeout
     params.slot = slot
     params.track_status = track_status
+    params.pull_identity = pull_identity
 
     return _perform_onedeploy_internal(params)
 
@@ -6948,6 +6950,7 @@ def __init__(self):
         self.should_restart = None
         self.is_clean_deployment = None
         self.should_ignore_stack = None
+        self.pull_identity = None
         self.timeout = None
         self.slot = None
         self.track_status = False
@@ -7056,6 +7059,11 @@ def _get_onedeploy_request_body(params):
                                         "access it".format(params.src_path)) from e
     elif params.src_url:
         logger.warning('Deploying from URL: %s', params.src_url)
+
+        if app_is_linux_webapp and params.pull_identity is not None:
+            logger.warning('Pull with MSI support comming soon for Linux webapps')
+            raise ValidationError("Pull with MSI support is not available for Linux webapps")
+
         body = {
             "properties": {
                 "packageUri": params.src_url,
@@ -7064,8 +7072,10 @@ def _get_onedeploy_request_body(params):
                 "ignorestack": params.should_ignore_stack,
                 "clean": params.is_clean_deployment,
                 "restart": params.should_restart,
+                "pullIdentity": params.pull_identity
             }
         }
+
         body = {"properties": {k: v for k, v in body["properties"].items() if v is not None}}
         body = json.dumps(body)
     else:
