
How does `az login` store credential information?


I am wondering what happens behind the scenes when I log in to Azure using `az login`. I stay logged in for a long time, meaning that something is stored on the machine that allows access.

Would it be possible for an adversary who gains access to the hard drive to read that password/token in clear text to impersonate me?

P.S. I do not mean the credentials that are a part of the az login command itself, but data that is saved behind the scenes by the command.


Solution

  • Good question!

    It doesn't store your login credentials but an authentication-refresh-token. The token can be changed by Microsoft or your tenant admin.

    Refer:

    None of your login information is stored by Azure CLI. Instead, an authentication refresh token is generated by Azure and stored. As of August 2018 this token is revoked after 90 days of inactivity, but this value can be changed by Microsoft or your tenant administrator. Once the token is revoked you get a message from the CLI saying you need to login again.

    https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli

    The CLI stores the token and other details, like your profile, session details, etc. The details are stored in your Home folder.

    %HOMEPATH% > .azure

    Navigate to "%HOMEPATH%" from the Run command (on Windows) and open the ".azure" folder. You will be able to find the files you're looking for.


    (Update: Credit IAmAliYousefi)

    If you use the Azure CLI on WSL (Windows Subsystem for Linux), the .azure directory won't be on your Linux WSL (i.e. ~/.azure), but on your Windows system. You can access it from your Linux WSL at /mnt/C/Users/YOUR_USERNAME/.azure/


    You can consider cleaning up the ".azure" folder when you're feeling "under-attack" 😋
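A way to check what the answer above describes, as an added example that is not part of the original answer or of the Azure CLI: it lists cached-credential files in the CLI config directory and flags any that accounts other than the owner can reach, reading only file metadata. The file names in `TOKEN_FILES` are assumptions that vary by CLI version and platform, and the check relies on POSIX mode bits, so on Windows inspect the folder's ACLs instead.

```python
import os
import stat
import time
from pathlib import Path

# Assumption: cache file names differ between CLI versions and platforms;
# extend this set to match what your installed version writes.
TOKEN_FILES = {
    "msal_token_cache.json",           # MSAL token cache (newer CLI, Linux/macOS)
    "msal_token_cache.bin",            # MSAL token cache (newer CLI, Windows)
    "accessTokens.json",               # ADAL token cache (older CLI versions)
    "service_principal_entries.json",  # cached service principal secrets
}

def azure_config_dir():
    """Return the CLI config directory: AZURE_CONFIG_DIR if set, else ~/.azure."""
    return Path(os.environ.get("AZURE_CONFIG_DIR", Path.home() / ".azure"))

def audit_token_files(config_dir):
    """Report cached-credential files and whether group/other can access them.

    Only metadata is read; file contents are never opened.
    """
    findings = []
    config_dir = Path(config_dir)
    if not config_dir.is_dir():
        return findings
    for entry in sorted(config_dir.iterdir()):
        if entry.name not in TOKEN_FILES or not entry.is_file():
            continue
        st = entry.stat()
        mode = stat.S_IMODE(st.st_mode)
        findings.append({
            "file": entry.name,
            "mode": oct(mode),
            # Any group/other permission bit means the owner is not the only reader.
            "exposed": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
            "age_days": int((time.time() - st.st_mtime) // 86400),
        })
    return findings

if __name__ == "__main__":
    for f in audit_token_files(azure_config_dir()):
        flag = "EXPOSED" if f["exposed"] else "ok"
        print(f"{f['file']:34} {f['mode']:>6} {f['age_days']:>4}d  {flag}")
```

Running `az logout` or `az account clear` removes the cached sign-in state without deleting the rest of the folder.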