Skip to content

{AKS} az aks bastion: Fix --subscription not being passed to internal az network bastion tunnel and bastion discovery commands #9671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
FumingZhang wants to merge 2 commits into
base: main
Choose a base branch
from
+40 −26
Open

{AKS} az aks bastion: Fix --subscription not being passed to internal az network bastion tunnel and bastion discovery commands #9671

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4077172
fix
FumingZhang Mar 11, 2026
e8b561e
fix
FumingZhang Mar 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions src/aks-preview/HISTORY.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ To release a new version, please select a new version number (usually plus 1 to
Pending
+++++++

19.0.0b25
+++++++
* `az aks bastion`: Fix `--subscription` not being passed to internal `az network bastion tunnel` and bastion discovery commands.

19.0.0b24
+++++++
* Vendor new SDK and bump API version to 2026-01-02-preview.
Expand Down
56 changes: 32 additions & 24 deletions src/aks-preview/azext_aks_preview/bastion/bastion.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ def __init__(self, name, resource_group):


def aks_bastion_parse_bastion_resource(
bastion: str, resource_groups: List[str]
bastion: str, resource_groups: List[str], subscription_id: str = None
) -> BastionResource:
"""Get the bastion resource name from the provided name or node resource group."""

Expand All @@ -55,18 +55,21 @@ def aks_bastion_parse_bastion_resource(
resource_group,
)
# check if the bastion exists in the provided resource group
show_cmd = [
"network",
"bastion",
"show",
"--resource-group",
resource_group,
"--name",
bastion,
"--output",
"json",
]
if subscription_id:
show_cmd.extend(["--subscription", subscription_id])
result = run_az_cmd(
[
"network",
"bastion",
"show",
"--resource-group",
resource_group,
"--name",
bastion,
"--output",
"json",
],
show_cmd,
out_file=TextIO(),
)
Comment on lines 71 to 74
Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

run_az_cmd is being called with out_file=TextIO() but TextIO here comes from typing (a type annotation), not a writable file-like object. This will fail at runtime (or at least won’t behave as intended) when suppressing output. Use a real in-memory buffer (e.g., io.StringIO) or omit out_file and rely on run_az_cmd’s returned result instead.

Copilot uses AI. Check for mistakes.
if result.exit_code != 0:
Expand All @@ -92,16 +95,19 @@ def aks_bastion_parse_bastion_resource(
# list bastions in the provided resource groups
for resource_group in resource_groups:
logger.debug("Searching for bastion in resource group '%s'.", resource_group)
list_cmd = [
"network",
"bastion",
"list",
"--resource-group",
resource_group,
"--output",
"json",
]
if subscription_id:
list_cmd.extend(["--subscription", subscription_id])
result = run_az_cmd(
[
"network",
"bastion",
"list",
"--resource-group",
resource_group,
"--output",
"json",
],
list_cmd,
out_file=TextIO(),
)
if result.exit_code != 0:
Expand Down Expand Up @@ -243,12 +249,12 @@ def aks_bastion_set_kubeconfig(kubeconfig_path, port, cluster_name=None):


async def aks_bastion_runner(
bastion_resource, port, mc_id, kubeconfig_path, test_hook=None
bastion_resource, port, mc_id, kubeconfig_path, subscription_id=None, test_hook=None
):
"""Run the bastion tunnel and subshell in parallel, cancelling the other if one completes."""

task1 = asyncio.create_task(
_aks_bastion_launch_tunnel(bastion_resource, port, mc_id)
_aks_bastion_launch_tunnel(bastion_resource, port, mc_id, subscription_id)
)
if test_hook:
task2 = asyncio.create_task(
Expand Down Expand Up @@ -468,7 +474,7 @@ async def _aks_bastion_launch_subshell(kubeconfig_path, port):
logger.warning("Subshell was cancelled before it could be launched.")


async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id):
async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id, subscription_id=None):
"""Launch the bastion tunnel using the provided parameters."""

tunnel_proces = None
Expand All @@ -478,6 +484,8 @@ async def _aks_bastion_launch_tunnel(bastion_resource, port, mc_id):
f"{az_cmd_name} network bastion tunnel --resource-group {bastion_resource.resource_group} "
f"--name {bastion_resource.name} --port {port} --target-resource-id {mc_id} --resource-port 443"
)
if subscription_id:
cmd += f" --subscription {subscription_id}"
logger.warning("Creating bastion tunnel with command: '%s'", cmd)

# Use start_new_session on Unix to create a new process group
Expand Down
4 changes: 3 additions & 1 deletion src/aks-preview/azext_aks_preview/custom.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5242,10 +5242,11 @@ def aks_bastion(cmd, client, resource_group_name, name, bastion=None, port=None,
kubeconfig_path = os.path.join(temp_dir, ".kube", "config")

try:
subscription_id = get_subscription_id(cmd.cli_ctx)
mc = client.get(resource_group_name, name)
mc_id = mc.id
nrg = mc.node_resource_group
bastion_resource = aks_bastion_parse_bastion_resource(bastion, [nrg])
bastion_resource = aks_bastion_parse_bastion_resource(bastion, [nrg], subscription_id)
port = aks_bastion_get_local_port(port)

Comment on lines +5245 to 5251
Copy link

Copilot AI Mar 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change introduces explicit --subscription propagation into bastion discovery and the tunnel launch, but there’s no automated test asserting that the subscription flag is forwarded correctly. Consider adding a unit test that mocks run_az_cmd and the tunnel subprocess creation to verify --subscription is included for both bastion discovery and az network bastion tunnel when the user sets --subscription.

Copilot uses AI. Check for mistakes.
# Fetch credentials only if kubeconfig not provided
Expand Down Expand Up @@ -5277,6 +5278,7 @@ def aks_bastion(cmd, client, resource_group_name, name, bastion=None, port=None,
port,
mc_id,
kubeconfig_path,
subscription_id=subscription_id,
test_hook=os.getenv("AKS_BASTION_TEST_HOOK"),
)
)
Expand Down
2 changes: 1 addition & 1 deletion src/aks-preview/setup.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@

from setuptools import find_packages, setup

VERSION = "19.0.0b24"
VERSION = "19.0.0b25"

CLASSIFIERS = [
"Development Status :: 4 - Beta",
Expand Down
Loading