If you’re a little cautious around everything from Microsoft then using their Docker container is a decent approach to manage those concerns. Unfortunately, as tends to be the case with a lot of Microsoft documentation, it’s verbose and long but is somehow missing details that make things real-world useful.

Fixing that then -

Use the following .bash_aliases entry to wrap the az alias-command with something that invokes a Docker container locally.

alias az="docker run --rm --interactive --log-driver=none --attach stdin --attach stdout --attach stderr --volume ${HOME}/.azure:/root/.azure:rw --volume ${HOME}/.ssh:/root/.ssh mcr.microsoft.com/azure-cli az"

The above uses long-form docker args to make it a little easier to understand what it all means.

Breaking that down into parts -

  • docker run – causes the container from mcr.microsoft.com/azure-cli to be run with the command az (at the end of the command line)
  • --rm – causes the container to be removed after the command has completed.
  • --interactive – keeps the Docker console connection open for stdin/stdout/stderr
  • --log-driver=none – disables Docker's logging for the container, preventing otherwise hidden container log messages
  • --attach – attach each of stdin, stdout and stderr; this is important for az since stderr and stdout otherwise get collapsed onto one another, making it impossible to pipe output in your local environment, such as when piping through jq (further detail below)
  • --volume ${HOME}/.azure:/root/.azure – mount your ~/.azure into the Docker container so the Azure authentication is persistent between docker invocations; you may want to consider placing this mount on a separately encrypted mount.
  • --volume ${HOME}/.ssh:/root/.ssh – mount your ~/.ssh path into the Docker container.

With this alias in place you’ll be invoking a (local) Docker container to handle the “dirty” Microsoft stuff.

Further notes:-

  • be sure to use --attach to pass through stdin, stdout and stderr, else you will have problems when piping output into something like jq. The issue is that the azure-cli tooling writes command progress/status output to the terminal in a way that gets hidden by using carriage-return characters. If you redirect the output from docker to a file or string and then view that string, you may miss the fact that there are line(s) not visible. If you strip the carriage returns by piping through | tr -d '\r', you’ll then uncover the azure-cli status messages at the head of the string :( That’s the long story.
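
To see the hidden-status problem from the last note without running Docker, here is an added example (not part of the original post and not azure-cli code). The function names are hypothetical and the sample capture is constructed; the real status text az prints is an assumption.

```shell
#!/bin/sh
# Added example: the sample data below is constructed, not real azure-cli output.

# Constructed capture: a status line "erased" with carriage returns, then JSON,
# as it might look when stderr and stdout were merged into one stream.
sample_capture() {
    printf 'Status: running ..\r                  \r{"name": "demo"}\n'
}

# Count carriage returns on stdin; non-zero means text may be hidden on a terminal.
count_cr() {
    tr -cd '\r' | wc -c | tr -d ' '
}

# Make carriage returns visible instead of letting the terminal act on them.
show_cr() {
    awk '{ gsub(/\r/, "<CR>"); print }'
}

# Roughly what a terminal leaves on screen: the text after the last carriage
# return on each line (a trailing CR from CRLF line endings is dropped first).
visible_text() {
    awk '{ sub(/\r$/, ""); n = split($0, part, "\r"); print part[n] }'
}

# Guard for pipelines: pass stdin through only if it has no carriage returns,
# so a downstream parser such as jq never sees merged status text.
require_clean() {
    data=$(cat)
    if [ "$(printf '%s' "$data" | count_cr)" -ne 0 ]; then
        echo "capture contains carriage returns; streams were probably merged" >&2
        return 1
    fi
    printf '%s\n' "$data"
}

# Demo on the constructed capture: the hidden bytes, then the on-screen view.
sample_capture | show_cr
sample_capture | visible_text
```

Placing require_clean between a captured az output and jq turns a confusing parse error into an explicit message that the streams were merged.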