feat: add az CLI shim for Azure token acquisition via ado-codespaces-auth

[ansemb]

Summary

Adds an az CLI shim that intercepts az account get-access-token requests and delegates to azure-auth-helper from the ado-codespaces-auth VS Code extension. This enables Azure SDK's DefaultAzureCredential (via AzureCliCredential) to work seamlessly in GitHub Codespaces without requiring manual az login.

Problem

When using Azure SDKs (e.g., Azure.Identity for .NET, azure-identity for Python) in Codespaces, DefaultAzureCredential fails because:

1. az login times out waiting for browser-based authentication
2. AzureCliCredential falls back to calling az account get-access-token --resource <url>, which also fails

This blocks local development of services that access Azure resources like Key Vault, Storage, or ARM.

Solution

The shim:

• Intercepts az account get-access-token commands
• Extracts the --resource, --scope, or --resource-type parameter
• Converts to a scope string (e.g., https://vault.azure.net/.default)
• Calls ~/azure-auth-helper get-access-token "<scope>" to acquire a token via IPC to VS Code
• Returns JSON matching the real az CLI output format
• Falls through to the real az CLI for all other commands

Features

• Supports --resource <url> (v1.0 endpoint style)
• Supports --scope <scope> (v2.0 endpoint style)
• Supports --resource-type with well-known mappings (arm, ms-graph, aad-graph, batch, data-lake, media, oss-rdbms)
• Bypasses interception in GitHub Actions (checks ACTIONS_ID_TOKEN_REQUEST_URL)
• Cross-platform date handling (GNU/BSD)

Testing

Tested with:

• az account get-access-token --resource https://vault.azure.net ✅
• az account get-access-token --resource-type arm ✅
• az account get-access-token --scope https://graph.microsoft.com/.default ✅
• .NET service using DefaultAzureCredential → Key Vault access ✅

[Copilot]

Pull request overview

This pull request adds an Azure CLI (az) shim that intercepts az account get-access-token commands to enable Azure SDK authentication in GitHub Codespaces without requiring manual az login. The shim delegates token acquisition to the azure-auth-helper from the ado-codespaces-auth VS Code extension.

Changes:

• Added new az CLI shim script that intercepts access token requests and falls back to the real Azure CLI for other commands
• Integrated the az shim into the artifacts-helper feature with a configurable azAlias option
• Updated documentation to describe the az shim functionality and usage

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/artifacts-helper/scripts/az	New shim script that intercepts az account get-access-token and delegates to azure-auth-helper
src/artifacts-helper/install.sh	Added ALIAS_AZ configuration option and integrated az into the shim installation process
src/artifacts-helper/devcontainer-feature.json	Added azAlias boolean option to control az shim installation
src/artifacts-helper/README.md	Updated documentation to include az shim description and corrected grammar
src/artifacts-helper/NOTES.md	Updated notes to include az shim functionality and corrected grammar

Comments suppressed due to low confidence (1)

src/artifacts-helper/scripts/az:19

• The variable $0 should be quoted to handle paths containing spaces. Change dirname $0 to dirname "$0" to prevent word splitting issues.

source "$(dirname $0)"/resolve-shim.sh

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[markphip]

Take a look at the Copilot feedback in addition to mine and either just mark items resolved or implement the suggestions it made