tessl/maven-com-azure--azure-identity
The Azure Identity library provides Microsoft Entra ID token authentication support across the Azure SDK with a comprehensive set of TokenCredential implementations.
—
Pending
managed-identity-credential.mddocs/
Managed Identity Credential
ManagedIdentityCredential authenticates using Azure Managed Identity, providing a secure way for Azure-hosted applications to authenticate without storing credentials. It supports both system-assigned and user-assigned managed identities.
System-Assigned Managed Identity
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
// Use system-assigned managed identity (default)
TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
// Use with Azure SDK client
KeyVaultSecret secret = new SecretClientBuilder()
.vaultUrl("https://myvault.vault.azure.net/")
.credential(credential)
.buildClient()
.getSecret("my-secret");User-Assigned Managed Identity
// Authenticate with user-assigned managed identity using client ID
TokenCredential credential = new ManagedIdentityCredentialBuilder()
.clientId("user-assigned-client-id")
.build();
// Alternative: use resource ID
TokenCredential credentialByResourceId = new ManagedIdentityCredentialBuilder()
.resourceId("/subscriptions/{subscription}/resourceGroups/{rg}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}")
.build();Supported Azure Services
ManagedIdentityCredential works in the following Azure environments:
- Azure Virtual Machines
- Azure App Service
- Azure Functions
- Azure Container Instances
- Azure Kubernetes Service (AKS)
- Azure Service Fabric
- Azure Arc-enabled servers
Configuration Options
// Configure with various options
TokenCredential credential = new ManagedIdentityCredentialBuilder()
.clientId("user-assigned-client-id") // For user-assigned identity
.maxRetry(3) // Maximum retry attempts
.retryTimeout(Duration.ofSeconds(30)) // Retry timeout
.httpClient(httpClient) // Custom HTTP client
.build();Error Handling
try {
TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
// Synchronous token acquisition
AccessToken token = credential.getTokenSync(
new TokenRequestContext().addScopes("https://vault.azure.net/.default")
);
System.out.println("Token expires at: " + token.getExpiresAt());
} catch (CredentialUnavailableException e) {
System.err.println("Managed Identity not available: " + e.getMessage());
// This typically means the code is not running in an Azure environment
// that supports Managed Identity
} catch (ClientAuthenticationException e) {
System.err.println("Authentication failed: " + e.getMessage());
}Async Usage
import reactor.core.publisher.Mono;
TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
// Asynchronous token acquisition
Mono<AccessToken> tokenMono = credential.getToken(
new TokenRequestContext().addScopes("https://management.azure.com/.default")
);
tokenMono.subscribe(
token -> System.out.println("Got token: " + token.getToken().substring(0, 10) + "..."),
error -> System.err.println("Failed to get token: " + error.getMessage())
);Environment Detection
ManagedIdentityCredential automatically detects the Azure environment and uses the appropriate endpoint:
- Azure Virtual Machines: Uses Azure Instance Metadata Service (IMDS)
- App Service/Functions: Uses MSI_ENDPOINT and MSI_SECRET environment variables
- Service Fabric: Uses IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables
- Azure Arc: Uses IMDS with additional headers
Getting Client ID
ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder()
.clientId("user-assigned-client-id")
.build();
// Get the configured client ID
String clientId = credential.getClientId();
System.out.println("Using client ID: " + clientId);API Reference
class ManagedIdentityCredential implements TokenCredential {
// Token acquisition
Mono<AccessToken> getToken(TokenRequestContext request);
AccessToken getTokenSync(TokenRequestContext request);
// Get the client ID of the managed identity
String getClientId();
}
class ManagedIdentityCredentialBuilder extends CredentialBuilderBase<ManagedIdentityCredentialBuilder> {
// Identity configuration
ManagedIdentityCredentialBuilder clientId(String clientId);
ManagedIdentityCredentialBuilder resourceId(String resourceId);
// Build method
ManagedIdentityCredential build();
}Best Practices
- Prefer System-Assigned: Use system-assigned managed identity when possible for simplicity
- User-Assigned for Flexibility: Use user-assigned managed identity when you need to share identity across resources
- Environment Validation: Check that your code is running in a supported Azure environment
- Resource Permissions: Ensure the managed identity has appropriate permissions for target resources
- Error Handling: Always handle CredentialUnavailableException for non-Azure environments
- Token Caching: The credential automatically handles token caching and refresh
Troubleshooting
Common issues and solutions:
- CredentialUnavailableException: Code is not running in a supported Azure environment
- 403 Forbidden: Managed identity doesn't have permission for the requested resource
- Resource Not Found: User-assigned managed identity client ID or resource ID is incorrect
- Connection Timeout: Network connectivity issues to the managed identity endpoint
Install with Tessl CLI
npx tessl i tessl/maven-com-azure--azure-identitydocs
advanced-authentication-flows.mdauthorization-code-authentication.mdazure-developer-cli-authentication.mdazure-pipelines-authentication.mdclient-assertion-authentication.mdconfiguration-and-utilities.mdcredential-chaining.mddefault-azure-credential.mddeveloper-tool-credentials.mdenvironment-credential.mdindex.mdinteractive-user-authentication.mdmanaged-identity-credential.mdservice-principal-authentication.mdshared-token-cache-authentication.mdusername-password-authentication.mdvisual-studio-code-authentication.md