tessl/pypi-azure-identity

Microsoft Azure Identity Library providing authentication credentials for Azure SDK clients.

Workspace: tessl
Visibility: Public
Describes: pkg:pypi/azure-identity@1.24.x

To install, run

npx @tessl/cli install tessl/pypi-azure-identity@1.24.0


Azure Identity

The Microsoft Azure Identity Library for Python provides credentials to authenticate with Microsoft Entra ID (formerly Azure Active Directory). It serves as the central authentication solution for Azure SDK clients, offering a unified interface for acquiring Azure access tokens across diverse environments including local development, CI/CD pipelines, and Azure-hosted applications.

Package Information

  • Package Name: azure-identity
  • Language: Python
  • Installation: pip install azure-identity
  • Version: 1.24.0

Core Imports

from azure.identity import DefaultAzureCredential

Comprehensive imports for specific credential types:

from azure.identity import (
    DefaultAzureCredential,
    ClientSecretCredential, 
    CertificateCredential,
    ManagedIdentityCredential,
    InteractiveBrowserCredential,
    DeviceCodeCredential,
    AzureCliCredential,
    ChainedTokenCredential
)

For async support:

from azure.identity.aio import DefaultAzureCredential as AsyncDefaultAzureCredential

Basic Usage

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Create credential - automatically detects environment and uses appropriate authentication
credential = DefaultAzureCredential()

# Use with any Azure SDK client
blob_service_client = BlobServiceClient(
    account_url="https://mystorageaccount.blob.core.windows.net",
    credential=credential
)

# The credential automatically handles token acquisition and refresh
# list_containers() yields the containers in the storage account
for container in blob_service_client.list_containers():
    print(container.name)

# For specific authentication scenarios
from azure.identity import ClientSecretCredential

# Service principal authentication
# (placeholder values; keep the real client secret out of source code)
sp_credential = ClientSecretCredential(
    tenant_id="your-tenant-id",
    client_id="your-client-id",
    client_secret="your-client-secret"
)

# Interactive authentication for user scenarios
from azure.identity import InteractiveBrowserCredential

user_credential = InteractiveBrowserCredential()

Architecture

Azure Identity implements the TokenCredential Protocol that all Azure SDK clients accept. This protocol defines two key methods:

  • get_token(*scopes) - Synchronously acquires an access token for the specified scopes
  • get_token_info(*scopes) - Provides token with additional metadata

Credential Chain Pattern

The DefaultAzureCredential implements a credential chain pattern, attempting authentication methods in this order:

  1. Environment variables - Service principal or user authentication via environment variables
  2. Workload Identity - For Azure Kubernetes Service workloads using service account tokens
  3. Managed Identity - For Azure-hosted applications (VMs, App Service, Function Apps, etc.)
  4. Shared Token Cache - Cached tokens from Microsoft developer tools
  5. Visual Studio Code - Azure account from VS Code Azure extension
  6. Azure CLI - Account logged into Azure CLI
  7. Azure PowerShell - Account logged into Azure PowerShell
  8. Azure Developer CLI - Account logged into Azure Developer CLI
  9. Interactive Browser - Opens browser for user authentication (disabled by default)

This design provides zero-configuration authentication that works across local development and production environments without code changes.
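The following added example (a stand-in model, not azure-identity's own code) shows the operational consequence of the chain order: when the managed identity link is unavailable, the chain moves on and a leftover developer session answers instead. `FakeCredential`, `first_success`, `pinned` and the host state are hypothetical names and constructed data; the local `CredentialUnavailableError` stands in for the library's exception of the same name.

```python
from typing import NamedTuple


class AccessToken(NamedTuple):  # same fields as azure.core.credentials.AccessToken
    token: str
    expires_on: int


class CredentialUnavailableError(Exception):
    """Stand-in: this credential cannot attempt authentication on this host."""


class FakeCredential:
    """Constructed stand-in for one link of the chain (hypothetical class)."""

    def __init__(self, name: str, available: bool):
        self.name, self.available = name, available

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        if not self.available:
            raise CredentialUnavailableError(self.name)
        return AccessToken(f"token-from-{self.name}", 4102444800)  # constructed


def first_success(chain, *scopes):
    """Walk the chain in order; return (link name, token) for the first success."""
    for cred in chain:
        try:
            return cred.name, cred.get_token(*scopes)
        except CredentialUnavailableError:
            continue  # an unavailable link is skipped without any visible error
    raise CredentialUnavailableError("no credential in the chain is available")


def pinned(chain, allowed):
    """Keep only the links a deployment is meant to use, preserving order."""
    return [cred for cred in chain if cred.name in allowed]


SCOPE = "https://storage.azure.com/.default"
# Constructed host state: the managed identity endpoint is unreachable, but an
# operator once ran `az login` on the machine.
HOST_CHAIN = [
    FakeCredential("environment", False),
    FakeCredential("workload_identity", False),
    FakeCredential("managed_identity", False),
    FakeCredential("azure_cli", True),
]
```

With the real library, the pinned form corresponds to building an explicit `ChainedTokenCredential` from only the credential classes a deployment should use, so a missing managed identity fails loudly instead of borrowing another identity.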

Common Authentication Patterns

  • Service Principal: Applications authenticate with client credentials (secret or certificate)
  • User Authentication: Interactive flows for user-facing applications
  • Managed Identity: Azure services authenticate automatically without storing credentials
  • Developer Authentication: Local development using existing Azure CLI/PowerShell sessions

Capabilities

Core Credentials

Essential credential classes providing the foundation of Azure authentication, including the intelligent DefaultAzureCredential and credential chaining capabilities.

class DefaultAzureCredential:
    def __init__(self, **kwargs): ...

class ChainedTokenCredential:
    def __init__(self, *credentials): ...


Service Principal Credentials

Authenticate applications and services using Azure Active Directory service principals with client secrets, certificates, or custom client assertions.

class ClientSecretCredential:
    def __init__(self, tenant_id: str, client_id: str, client_secret: str, **kwargs): ...

class CertificateCredential:
    def __init__(self, tenant_id: str, client_id: str, certificate_path: Optional[str] = None, **kwargs): ...

class ClientAssertionCredential:
    def __init__(self, tenant_id: str, client_id: str, func: Callable[[], str], **kwargs): ...


Interactive User Credentials

Enable user authentication through interactive flows including browser-based authentication, device code flow, and username/password authentication.

from azure.identity._constants import DEVELOPER_SIGN_ON_CLIENT_ID

class InteractiveBrowserCredential:
    def __init__(self, *, client_id: str = DEVELOPER_SIGN_ON_CLIENT_ID, **kwargs): ...

class DeviceCodeCredential:
    def __init__(self, client_id: str = DEVELOPER_SIGN_ON_CLIENT_ID, *, timeout: Optional[int] = None, **kwargs): ...

class UsernamePasswordCredential:
    def __init__(self, client_id: str, username: str, password: str, **kwargs): ...


Azure Platform Credentials

Leverage Azure's native authentication mechanisms including managed identities, workload identities, and Azure service-specific authentication.

class ManagedIdentityCredential:
    def __init__(self, *, client_id: Optional[str] = None, identity_config: Optional[Mapping[str, str]] = None, **kwargs): ...

class WorkloadIdentityCredential:
    def __init__(self, *, tenant_id: Optional[str] = None, client_id: Optional[str] = None, **kwargs): ...


Developer Tool Credentials

Authenticate using existing Azure developer tool sessions including Azure CLI, Azure PowerShell, Azure Developer CLI, and Visual Studio Code.

class AzureCliCredential:
    def __init__(self, *, process_timeout: int = 10, **kwargs): ...

class AzureDeveloperCliCredential:
    def __init__(self, *, process_timeout: int = 10, **kwargs): ...

class AzurePowerShellCredential:
    def __init__(self, *, process_timeout: int = 10, **kwargs): ...


Advanced Features

Advanced authentication features including token caching, authentication records, exception handling, and utility functions.

class AuthenticationRecord:
    def __init__(self, tenant_id: str, client_id: str, authority: str, home_account_id: str, username: str): ...

class TokenCachePersistenceOptions:
    def __init__(self, *, allow_unencrypted_storage: bool = False, name: str = "msal.cache", **kwargs): ...


Async Support

Asynchronous versions of all credential classes for use with asyncio-based applications and Azure SDK async clients.

# All credential classes available in azure.identity.aio module
from azure.identity.aio import DefaultAzureCredential, ClientSecretCredential


Shared Types

TokenCredential Protocol

from typing import Any, Optional, Protocol
from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions

# Simplified view: azure-core declares get_token on the TokenCredential protocol
# and get_token_info on the separate SupportsTokenInfo protocol. Both are
# structural, so any object with a matching method is accepted.
class TokenCredential(Protocol):
    def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs: Any) -> AccessToken:
        """
        Request an access token for the specified scopes.

        Args:
            *scopes: Desired scopes for the access token
            claims: Additional claims required in the token
            tenant_id: Optional tenant ID override
            **kwargs: Additional keyword arguments

        Returns:
            AccessToken: The access token with expiration information
        """

    def get_token_info(self, *scopes: str, options: Optional[TokenRequestOptions] = None) -> AccessTokenInfo:
        """
        Request an access token for the specified scopes with additional information.

        Args:
            *scopes: Desired scopes for the access token
            options: Additional options for token acquisition

        Returns:
            AccessTokenInfo: Token information including access token and metadata
        """

AccessToken

from typing import NamedTuple

# Simplified definition; import the real class with:
#   from azure.core.credentials import AccessToken
class AccessToken(NamedTuple):
    """
    Represents an access token with expiration information.

    Attributes:
        token: The access token string
        expires_on: Token expiration time as seconds since epoch
    """
    token: str
    expires_on: int
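Because any object with a matching `get_token` satisfies the protocol, a credential can be wrapped to enforce least privilege before it is handed to an SDK client. The sketch below is an added example, not part of azure-identity: `ScopedCredential`, `ScopeNotAllowed` and `StaticCredential` are hypothetical names, and the local `AccessToken` is a stand-in with the same two fields so the block runs without the Azure packages installed.

```python
import time
from typing import Any, Iterable, NamedTuple


class AccessToken(NamedTuple):  # same fields as azure.core.credentials.AccessToken
    token: str
    expires_on: int


class ScopeNotAllowed(Exception):
    """Raised before any token request reaches the wrapped credential."""


class ScopedCredential:
    """Hypothetical wrapper: forwards get_token only for allowlisted scopes."""

    def __init__(self, inner: Any, allowed_scopes: Iterable[str], min_ttl: int = 300):
        self._inner = inner
        self._allowed = frozenset(allowed_scopes)
        self._min_ttl = min_ttl
        self.audit = []  # (unix time, scopes, outcome); the token is never logged

    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
        now = int(time.time())
        denied = [s for s in scopes if s not in self._allowed]
        if not scopes or denied:
            self.audit.append((now, scopes, "denied"))
            raise ScopeNotAllowed(f"scopes not allowlisted: {denied or 'none given'}")
        token = self._inner.get_token(*scopes, **kwargs)
        if token.expires_on - now < self._min_ttl:
            self.audit.append((now, scopes, "short-lived"))
            raise ValueError("wrapped credential returned a token close to expiry")
        self.audit.append((now, scopes, "issued"))
        return token


class StaticCredential:
    """Constructed stand-in for a real credential such as DefaultAzureCredential."""

    def __init__(self, ttl: int):
        self.ttl = ttl
        self.calls = 0

    def get_token(self, *scopes: str, **kwargs: Any) -> AccessToken:
        self.calls += 1
        return AccessToken("constructed-token", int(time.time()) + self.ttl)
```

In real use the `inner` argument would be an azure-identity credential, and the audit list would feed whatever logging the application already has.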

Common Parameter Types

from typing import List, Optional, Mapping, Callable, Iterable

# Authority hosts for different Azure clouds
AzureAuthorityHost = str  # login.microsoftonline.com, login.chinacloudapi.cn, etc.

# Tenant identifier
TenantId = str  

# Client application identifier  
ClientId = str

# Cache persistence configuration
CachePersistenceOptions = Optional[object]  # TokenCachePersistenceOptions instance

# Additional tenant allowlist
AdditionallyAllowedTenants = List[str]

# Authentication record for cached authentication
AuthRecord = Optional[object]  # AuthenticationRecord instance