# Core Credentials

Essential credential classes that form the foundation of Azure authentication. They implement the DefaultAzureCredential pattern and credential chaining, so an application picks up whichever authentication method its deployment environment provides without code changes.

## Capabilities

### DefaultAzureCredential

The recommended credential for most Azure applications. It implements a credential chain that detects which authentication method is available in the current environment, so the same code authenticates without configuration changes across local development, CI/CD, and production deployments.

```python { .api }
from typing import Optional

from azure.core.credentials import AccessToken


class DefaultAzureCredential:
    def __init__(
        self,
        *,
        authority: Optional[str] = None,
        exclude_workload_identity_credential: bool = False,
        exclude_developer_cli_credential: bool = False,
        exclude_cli_credential: bool = False,
        exclude_environment_credential: bool = False,
        exclude_managed_identity_credential: bool = False,
        exclude_powershell_credential: bool = False,
        exclude_visual_studio_code_credential: bool = True,
        exclude_shared_token_cache_credential: bool = False,
        exclude_interactive_browser_credential: bool = True,
        exclude_broker_credential: bool = False,
        interactive_browser_tenant_id: Optional[str] = None,
        broker_tenant_id: Optional[str] = None,
        managed_identity_client_id: Optional[str] = None,
        workload_identity_client_id: Optional[str] = None,
        workload_identity_tenant_id: Optional[str] = None,
        interactive_browser_client_id: Optional[str] = None,
        broker_client_id: Optional[str] = None,
        shared_cache_username: Optional[str] = None,
        shared_cache_tenant_id: Optional[str] = None,
        visual_studio_code_tenant_id: Optional[str] = None,
        process_timeout: int = 10,
        **kwargs
    ):
        """
        Create a DefaultAzureCredential instance that attempts authentication via multiple methods.

        Attempts credentials in this order:
        1. EnvironmentCredential
        2. WorkloadIdentityCredential (if not excluded)
        3. ManagedIdentityCredential (if not excluded)
        4. SharedTokenCacheCredential (if not excluded)
        5. VisualStudioCodeCredential (if not excluded, excluded by default)
        6. AzureCliCredential (if not excluded)
        7. AzurePowerShellCredential (if not excluded)
        8. AzureDeveloperCliCredential (if not excluded)
        9. InteractiveBrowserCredential (if not excluded, excluded by default)

        Args:
            authority: Authority of a Microsoft Entra endpoint. Default: login.microsoftonline.com
            exclude_workload_identity_credential: Exclude workload identity credential from the chain
            exclude_developer_cli_credential: Exclude Azure Developer CLI credential
            exclude_cli_credential: Exclude Azure CLI credential
            exclude_environment_credential: Exclude environment variables credential
            exclude_managed_identity_credential: Exclude managed identity credential
            exclude_powershell_credential: Exclude Azure PowerShell credential
            exclude_visual_studio_code_credential: Exclude VS Code credential (excluded by default)
            exclude_shared_token_cache_credential: Exclude shared token cache credential
            exclude_interactive_browser_credential: Exclude interactive browser credential (excluded by default)
            exclude_broker_credential: Exclude broker credential
            interactive_browser_tenant_id: Tenant ID for interactive browser authentication
            broker_tenant_id: Tenant ID for brokered authentication
            managed_identity_client_id: Client ID for user-assigned managed identity
            workload_identity_client_id: Client ID for workload identity
            workload_identity_tenant_id: Tenant ID for workload identity
            interactive_browser_client_id: Client ID for interactive browser authentication
            broker_client_id: Client ID for broker authentication
            shared_cache_username: Username for shared token cache
            shared_cache_tenant_id: Tenant ID for shared token cache
            visual_studio_code_tenant_id: Tenant ID for VS Code authentication
            process_timeout: Timeout in seconds for developer credential processes
        """

    def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
        """
        Request an access token for the specified scopes.

        Args:
            *scopes: Desired scopes for the access token
            claims: Additional claims required in the token
            tenant_id: Optional tenant ID override

        Returns:
            AccessToken: The access token with expiration information

        Raises:
            CredentialUnavailableError: No credential in the chain can authenticate
            AuthenticationRequiredError: Interactive authentication is required
        """

    def get_token_info(self, *scopes: str, options: Optional[dict] = None) -> dict:
        """
        Request access token with additional information.

        Args:
            *scopes: Desired scopes for the access token
            options: Additional options for token acquisition

        Returns:
            dict: Token information including access token and metadata
        """
```

**Usage Example:**

```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# Zero-configuration - works in development and production
credential = DefaultAzureCredential()

# Use with any Azure SDK client
client = SecretClient(
    vault_url="https://vault.vault.azure.net/",
    credential=credential
)

# Customized configuration excluding certain credential types
dev_credential = DefaultAzureCredential(
    exclude_managed_identity_credential=True,  # Skip managed identity in local dev
    exclude_interactive_browser_credential=False  # Enable browser auth for development
)

# Production configuration with specific managed identity
prod_credential = DefaultAzureCredential(
    managed_identity_client_id="your-user-assigned-identity-client-id",
    exclude_cli_credential=True,  # Skip CLI tools in production
    exclude_powershell_credential=True
)
```

### ChainedTokenCredential

A configurable credential chain that attempts authentication with a sequence of credential instances, in order, until one succeeds. It gives full control over which credentials are tried and in what order.

```python { .api }
from typing import Optional

from azure.core.credentials import AccessToken


class ChainedTokenCredential:
    def __init__(self, *credentials):
        """
        Create a credential chain from the provided credentials.

        Args:
            *credentials: TokenCredential instances to try in order

        Example:
            credential = ChainedTokenCredential(
                ManagedIdentityCredential(),
                ClientSecretCredential(tenant_id, client_id, secret),
                AzureCliCredential()
            )
        """

    def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
        """
        Request an access token using the first available credential in the chain.

        Args:
            *scopes: Desired scopes for the access token
            claims: Additional claims required in the token
            tenant_id: Optional tenant ID override

        Returns:
            AccessToken: The access token from the first successful credential

        Raises:
            CredentialUnavailableError: All credentials in the chain failed
        """

    def get_token_info(self, *scopes: str, options: Optional[dict] = None) -> dict:
        """
        Request access token with additional information using the first available credential.

        Args:
            *scopes: Desired scopes for the access token
            options: Additional options for token acquisition

        Returns:
            dict: Token information from the first successful credential
        """
```

**Usage Example:**

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    ClientSecretCredential,
    AzureCliCredential
)

# Custom credential chain for specific application needs
credential = ChainedTokenCredential(
    # Try managed identity first (production)
    ManagedIdentityCredential(),

    # Fallback to service principal (CI/CD)
    ClientSecretCredential(
        tenant_id="your-tenant-id",
        client_id="your-client-id",
        client_secret="your-client-secret"
    ),

    # Fallback to Azure CLI (development)
    AzureCliCredential()
)

# Use with Azure SDK clients
from azure.storage.blob import BlobServiceClient

blob_client = BlobServiceClient(
    account_url="https://account.blob.core.windows.net",
    credential=credential
)
```
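To make the fall-through rules behind both DefaultAzureCredential and ChainedTokenCredential concrete, here is an added example (not azure-identity's own code) that models the chain with offline stub credentials. It assumes the library's behaviour that a CredentialUnavailableError moves the chain on to the next member while any other error stops it, and that the chain keeps a history of attempts for diagnostics; `StubCredential`, `ChainModel`, `build_default_chain` and `token_source` are names invented for this example, and `DEFAULT_ORDER` follows the documented order above with the interactive members left out.

```python
"""Offline model of credential-chain semantics (added example, not azure-identity code).

Stub credentials stand in for the real chain members. The rule being modelled,
an assumption about the library's behaviour: a CredentialUnavailableError
("nothing to try with here") moves on to the next credential, while any other
error (a real rejection) stops the chain, so a misconfigured credential does not
silently fall through to a different identity."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class CredentialUnavailableError(Exception):
    """Stand-in for azure.identity.CredentialUnavailableError."""


class ClientAuthenticationError(Exception):
    """Stand-in for azure.core.exceptions.ClientAuthenticationError."""


@dataclass
class AccessToken:
    token: str
    expires_on: int


@dataclass
class StubCredential:
    """Hypothetical credential whose outcome is scripted for the demo."""
    name: str
    outcome: str  # "unavailable" | "fail" | "ok"
    calls: int = 0

    def get_token(self, *scopes: str) -> AccessToken:
        self.calls += 1
        if self.outcome == "unavailable":
            raise CredentialUnavailableError(f"{self.name}: not configured here")
        if self.outcome == "fail":
            raise ClientAuthenticationError(f"{self.name}: rejected (constructed failure)")
        return AccessToken(token=f"token-from-{self.name}", expires_on=1_700_000_000)


class ChainModel:
    """Tries credentials in order and records every attempt for diagnostics."""

    def __init__(self, *credentials: StubCredential) -> None:
        self.credentials = list(credentials)
        self.history: List[Tuple[str, str]] = []

    def get_token(self, *scopes: str) -> AccessToken:
        self.history = []
        for cred in self.credentials:
            try:
                return cred.get_token(*scopes)
            except CredentialUnavailableError as ex:
                self.history.append((cred.name, str(ex)))  # skip and keep going
            except Exception as ex:  # any other error ends the chain
                self.history.append((cred.name, str(ex)))
                break
        attempts = "; ".join(f"{name}: {msg}" for name, msg in self.history)
        raise ClientAuthenticationError(f"no credential produced a token. Attempts: {attempts}")


# Chain order as documented for DefaultAzureCredential (interactive members left out).
DEFAULT_ORDER = [
    "EnvironmentCredential", "WorkloadIdentityCredential", "ManagedIdentityCredential",
    "SharedTokenCacheCredential", "AzureCliCredential", "AzurePowerShellCredential",
    "AzureDeveloperCliCredential",
]
DEVELOPER_TOOLS = {"AzureCliCredential", "AzurePowerShellCredential", "AzureDeveloperCliCredential"}


def build_default_chain(outcomes: Dict[str, str], production: bool) -> ChainModel:
    """Mirror the exclusion pattern from the usage example: in production, drop the
    developer-tool credentials so a leftover CLI login can never become the app's identity."""
    members = [
        StubCredential(name, outcomes.get(name, "unavailable"))
        for name in DEFAULT_ORDER
        if not (production and name in DEVELOPER_TOOLS)
    ]
    return ChainModel(*members)


def token_source(chain: ChainModel, scope: str = "https://vault.azure.net/.default") -> Optional[str]:
    """Name of the credential that produced the token, or None if the chain failed."""
    try:
        return chain.get_token(scope).token[len("token-from-"):]
    except ClientAuthenticationError:
        return None


if __name__ == "__main__":
    dev = build_default_chain({"AzureCliCredential": "ok"}, production=False)
    print("dev:", token_source(dev))                   # AzureCliCredential
    prod = build_default_chain({"AzureCliCredential": "ok"}, production=True)
    print("prod:", token_source(prod), prod.history)   # None: the CLI is excluded
    bad = build_default_chain({"EnvironmentCredential": "fail", "ManagedIdentityCredential": "ok"}, production=True)
    print("bad env:", token_source(bad), bad.history)  # None: a real rejection stops the chain
```

The third scenario is the one worth remembering when a deployment that "should" use managed identity fails: a wrong or expired client secret in `AZURE_CLIENT_SECRET` is a rejection, not an unavailable credential, so the chain stops there instead of reaching the managed identity. The recorded history is what to log (credential names and messages, never token values) when diagnosing this.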

### EnvironmentCredential

Authenticates using environment variables, supporting both service principal and user authentication patterns. The authentication method is selected from the environment variables that are present.

```python { .api }
from typing import List, Optional

from azure.core.credentials import AccessToken
from azure.identity import TokenCachePersistenceOptions


class EnvironmentCredential:
    def __init__(
        self,
        *,
        authority: Optional[str] = None,
        cache_persistence_options: Optional[TokenCachePersistenceOptions] = None,
        disable_instance_discovery: bool = False,
        additionally_allowed_tenants: Optional[List[str]] = None,
        **kwargs
    ):
        """
        Create an EnvironmentCredential that authenticates using environment variables.

        Supports these authentication patterns:

        Service principal with client secret:
        - AZURE_TENANT_ID: Tenant ID
        - AZURE_CLIENT_ID: Client ID
        - AZURE_CLIENT_SECRET: Client secret

        Service principal with certificate:
        - AZURE_TENANT_ID: Tenant ID
        - AZURE_CLIENT_ID: Client ID
        - AZURE_CLIENT_CERTIFICATE_PATH: Path to certificate file
        - AZURE_CLIENT_CERTIFICATE_PASSWORD: Certificate password (optional)

        User authentication with username/password:
        - AZURE_TENANT_ID: Tenant ID (optional)
        - AZURE_CLIENT_ID: Client ID
        - AZURE_USERNAME: Username
        - AZURE_PASSWORD: Password

        Args:
            authority: Authority of a Microsoft Entra endpoint
            cache_persistence_options: Configuration for persistent token caching
            disable_instance_discovery: Disable instance discovery and authority validation
            additionally_allowed_tenants: Additional allowed tenants beyond the configured tenant
        """

    def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
        """
        Request an access token for the specified scopes using environment variables.

        Args:
            *scopes: Desired scopes for the access token
            claims: Additional claims required in the token
            tenant_id: Optional tenant ID override

        Returns:
            AccessToken: The access token with expiration information

        Raises:
            CredentialUnavailableError: Required environment variables are not set
        """
```

**Usage Example:**

```python
import os
from azure.identity import EnvironmentCredential

# Service principal with a client secret. The placeholder values are set inline
# for illustration only; in a real deployment the platform injects these
# variables from a secret store rather than the application setting them.
os.environ["AZURE_TENANT_ID"] = "your-tenant-id"
os.environ["AZURE_CLIENT_ID"] = "your-client-id"
os.environ["AZURE_CLIENT_SECRET"] = "your-client-secret"

# Create credential - the service principal pattern is detected from the env vars
credential = EnvironmentCredential()

# Certificate-based authentication: a complete client-secret set takes precedence,
# so remove AZURE_CLIENT_SECRET before relying on the certificate variables
os.environ.pop("AZURE_CLIENT_SECRET", None)
os.environ["AZURE_CLIENT_CERTIFICATE_PATH"] = "/path/to/certificate.pem"
cert_credential = EnvironmentCredential()
```
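The selection rules above are easy to get wrong in deployment manifests, so here is an added example (not the library's own code) that models which pattern EnvironmentCredential would pick from a given set of variables, reports partially configured patterns, and produces a redacted view that is safe to log. It assumes that a pattern is chosen when every one of its variables is present (an empty value still counts as present) and that the patterns are checked in the order listed above, so a complete client-secret set wins over a certificate set, which wins over username/password; `select_pattern`, `partial_patterns`, `redacted_view` and the sample dictionaries are constructed for this example.

```python
"""Model of EnvironmentCredential's variable selection (added example, not library code).

Assumption: a pattern is selected when all of its variables are present (empty
string counts as present), checked in the documented order, so client secret
beats certificate beats username/password."""
from typing import Dict, List, Mapping, Optional, Tuple

PATTERNS: List[Tuple[str, Tuple[str, ...]]] = [
    ("client_secret", ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")),
    ("certificate", ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH")),
    ("username_password", ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD")),
]

# Allow-list of AZURE_* variables whose values may appear in a log line. Anything
# else (secrets, passwords, and mistyped names that might hold a secret) is masked.
LOGGABLE_VARS = {
    "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH",
    "AZURE_USERNAME", "AZURE_AUTHORITY_HOST",
}


def select_pattern(env: Mapping[str, str]) -> Optional[str]:
    """First pattern whose variables are all set, or None (the credential would then
    raise CredentialUnavailableError and a chain would move on past it)."""
    for name, required in PATTERNS:
        if all(env.get(var) is not None for var in required):
            return name
    return None


def partial_patterns(env: Mapping[str, str]) -> Dict[str, List[str]]:
    """Patterns that are started but incomplete, mapped to the variables still missing.
    This is the silent failure mode: one mistyped variable name leaves the credential
    'unavailable' instead of failing loudly."""
    report: Dict[str, List[str]] = {}
    for name, required in PATTERNS:
        present = [v for v in required if env.get(v) is not None]
        missing = [v for v in required if env.get(v) is None]
        if present and missing:
            report[name] = missing
    return report


def redacted_view(env: Mapping[str, str]) -> Dict[str, str]:
    """Safe-to-log view of the AZURE_* configuration: only allow-listed values are shown."""
    view: Dict[str, str] = {}
    for key in sorted(env):
        if key.startswith("AZURE_"):
            view[key] = env[key] if key in LOGGABLE_VARS else "<redacted>"
    return view


# Constructed sample configurations (placeholder values, not real identifiers).
SAMPLE_SECRET = {
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZURE_CLIENT_SECRET": "constructed-secret-value",
    "AZURE_CLIENT_CERTIFICATE_PATH": "/etc/app/cert.pem",  # ignored: the secret set is complete
}
SAMPLE_PARTIAL = {
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
    "AZURE_CLIENT_SECERT": "typo-in-variable-name",  # deliberate typo in the constructed sample
}

if __name__ == "__main__":
    print(select_pattern(SAMPLE_SECRET), redacted_view(SAMPLE_SECRET))
    print(select_pattern(SAMPLE_PARTIAL), partial_patterns(SAMPLE_PARTIAL))
```

The redaction deliberately uses an allow-list rather than a list of known secret names: the mistyped `AZURE_CLIENT_SECERT` in the partial sample still holds a secret, and a deny-list keyed on exact names would print it.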

## Common Parameters

All core credentials support these common parameters:

```python { .api }
# Authority specification
authority: Optional[str] = None  # Default: "https://login.microsoftonline.com"

# Token caching options
cache_persistence_options: Optional[TokenCachePersistenceOptions] = None

# Instance discovery settings
disable_instance_discovery: bool = False

# Multi-tenant support
additionally_allowed_tenants: Optional[List[str]] = None

# Logging and debugging
enable_support_logging: bool = False
```

### Environment Variables Reference

```python { .api }
# Core authentication variables
AZURE_TENANT_ID: str  # Microsoft Entra tenant ID
AZURE_CLIENT_ID: str  # Application client ID
AZURE_CLIENT_SECRET: str  # Client secret for service principal auth

# Certificate authentication variables
AZURE_CLIENT_CERTIFICATE_PATH: str  # Path to certificate file (PEM/PKCS12)
AZURE_CLIENT_CERTIFICATE_PASSWORD: str  # Certificate password (optional)

# Username/password authentication variables
AZURE_USERNAME: str  # Username for user authentication
AZURE_PASSWORD: str  # Password for user authentication

# Authority and region settings
AZURE_AUTHORITY_HOST: str  # Authority host (default: login.microsoftonline.com)
AZURE_REGIONAL_AUTHORITY_NAME: str  # Regional authority name

# Workload identity variables
AZURE_FEDERATED_TOKEN_FILE: str  # Path to federated token file for workload identity

# Managed identity endpoint variables
IDENTITY_ENDPOINT: str  # Managed identity endpoint URL
IDENTITY_HEADER: str  # Managed identity request header
MSI_ENDPOINT: str  # Legacy managed identity endpoint
MSI_SECRET: str  # Legacy managed identity secret
```