tessl/pypi-azure-identity
Microsoft Azure Identity Library providing authentication credentials for Azure SDK clients.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
core-credentials.mddocs/
Core Credentials
Essential credential classes providing the foundation of Azure authentication. These credentials implement the intelligent DefaultAzureCredential pattern and credential chaining capabilities that automatically adapt to different deployment environments.
Capabilities
DefaultAzureCredential
The recommended credential for most Azure applications. Implements an intelligent credential chain that automatically detects the authentication method available in the current environment, enabling zero-configuration authentication across local development, CI/CD, and production deployments.
class DefaultAzureCredential:
def __init__(
self,
*,
authority: Optional[str] = None,
exclude_workload_identity_credential: bool = False,
exclude_developer_cli_credential: bool = False,
exclude_cli_credential: bool = False,
exclude_environment_credential: bool = False,
exclude_managed_identity_credential: bool = False,
exclude_powershell_credential: bool = False,
exclude_visual_studio_code_credential: bool = True,
exclude_shared_token_cache_credential: bool = False,
exclude_interactive_browser_credential: bool = True,
exclude_broker_credential: bool = False,
interactive_browser_tenant_id: Optional[str] = None,
broker_tenant_id: Optional[str] = None,
managed_identity_client_id: Optional[str] = None,
workload_identity_client_id: Optional[str] = None,
workload_identity_tenant_id: Optional[str] = None,
interactive_browser_client_id: Optional[str] = None,
broker_client_id: Optional[str] = None,
shared_cache_username: Optional[str] = None,
shared_cache_tenant_id: Optional[str] = None,
visual_studio_code_tenant_id: Optional[str] = None,
process_timeout: int = 10,
**kwargs
):
"""
Create a DefaultAzureCredential instance that attempts authentication via multiple methods.
Attempts credentials in this order:
1. EnvironmentCredential
2. WorkloadIdentityCredential (if not excluded)
3. ManagedIdentityCredential (if not excluded)
4. SharedTokenCacheCredential (if not excluded)
5. VisualStudioCodeCredential (if not excluded, excluded by default)
6. AzureCliCredential (if not excluded)
7. AzurePowerShellCredential (if not excluded)
8. AzureDeveloperCliCredential (if not excluded)
9. InteractiveBrowserCredential (if not excluded, excluded by default)
Args:
authority: Authority of a Microsoft Entra endpoint. Default: login.microsoftonline.com
exclude_workload_identity_credential: Exclude workload identity credential from the chain
exclude_developer_cli_credential: Exclude Azure Developer CLI credential
exclude_cli_credential: Exclude Azure CLI credential
exclude_environment_credential: Exclude environment variables credential
exclude_managed_identity_credential: Exclude managed identity credential
exclude_powershell_credential: Exclude Azure PowerShell credential
exclude_visual_studio_code_credential: Exclude VS Code credential (excluded by default)
exclude_shared_token_cache_credential: Exclude shared token cache credential
exclude_interactive_browser_credential: Exclude interactive browser credential (excluded by default)
exclude_broker_credential: Exclude broker credential
interactive_browser_tenant_id: Tenant ID for interactive browser authentication
broker_tenant_id: Tenant ID for brokered authentication
managed_identity_client_id: Client ID for user-assigned managed identity
workload_identity_client_id: Client ID for workload identity
workload_identity_tenant_id: Tenant ID for workload identity
interactive_browser_client_id: Client ID for interactive browser authentication
broker_client_id: Client ID for broker authentication
shared_cache_username: Username for shared token cache
shared_cache_tenant_id: Tenant ID for shared token cache
visual_studio_code_tenant_id: Tenant ID for VS Code authentication
process_timeout: Timeout in seconds for developer credential processes
"""
def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
"""
Request an access token for the specified scopes.
Args:
*scopes: Desired scopes for the access token
claims: Additional claims required in the token
tenant_id: Optional tenant ID override
Returns:
AccessToken: The access token with expiration information
Raises:
CredentialUnavailableError: No credential in the chain can authenticate
AuthenticationRequiredError: Interactive authentication is required
"""
def get_token_info(self, *scopes: str, options: Optional[dict] = None) -> dict:
"""
Request access token with additional information.
Args:
*scopes: Desired scopes for the access token
options: Additional options for token acquisition
Returns:
dict: Token information including access token and metadata
"""Usage Example:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
# Zero-configuration - works in development and production
credential = DefaultAzureCredential()
# Use with any Azure SDK client
client = SecretClient(
vault_url="https://vault.vault.azure.net/",
credential=credential
)
# Customized configuration excluding certain credential types
dev_credential = DefaultAzureCredential(
exclude_managed_identity_credential=True, # Skip managed identity in local dev
exclude_interactive_browser_credential=False # Enable browser auth for development
)
# Production configuration with specific managed identity
prod_credential = DefaultAzureCredential(
managed_identity_client_id="your-user-assigned-identity-client-id",
exclude_cli_credential=True, # Skip CLI tools in production
exclude_powershell_credential=True
)ChainedTokenCredential
A configurable credential chain that attempts authentication using a sequence of credential instances in order until one succeeds. Provides full control over credential ordering and selection.
class ChainedTokenCredential:
def __init__(self, *credentials):
"""
Create a credential chain from the provided credentials.
Args:
*credentials: TokenCredential instances to try in order
Example:
credential = ChainedTokenCredential(
ManagedIdentityCredential(),
ClientSecretCredential(tenant_id, client_id, secret),
AzureCliCredential()
)
"""
def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
"""
Request an access token using the first available credential in the chain.
Args:
*scopes: Desired scopes for the access token
claims: Additional claims required in the token
tenant_id: Optional tenant ID override
Returns:
AccessToken: The access token from the first successful credential
Raises:
CredentialUnavailableError: All credentials in the chain failed
"""
def get_token_info(self, *scopes: str, options: Optional[dict] = None) -> dict:
"""
Request access token with additional information using the first available credential.
Args:
*scopes: Desired scopes for the access token
options: Additional options for token acquisition
Returns:
dict: Token information from the first successful credential
"""Usage Example:
from azure.identity import (
ChainedTokenCredential,
ManagedIdentityCredential,
ClientSecretCredential,
AzureCliCredential
)
# Custom credential chain for specific application needs
credential = ChainedTokenCredential(
# Try managed identity first (production)
ManagedIdentityCredential(),
# Fallback to service principal (CI/CD)
ClientSecretCredential(
tenant_id="your-tenant-id",
client_id="your-client-id",
client_secret="your-client-secret"
),
# Fallback to Azure CLI (development)
AzureCliCredential()
)
# Use with Azure SDK clients
from azure.storage.blob import BlobServiceClient
blob_client = BlobServiceClient(
account_url="https://account.blob.core.windows.net",
credential=credential
)EnvironmentCredential
Authenticates using environment variables, supporting both service principal and user authentication patterns. Automatically detects the authentication method based on available environment variables.
class EnvironmentCredential:
def __init__(
self,
*,
authority: Optional[str] = None,
cache_persistence_options: Optional[TokenCachePersistenceOptions] = None,
disable_instance_discovery: bool = False,
additionally_allowed_tenants: List[str] = None,
**kwargs
):
"""
Create an EnvironmentCredential that authenticates using environment variables.
Supports these authentication patterns:
Service principal with client secret:
- AZURE_TENANT_ID: Tenant ID
- AZURE_CLIENT_ID: Client ID
- AZURE_CLIENT_SECRET: Client secret
Service principal with certificate:
- AZURE_TENANT_ID: Tenant ID
- AZURE_CLIENT_ID: Client ID
- AZURE_CLIENT_CERTIFICATE_PATH: Path to certificate file
- AZURE_CLIENT_CERTIFICATE_PASSWORD: Certificate password (optional)
User authentication with username/password:
- AZURE_TENANT_ID: Tenant ID (optional)
- AZURE_CLIENT_ID: Client ID
- AZURE_USERNAME: Username
- AZURE_PASSWORD: Password
Args:
authority: Authority of a Microsoft Entra endpoint
cache_persistence_options: Configuration for persistent token caching
disable_instance_discovery: Disable instance discovery and authority validation
additionally_allowed_tenants: Additional allowed tenants beyond the configured tenant
"""
def get_token(self, *scopes: str, claims: Optional[str] = None, tenant_id: Optional[str] = None, **kwargs) -> AccessToken:
"""
Request an access token for the specified scopes using environment variables.
Args:
*scopes: Desired scopes for the access token
claims: Additional claims required in the token
tenant_id: Optional tenant ID override
Returns:
AccessToken: The access token with expiration information
Raises:
CredentialUnavailableError: Required environment variables are not set
"""Usage Example:
import os
from azure.identity import EnvironmentCredential
# Set environment variables for service principal authentication
os.environ["AZURE_TENANT_ID"] = "your-tenant-id"
os.environ["AZURE_CLIENT_ID"] = "your-client-id"
os.environ["AZURE_CLIENT_SECRET"] = "your-client-secret"
# Create credential - automatically detects service principal from env vars
credential = EnvironmentCredential()
# Or set certificate-based authentication
os.environ["AZURE_CLIENT_CERTIFICATE_PATH"] = "/path/to/certificate.pem"
cert_credential = EnvironmentCredential()Common Parameters
All core credentials support these common parameters:
# Authority specification
authority: Optional[str] = None # Default: "https://login.microsoftonline.com"
# Token caching options
cache_persistence_options: Optional[TokenCachePersistenceOptions] = None
# Instance discovery settings
disable_instance_discovery: bool = False
# Multi-tenant support
additionally_allowed_tenants: List[str] = None
# Logging and debugging
enable_support_logging: bool = FalseEnvironment Variables Reference
# Core authentication variables
AZURE_TENANT_ID: str # Microsoft Entra tenant ID
AZURE_CLIENT_ID: str # Application client ID
AZURE_CLIENT_SECRET: str # Client secret for service principal auth
# Certificate authentication variables
AZURE_CLIENT_CERTIFICATE_PATH: str # Path to certificate file (PEM/PKCS12)
AZURE_CLIENT_CERTIFICATE_PASSWORD: str # Certificate password (optional)
# Username/password authentication variables
AZURE_USERNAME: str # Username for user authentication
AZURE_PASSWORD: str # Password for user authentication
# Authority and region settings
AZURE_AUTHORITY_HOST: str # Authority host (default: login.microsoftonline.com)
AZURE_REGIONAL_AUTHORITY_NAME: str # Regional authority name
# Workload identity variables
AZURE_FEDERATED_TOKEN_FILE: str # Path to federated token file for workload identity
# Managed identity endpoint variables
IDENTITY_ENDPOINT: str # Managed identity endpoint URL
IDENTITY_HEADER: str # Managed identity request header
MSI_ENDPOINT: str # Legacy managed identity endpoint
MSI_SECRET: str # Legacy managed identity secretInstall with Tessl CLI
npx tessl i tessl/pypi-azure-identity