tessl/pypi-azure-mgmt-authorization
Microsoft Azure Authorization Management Client Library for Python providing RBAC, PIM, and access control capabilities
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
auth-config.mddocs/
Authentication and Configuration
Azure authentication patterns, client initialization options, and configuration management for optimal SDK usage across different Azure environments. This covers credential management, client configuration, and best practices for secure and efficient authorization management operations.
Capabilities
Client Initialization
Configure and initialize the AuthorizationManagementClient with appropriate credentials and settings.
class AuthorizationManagementClient:
def __init__(
self,
credential: TokenCredential,
subscription_id: str,
api_version: Optional[str] = None,
base_url: str = "https://management.azure.com",
profile: KnownProfiles = KnownProfiles.default,
**kwargs
):
"""
Initialize the Azure Authorization Management client.
Parameters:
- credential: Azure credential object implementing TokenCredential interface
- subscription_id: Azure subscription ID for resource management
- api_version: Specific API version to use (optional, defaults to latest stable)
- base_url: Azure management endpoint URL
- profile: API version profile for operation groups
- kwargs: Additional configuration options
"""
def close(self) -> None:
"""Close the client and release resources."""
def __enter__(self):
"""Enter context manager."""
def __exit__(self, *exc_details):
"""Exit context manager and clean up resources."""Credential Management
Support for various Azure authentication methods and credential types.
# DefaultAzureCredential - Recommended for most scenarios
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
# ClientSecretCredential - For service principal authentication
from azure.identity import ClientSecretCredential
credential = ClientSecretCredential(
tenant_id="tenant-id",
client_id="client-id",
client_secret="client-secret"
)
# ManagedIdentityCredential - For Azure resources
from azure.identity import ManagedIdentityCredential
credential = ManagedIdentityCredential(client_id="managed-identity-client-id")
# InteractiveBrowserCredential - For interactive scenarios
from azure.identity import InteractiveBrowserCredential
credential = InteractiveBrowserCredential(tenant_id="tenant-id")
# AzureCliCredential - Using Azure CLI authentication
from azure.identity import AzureCliCredential
credential = AzureCliCredential()Configuration Options
Advanced client configuration for optimal performance and behavior customization.
class AuthorizationManagementClientConfiguration:
def __init__(
self,
credential: TokenCredential,
subscription_id: str,
**kwargs
):
"""
Configuration for the AuthorizationManagementClient.
Parameters:
- credential: Azure credential
- subscription_id: Azure subscription ID
- kwargs: Additional configuration options including:
- polling_interval: Default polling interval for long-running operations
- retry_policy: Custom retry policy configuration
- logging_policy: Logging configuration
- user_agent_policy: Custom user agent settings
- proxy_policy: Proxy configuration
- authentication_policy: Authentication behavior settings
"""Multi-API Version Support
Leverage specific API versions for different operation groups or use the latest profile.
# Using default profile with latest stable versions
client = AuthorizationManagementClient(credential, subscription_id)
# Using specific API version for all operations
client = AuthorizationManagementClient(
credential,
subscription_id,
api_version="2022-04-01"
)
# Using custom profile for mixed API versions
from azure.profiles import ProfileDefinition
custom_profile = ProfileDefinition({
"azure.mgmt.authorization.AuthorizationManagementClient": {
None: "2022-04-01",
'access_review_schedule_definitions': '2021-12-01-preview',
'role_assignment_schedules': '2020-10-01',
'alerts': '2022-08-01-preview'
}
})
client = AuthorizationManagementClient(
credential,
subscription_id,
profile=custom_profile
)Async Client Support
Use async operations for better performance in async applications.
from azure.mgmt.authorization.aio import AuthorizationManagementClient
async def manage_roles_async():
"""Example of async client usage."""
async with AuthorizationManagementClient(
credential=credential,
subscription_id=subscription_id
) as client:
# Async operations
role_assignments = []
async for assignment in client.role_assignments.list_for_subscription():
role_assignments.append(assignment)
return role_assignmentsUsage Examples
Basic Client Setup
from azure.mgmt.authorization import AuthorizationManagementClient
from azure.identity import DefaultAzureCredential
# Simple setup with default credentials
credential = DefaultAzureCredential()
client = AuthorizationManagementClient(
credential=credential,
subscription_id="your-subscription-id"
)
# Use the client
role_assignments = list(client.role_assignments.list_for_subscription())
print(f"Found {len(role_assignments)} role assignments")
# Always close the client
client.close()Context Manager Usage
# Recommended: Use context manager for automatic cleanup
with AuthorizationManagementClient(credential, subscription_id) as client:
# Client operations
role_definitions = list(client.role_definitions.list(
scope="/subscriptions/your-subscription-id"
))
for role_def in role_definitions:
print(f"Role: {role_def.role_name}")
print(f"Type: {role_def.role_type}")
# Client is automatically closed when exiting the contextService Principal Authentication
from azure.identity import ClientSecretCredential
# Service principal authentication for automated scenarios
credential = ClientSecretCredential(
tenant_id="your-tenant-id",
client_id="your-app-id",
client_secret="your-app-secret"
)
client = AuthorizationManagementClient(
credential=credential,
subscription_id="your-subscription-id"
)
# Service principal can now perform authorized operations
permissions = client.permissions.list_for_resource_group("my-resource-group")Managed Identity Authentication
from azure.identity import ManagedIdentityCredential
# For Azure resources (VMs, App Service, Functions, etc.)
credential = ManagedIdentityCredential()
client = AuthorizationManagementClient(
credential=credential,
subscription_id="your-subscription-id"
)
# Managed identity operations
deny_assignments = list(client.deny_assignments.list_for_subscription())Custom Configuration
from azure.core.pipeline.policies import RetryPolicy
import logging
# Configure logging
logging.basicConfig(level=logging.DEBUG)
# Custom retry policy
retry_policy = RetryPolicy(
retry_total=5,
retry_backoff_factor=1.0,
retry_status_forcelist=[500, 502, 503, 504]
)
# Client with custom configuration
client = AuthorizationManagementClient(
credential=credential,
subscription_id=subscription_id,
logging_enable=True,
retry_policy=retry_policy,
polling_interval=30 # 30 seconds for long-running operations
)Multi-Subscription Management
subscriptions = [
"subscription-1-id",
"subscription-2-id",
"subscription-3-id"
]
# Manage multiple subscriptions
for sub_id in subscriptions:
with AuthorizationManagementClient(credential, sub_id) as client:
print(f"\n=== Subscription: {sub_id} ===")
# List role assignments for each subscription
assignments = list(client.role_assignments.list_for_subscription())
print(f"Role assignments: {len(assignments)}")
# List alerts for each subscription
alerts = list(client.alerts.list_for_scope(f"/subscriptions/{sub_id}"))
print(f"Security alerts: {len(alerts)}")Environment-Specific Configuration
import os
# Configuration based on environment
environment = os.getenv("ENVIRONMENT", "development")
if environment == "production":
# Production configuration
client = AuthorizationManagementClient(
credential=ManagedIdentityCredential(), # Use managed identity
subscription_id=os.getenv("PROD_SUBSCRIPTION_ID"),
base_url="https://management.azure.com",
logging_enable=False # Disable verbose logging
)
elif environment == "development":
# Development configuration
client = AuthorizationManagementClient(
credential=AzureCliCredential(), # Use CLI credentials
subscription_id=os.getenv("DEV_SUBSCRIPTION_ID"),
logging_enable=True, # Enable debugging
api_version="2022-04-01" # Pin to specific version
)Types
Authentication Types
from azure.core.credentials import TokenCredential
from azure.identity import (
DefaultAzureCredential,
ClientSecretCredential,
CertificateCredential,
ManagedIdentityCredential,
InteractiveBrowserCredential,
DeviceCodeCredential,
AzureCliCredential,
EnvironmentCredential,
SharedTokenCacheCredential
)
# TokenCredential interface - base for all credentials
class TokenCredential(Protocol):
def get_token(self, *scopes: str, **kwargs) -> AccessToken: ...
class AccessToken:
token: str
expires_on: intConfiguration Types
from azure.profiles import KnownProfiles, ProfileDefinition
from azure.core.pipeline.policies import (
RetryPolicy,
RedirectPolicy,
ProxyPolicy,
UserAgentPolicy,
HeadersPolicy
)
class KnownProfiles:
default: ProfileDefinition
latest: ProfileDefinition
class RetryPolicy:
def __init__(
self,
retry_total: int = 10,
retry_connect: int = 3,
retry_read: int = 3,
retry_status: int = 3,
retry_backoff_factor: float = 0.8,
retry_backoff_max: int = 120,
retry_status_forcelist: Optional[List[int]] = None,
retry_method_whitelist: Optional[List[str]] = None
): ...Pipeline Configuration Types
from azure.core.pipeline import Pipeline
from azure.mgmt.core import ARMPipelineClient
class ARMPipelineClient:
def __init__(
self,
base_url: str,
config: Any,
**kwargs
): ...
# Common pipeline policies
class AuthenticationPolicy: ...
class BearerTokenCredentialPolicy: ...
class RequestIdPolicy: ...
class CustomHookPolicy: ...
class NetworkTraceLoggingPolicy: ...
class HttpLoggingPolicy: ...Constants
Authentication Scopes
class AuthenticationScopes:
MANAGEMENT = "https://management.azure.com/.default"
GRAPH = "https://graph.microsoft.com/.default"
VAULT = "https://vault.azure.net/.default"
STORAGE = "https://storage.azure.com/.default"
# Default scope for Authorization Management
DEFAULT_SCOPE = "https://management.azure.com/.default"Azure Endpoints
class AzureEndpoints:
# Azure Public Cloud
PUBLIC_CLOUD = "https://management.azure.com"
# Azure Government Cloud
GOVERNMENT_CLOUD = "https://management.usgovcloudapi.net"
# Azure China Cloud
CHINA_CLOUD = "https://management.chinacloudapi.cn"
# Azure German Cloud (deprecated)
GERMAN_CLOUD = "https://management.microsoftazure.de"API Versions
class SupportedApiVersions:
# Latest stable
LATEST_STABLE = "2022-04-01"
# Core RBAC versions
RBAC_2022_04_01 = "2022-04-01"
RBAC_2020_10_01 = "2020-10-01"
RBAC_2018_01_01_PREVIEW = "2018-01-01-preview"
# PIM versions
PIM_2020_10_01 = "2020-10-01"
PIM_2020_10_01_PREVIEW = "2020-10-01-preview"
# Access Reviews versions
ACCESS_REVIEWS_2021_12_01_PREVIEW = "2021-12-01-preview"
ACCESS_REVIEWS_2021_07_01_PREVIEW = "2021-07-01-preview"
# Alerts versions
ALERTS_2022_08_01_PREVIEW = "2022-08-01-preview"Error Handling
Common Authentication Errors
from azure.core.exceptions import (
ClientAuthenticationError,
HttpResponseError,
ServiceRequestError
)
from azure.identity import CredentialUnavailableError
# Authentication-specific exceptions
try:
client = AuthorizationManagementClient(credential, subscription_id)
roles = list(client.role_definitions.list(scope))
except ClientAuthenticationError as e:
print(f"Authentication failed: {e.message}")
# Handle: Check credentials, token expiry, permissions
except CredentialUnavailableError as e:
print(f"Credential unavailable: {e.message}")
# Handle: Credential source not available (CLI not logged in, etc.)
except HttpResponseError as e:
if e.status_code == 401:
print("Unauthorized - check credentials and permissions")
elif e.status_code == 403:
print("Forbidden - insufficient permissions")Configuration Validation
def validate_client_config(credential, subscription_id):
"""Validate client configuration before use."""
try:
# Test credential by getting a token
token = credential.get_token("https://management.azure.com/.default")
if not token.token:
raise ValueError("Unable to obtain access token")
# Validate subscription ID format
if not subscription_id or len(subscription_id) != 36:
raise ValueError("Invalid subscription ID format")
# Test client connectivity
with AuthorizationManagementClient(credential, subscription_id) as client:
# Simple operation to verify connectivity
list(client.role_definitions.list(
scope=f"/subscriptions/{subscription_id}",
filter="$top=1"
))
return True
except Exception as e:
print(f"Client configuration validation failed: {e}")
return FalseBest Practices
Security Best Practices
- Use Managed Identity: Prefer managed identity over service principals when running on Azure
- Rotate Credentials: Regularly rotate service principal secrets and certificates
- Least Privilege: Grant minimum required permissions to service principals
- Secure Storage: Never store credentials in code or configuration files
- Environment Variables: Use secure environment variables or Azure Key Vault for secrets
Performance Best Practices
- Connection Reuse: Use context managers or explicitly close clients
- Async Operations: Use async client for high-throughput scenarios
- Filtering: Use OData filters to reduce data transfer
- Pagination: Handle large result sets with proper pagination
- Caching: Cache role definitions and other static data when appropriate
Error Handling Best Practices
- Retry Logic: Implement proper retry logic for transient failures
- Exponential Backoff: Use exponential backoff for retry attempts
- Circuit Breaker: Implement circuit breaker pattern for external dependencies
- Logging: Log authentication events and errors for debugging
- Monitoring: Monitor authentication failures and credential expiry
Install with Tessl CLI
npx tessl i tessl/pypi-azure-mgmt-authorization