azure-identity
Microsoft Azure Identity Library for Python
Azure Identity client library for Python
The Azure Identity library provides Microsoft Entra ID token-based authentication support across the Azure SDK. It provides a set of [TokenCredential][token_cred_ref]/[SupportsTokenInfo][supports_token_info_ref] implementations, which can be used to construct Azure SDK clients that support Microsoft Entra token authentication.
Source code | Package (PyPI) | Package (Conda) | [API reference documentation][ref_docs] | Microsoft Entra ID documentation
Getting started
Install the package
Install Azure Identity with pip:
```bash
pip install azure-identity
```
Prerequisites
- An Azure subscription
- Python 3.9 or a recent version of Python 3 (this library doesn't support end-of-life versions)
Authenticate the client
When debugging and executing code locally, it's typical for a developer to use their own account for authenticating calls to Azure services. There are several developer tools that can be used to perform this authentication in your development environment. For more information, see Authentication during local development.
Key concepts
Credentials
A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept a credential instance when they're constructed, and use that credential to authenticate requests.
The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID. It offers various credential classes capable of acquiring a Microsoft Entra access token. See the Credential classes section for a list of this library's credential classes.
DefaultAzureCredential
DefaultAzureCredential simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development. For more information, see [DefaultAzureCredential overview][dac_overview].
Continuation policy
As of version 1.14.0, DefaultAzureCredential attempts to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so DefaultAzureCredential will continue to the next credential in the flow. Deployed service credentials stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one. Prior to version 1.14.0, developer credentials would similarly stop the authentication flow if token retrieval failed, but this is no longer the case.
This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
Examples
The following examples are provided:
Define a custom authentication flow with ChainedTokenCredential
While DefaultAzureCredential is generally the quickest way to authenticate apps for Azure, you can create a customized chain of credentials to be considered. ChainedTokenCredential enables users to combine multiple credential instances to define a customized chain of credentials. For more information, see [ChainedTokenCredential overview][ctc_overview].
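The continuation policy above and the custom chain described here follow one rule, so a single worked model covers both. The following block is an added illustration, not code from azure-identity: it mimics the documented behaviour in which a credential that cannot even attempt token retrieval (raising `azure.identity.CredentialUnavailableError`) is skipped and the chain moves on, while a credential that attempted retrieval and was refused (raising `azure.core.exceptions.ClientAuthenticationError`) stops the chain. The exception and `AccessToken` stand-ins, the `ChainModel`, `FakeCredential`, `unavailable`, `refused`, `issued`, `tried` and `demo` names, and the two constructed chains are all assumptions made here so the example runs without the SDK; only the credential class names in the chains are real.

```python
"""Model of a credential chain's continuation policy (added illustration,
not azure-identity code). Stand-ins replace the SDK's own exception and
token types so this runs offline."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


class CredentialUnavailableError(Exception):
    """Stand-in: the credential could not even try (no CLI login, no IMDS endpoint, ...)."""


class ClientAuthenticationError(Exception):
    """Stand-in: the credential requested a token and the token endpoint refused."""


@dataclass(frozen=True)
class AccessToken:
    """Stand-in for azure.core.credentials.AccessToken (token, expires_on)."""
    token: str
    expires_on: int


class FakeCredential:
    """Anything exposing get_token(scope) -> AccessToken; behaviour is a constructed stand-in."""

    def __init__(self, name: str, behaviour: Callable[[str], AccessToken]) -> None:
        self.name = name
        self._behaviour = behaviour

    def get_token(self, scope: str) -> AccessToken:
        return self._behaviour(scope)


def unavailable(reason: str) -> Callable[[str], AccessToken]:
    """Outcome of a credential that has nothing to try with: report unavailable."""
    def _get_token(_scope: str) -> AccessToken:
        raise CredentialUnavailableError(reason)
    return _get_token


def refused(reason: str) -> Callable[[str], AccessToken]:
    """Outcome of a credential that attempted retrieval but was rejected."""
    def _get_token(_scope: str) -> AccessToken:
        raise ClientAuthenticationError(reason)
    return _get_token


def issued(token: str, expires_on: int = 1_900_000_000) -> Callable[[str], AccessToken]:
    """Outcome of a credential that obtains a token."""
    def _get_token(_scope: str) -> AccessToken:
        return AccessToken(token, expires_on)
    return _get_token


class ChainModel:
    """Tries credentials in order; records why each was skipped, stopped the chain, or succeeded."""

    def __init__(self, *credentials: FakeCredential) -> None:
        self.credentials = credentials
        self.history: List[Tuple[str, str]] = []

    def get_token(self, scope: str) -> AccessToken:
        self.history = []
        for cred in self.credentials:
            try:
                token = cred.get_token(scope)
            except CredentialUnavailableError as ex:
                # Could not attempt: keep going, as a developer credential does.
                self.history.append((cred.name, f"unavailable: {ex}"))
                continue
            except ClientAuthenticationError as ex:
                # Attempted and failed: stop so a misconfigured deployment fails loudly
                # instead of silently using whatever developer login exists on the box.
                self.history.append((cred.name, f"failed: {ex}"))
                break
            self.history.append((cred.name, "succeeded"))
            return token
        attempts = "; ".join(f"{name} -> {why}" for name, why in self.history)
        raise ClientAuthenticationError(f"no credential in the chain produced a token ({attempts})")


def tried(chain: ChainModel) -> List[str]:
    """Names of the credentials consulted on the chain's last get_token call."""
    return [name for name, _ in chain.history]


SCOPE = "https://vault.azure.net/.default"

# Constructed chain 1 (laptop): no env vars, no IMDS, azd not logged in, CLI logged in.
local_dev = ChainModel(
    FakeCredential("EnvironmentCredential", unavailable("no AZURE_CLIENT_ID in environment")),
    FakeCredential("ManagedIdentityCredential", unavailable("IMDS endpoint not reachable")),
    FakeCredential("AzureDeveloperCliCredential", unavailable("azd not logged in")),
    FakeCredential("AzureCliCredential", issued("constructed-cli-token")),
)

# Constructed chain 2 (deployed host): managed identity is present but the request is refused.
deployed = ChainModel(
    FakeCredential("EnvironmentCredential", unavailable("no AZURE_CLIENT_ID in environment")),
    FakeCredential("ManagedIdentityCredential", refused("token endpoint rejected the request")),
    FakeCredential("AzureCliCredential", issued("constructed-cli-token")),
)


def demo() -> Tuple[str, bool]:
    """Token from chain 1, and whether chain 2 stopped before reaching the CLI credential."""
    token = local_dev.get_token(SCOPE).token
    try:
        deployed.get_token(SCOPE)
        stopped_early = False
    except ClientAuthenticationError:
        stopped_early = "AzureCliCredential" not in tried(deployed)
    return token, stopped_early


if __name__ == "__main__":
    print(demo())
```

The second chain is the case the policy exists for: a refused managed identity on a deployed host surfaces as an exception rather than falling through to a developer login that happens to be present, which is why the order of credentials in a custom ChainedTokenCredential matters as much as their membership.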
Async credentials
This library includes a set of async APIs. To use the async credentials in [azure.identity.aio][ref_docs_aio], you must first install an async transport, such as aiohttp. For more information, see [azure-core documentation][azure_core_transport_doc].
Async credentials should be closed when they're no longer needed. Each async credential is an async context manager and defines an async close method. For example:
```python
from azure.identity.aio import DefaultAzureCredential

# call close when the credential is no longer needed
credential = DefaultAzureCredential()
...
await credential.close()

# alternatively, use the credential as an async context manager
credential = DefaultAzureCredential()
async with credential:
    ...
```
This example demonstrates authenticating the asynchronous SecretClient from [azure-keyvault-secrets][azure_keyvault_secrets] with an asynchronous credential.
```python
from azure.identity.aio import DefaultAzureCredential
from azure.keyvault.secrets.aio import SecretClient

default_credential = DefaultAzureCredential()
client = SecretClient("https://my-vault.vault.azure.net", default_credential)
```
Managed identity support
Managed identity authentication is supported either indirectly via DefaultAzureCredential or directly via ManagedIdentityCredential for the following Azure services:
- Azure App Service and Azure Functions
- Azure Arc
- Azure Cloud Shell
- Azure Kubernetes Service
- Azure Service Fabric
- Azure Virtual Machines
- Azure Virtual Machines Scale Sets
Cloud configuration
Credentials default to authenticating to the Microsoft Entra endpoint for Azure Public Cloud. To access resources in other clouds, such as Azure Government or a private cloud, configure credentials with the authority argument. AzureAuthorityHosts defines authorities for well-known clouds:
```python
from azure.identity import AzureAuthorityHosts

DefaultAzureCredential(authority=AzureAuthorityHosts.AZURE_GOVERNMENT)
```
If the authority for your cloud isn't listed in AzureAuthorityHosts, you can explicitly specify its URL:
```python
DefaultAzureCredential(authority="https://login.partner.microsoftonline.cn")
```
As an alternative to specifying the authority argument, you can also set the AZURE_AUTHORITY_HOST environment variable to the URL of your cloud's authority. This approach is useful when configuring multiple credentials to authenticate to the same cloud:
```bash
AZURE_AUTHORITY_HOST=https://login.partner.microsoftonline.cn
```
Not all credentials require this configuration. Credentials that authenticate through a development tool, such as AzureCliCredential, use that tool's configuration.
Credential classes
Credential chains
| Credential | Usage | Reference |
|---|---|---|
| [DefaultAzureCredential][default_cred_ref] | Provides a simplified authentication experience to quickly start developing applications run in Azure. | [DefaultAzureCredential overview][dac_overview] |
| [ChainedTokenCredential][chain_cred_ref] | Allows users to define custom authentication flows composing multiple credentials. | [ChainedTokenCredential overview][ctc_overview] |
Authenticate Azure-hosted applications
| Credential | Usage | Reference |
|---|---|---|
| [EnvironmentCredential][environment_cred_ref] | Authenticates a service principal or user via credential information specified in environment variables. | |
| [ManagedIdentityCredential][managed_id_cred_ref] | Authenticates the managed identity of an Azure resource. | [user-assigned managed identity][uami_doc]<br>[system-assigned managed identity][sami_doc] |
| [WorkloadIdentityCredential][workload_id_cred_ref] | Supports Microsoft Entra Workload ID on Kubernetes. | |
Authenticate service principals
| Credential | Usage