Class DefaultAzureCredential

java.lang.Object
com.azure.identity.ChainedTokenCredential
com.azure.identity.DefaultAzureCredential
All Implemented Interfaces:
com.azure.core.credential.TokenCredential

public final class DefaultAzureCredential extends ChainedTokenCredential

The DefaultAzureCredential is appropriate for most scenarios where the application is intended to ultimately be run in Azure. DefaultAzureCredential combines credentials that are commonly used to authenticate when deployed, with credentials that are used to authenticate in a development environment. The DefaultAzureCredential will attempt to authenticate via the following mechanisms in order.

  1. EnvironmentCredential - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.
  2. WorkloadIdentityCredential - If the app is deployed on Kubernetes with environment variables set by the workload identity webhook, DefaultAzureCredential will authenticate the configured identity.
  3. ManagedIdentityCredential - If the application deploys to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.
  4. IntelliJCredential - If you've authenticated via Azure Toolkit for IntelliJ, the DefaultAzureCredential will authenticate with that account.
  5. AzureCliCredential - If you've authenticated an account via the Azure CLI az login command, the DefaultAzureCredential will authenticate with that account.
  6. AzurePowerShellCredential - If you've authenticated an account via the Azure Power Shell Az Login command, the DefaultAzureCredential will authenticate with that account.
  7. Fails if none of the credentials above could be created.

For more information refer to the default azure credential authentication docs.

Configure DefaultAzureCredential

DefaultAzureCredential supports a set of configurations through setters on the DefaultAzureCredentialBuilder or environment variables.

  1. Setting the environment variables AZURE_CLIENT_ID, AZURE_CLIENT_SECRET/AZURE_CLIENT_CERTIFICATE_PATH, and AZURE_TENANT_ID configures the DefaultAzureCredential to authenticate as the service principal specified by the values.
  2. Setting DefaultAzureCredentialBuilder.managedIdentityClientId(String) on the builder or the environment variable AZURE_CLIENT_ID configures the DefaultAzureCredential to authenticate as a user-defined managed identity, while leaving them empty configures it to authenticate as a system-assigned managed identity.
  3. Setting DefaultAzureCredentialBuilder.tenantId(String) on the builder or the environment variable AZURE_TENANT_ID configures the DefaultAzureCredential to authenticate to a specific tenant for Visual Studio Code, and IntelliJ IDEA.

Sample: Construct DefaultAzureCredential

The following code sample demonstrates the creation of a DefaultAzureCredential, using the DefaultAzureCredentialBuilder to configure it. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
     .build();
 

Sample: Construct DefaultAzureCredential with User Assigned Managed Identity

User-Assigned Managed Identity (UAMI) in Azure is a feature that allows you to create an identity in Microsoft Entra ID that is associated with one or more Azure resources. This identity can then be used to authenticate and authorize access to various Azure services and resources. The following code sample demonstrates the creation of a DefaultAzureCredential to target a user assigned managed identity, using the DefaultAzureCredentialBuilder to configure it. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential dacWithUserAssignedManagedIdentity = new DefaultAzureCredentialBuilder()
     .managedIdentityClientId("<Managed-Identity-Client-Id")
     .build();
 
See Also: