Class DefaultAzureCredentialBuilder
- All Implemented Interfaces:
com.azure.core.client.traits.HttpTrait<DefaultAzureCredentialBuilder>
Fluent credential builder for instantiating a DefaultAzureCredential
.
The DefaultAzureCredential
is appropriate for most scenarios where the application is intended to
ultimately be run in Azure. DefaultAzureCredential combines credentials that are commonly used to authenticate when
deployed, with credentials that are used to authenticate in a development environment.
The DefaultAzureCredential
will attempt to authenticate via the following mechanisms in order.
Sample: Construct DefaultAzureCredential
The following code sample demonstrates the creation of a DefaultAzureCredential
, using
the DefaultAzureCredentialBuilder to configure it. Once this credential is created, it may be passed into the
builder of many of the Azure SDK for Java client builders as the 'credential' parameter.
TokenCredential defaultAzureCredential = new DefaultAzureCredentialBuilder() .build();
Sample: Construct DefaultAzureCredential with User Assigned Managed Identity
User-Assigned Managed Identity (UAMI) in Azure is a feature that allows you to create an identity in
Microsoft Entra ID that is
associated with one or more Azure resources. This identity can then be used to authenticate and
authorize access to various Azure services and resources. The following code sample demonstrates the creation of
a DefaultAzureCredential
to target a user assigned managed identity, using the DefaultAzureCredentialBuilder
to configure it. Once this credential is created, it may be passed into the builder of many of the
Azure SDK for Java client builders as the 'credential' parameter.
TokenCredential dacWithUserAssignedManagedIdentity = new DefaultAzureCredentialBuilder() .managedIdentityClientId("<Managed-Identity-Client-Id") .build();
- See Also:
-
Constructor Summary
ConstructorDescriptionCreates an instance of a DefaultAzureCredentialBuilder. -
Method Summary
Modifier and TypeMethodDescriptionadditionallyAllowedTenants
(String... additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.additionallyAllowedTenants
(List<String> additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens.authorityHost
(String authorityHost) Specifies the Microsoft Entra endpoint to acquire tokens.build()
Creates newDefaultAzureCredential
with the configured options set.credentialProcessTimeout
(Duration credentialProcessTimeout) Specifies aDuration
timeout for developer credentials (such as Azure CLI) that rely on separate process invocations.Disables the setting which determines whether or not instance discovery is performed when attempting to authenticate.executorService
(ExecutorService executorService) Specifies the ExecutorService to be used to execute the authentication requests.intelliJKeePassDatabasePath
(String databasePath) Specifies the KeePass database path to read the cached credentials of Azure toolkit for IntelliJ plugin.managedIdentityClientId
(String clientId) Specifies the client ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities.managedIdentityResourceId
(String resourceId) Specifies the resource ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities.Sets the tenant id of the user to authenticate through theDefaultAzureCredential
.workloadIdentityClientId
(String clientId) Specifies the client ID of Microsoft Entra app to be used for AKS workload identity authentication.Methods inherited from class com.azure.identity.CredentialBuilderBase
addPolicy, clientOptions, configuration, enableAccountIdentifierLogging, httpClient, httpLogOptions, httpPipeline, maxRetry, pipeline, proxyOptions, retryOptions, retryPolicy, retryTimeout
-
Constructor Details
-
DefaultAzureCredentialBuilder
public DefaultAzureCredentialBuilder()Creates an instance of a DefaultAzureCredentialBuilder.
-
-
Method Details
-
tenantId
Sets the tenant id of the user to authenticate through theDefaultAzureCredential
. If unset, the value in the AZURE_TENANT_ID environment variable will be used. If neither is set, the default is null and will authenticate users to their default tenant.- Parameters:
tenantId
- the tenant ID to set.- Returns:
- An updated instance of this builder with the tenant id set as specified.
-
authorityHost
Specifies the Microsoft Entra endpoint to acquire tokens.- Parameters:
authorityHost
- the Microsoft Entra endpoint- Returns:
- An updated instance of this builder with the authority host set as specified.
-
intelliJKeePassDatabasePath
Specifies the KeePass database path to read the cached credentials of Azure toolkit for IntelliJ plugin. ThedatabasePath
is required on Windows platform. For macOS and Linux platform native key chain / key ring will be accessed respectively to retrieve the cached credentials.This path can be located in the IntelliJ IDE. Windows: File -> Settings -> Appearance & Behavior -> System Settings -> Passwords.
- Parameters:
databasePath
- the path to the KeePass database.- Returns:
- An updated instance of this builder with the KeePass database path set as specified.
- Throws:
IllegalArgumentException
- ifdatabasePath
is either not specified or is empty.
-
managedIdentityClientId
Specifies the client ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities. If unset, the value in the AZURE_CLIENT_ID environment variable will be used. If neither is set, the default value is null and will only work with system assigned managed identities and not user assigned managed identities. Only one of managedIdentityClientId and managedIdentityResourceId can be specified.- Parameters:
clientId
- the client ID- Returns:
- the DefaultAzureCredentialBuilder itself
-
workloadIdentityClientId
Specifies the client ID of Microsoft Entra app to be used for AKS workload identity authentication. if unset,managedIdentityClientId(String)
will be used. If both values are unset, the value in the AZURE_CLIENT_ID environment variable will be used. If none are set, the default value is null and Workload Identity authentication will not be attempted.- Parameters:
clientId
- the client ID- Returns:
- the DefaultAzureCredentialBuilder itself
-
managedIdentityResourceId
Specifies the resource ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities. If unset, the value in the AZURE_CLIENT_ID environment variable will be used. If neither is set, the default value is null and will only work with system assigned managed identities and not user assigned managed identities. Only one of managedIdentityResourceId and managedIdentityClientId can be specified.- Parameters:
resourceId
- the resource ID- Returns:
- the DefaultAzureCredentialBuilder itself
-
executorService
Specifies the ExecutorService to be used to execute the authentication requests. Developer is responsible for maintaining the lifecycle of the ExecutorService.If this is not configured, the
common fork join pool
will be used which is also shared with other application tasks. If the common pool is heavily used for other tasks, authentication requests might starve and setting up this executor service should be considered.The executor service and can be safely shutdown if the TokenCredential is no longer being used by the Azure SDK clients and should be shutdown before the application exits.
- Parameters:
executorService
- the executor service to use for executing authentication requests.- Returns:
- An updated instance of this builder with the executor service set as specified.
-
additionallyAllowedTenants
public DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application is installed.- Parameters:
additionallyAllowedTenants
- the additionally allowed tenants.- Returns:
- An updated instance of this builder with the tenant id set as specified.
-
additionallyAllowedTenants
public DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants) For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application is installed.- Parameters:
additionallyAllowedTenants
- the additionally allowed tenants.- Returns:
- An updated instance of this builder with the tenant id set as specified.
-
credentialProcessTimeout
Specifies aDuration
timeout for developer credentials (such as Azure CLI) that rely on separate process invocations.- Parameters:
credentialProcessTimeout
- TheDuration
to wait.- Returns:
- An updated instance of this builder with the timeout specified.
-
disableInstanceDiscovery
Disables the setting which determines whether or not instance discovery is performed when attempting to authenticate. This will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By utilizing this API, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.- Returns:
- An updated instance of this builder with instance discovery disabled.
-
build
Creates newDefaultAzureCredential
with the configured options set.- Returns:
- a
DefaultAzureCredential
with the current configurations. - Throws:
IllegalStateException
- if clientId and resourceId are both set.
-