Class DefaultAzureCredentialBuilder

All Implemented Interfaces:
com.azure.core.client.traits.HttpTrait<DefaultAzureCredentialBuilder>

public class DefaultAzureCredentialBuilder extends CredentialBuilderBase<DefaultAzureCredentialBuilder>

Fluent credential builder for instantiating a DefaultAzureCredential.

The DefaultAzureCredential is appropriate for most scenarios where the application is intended to ultimately be run in Azure. DefaultAzureCredential combines credentials that are commonly used to authenticate when deployed, with credentials that are used to authenticate in a development environment. The DefaultAzureCredential will attempt to authenticate via the following mechanisms in order.

Sample: Construct DefaultAzureCredential

The following code sample demonstrates the creation of a DefaultAzureCredential, using the DefaultAzureCredentialBuilder to configure it. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential defaultAzureCredential = new DefaultAzureCredentialBuilder()
     .build();
 

Sample: Construct DefaultAzureCredential with User Assigned Managed Identity

User-Assigned Managed Identity (UAMI) in Azure is a feature that allows you to create an identity in Microsoft Entra ID that is associated with one or more Azure resources. This identity can then be used to authenticate and authorize access to various Azure services and resources. The following code sample demonstrates the creation of a DefaultAzureCredential to target a user assigned managed identity, using the DefaultAzureCredentialBuilder to configure it. Once this credential is created, it may be passed into the builder of many of the Azure SDK for Java client builders as the 'credential' parameter.

 TokenCredential dacWithUserAssignedManagedIdentity = new DefaultAzureCredentialBuilder()
     .managedIdentityClientId("<Managed-Identity-Client-Id>")
     .build();
 
  • Constructor Details

    • DefaultAzureCredentialBuilder

      public DefaultAzureCredentialBuilder()
      Creates an instance of a DefaultAzureCredentialBuilder.
  • Method Details

    • tenantId

      public DefaultAzureCredentialBuilder tenantId(String tenantId)
      Sets the tenant id of the user to authenticate through the DefaultAzureCredential. If unset, the value in the AZURE_TENANT_ID environment variable will be used. If neither is set, the default is null and will authenticate users to their default tenant.
      Parameters:
      tenantId - the tenant ID to set.
      Returns:
      An updated instance of this builder with the tenant id set as specified.
    • authorityHost

      public DefaultAzureCredentialBuilder authorityHost(String authorityHost)
      Specifies the Microsoft Entra endpoint to acquire tokens.
      Parameters:
      authorityHost - the Microsoft Entra endpoint
      Returns:
      An updated instance of this builder with the authority host set as specified.
    • intelliJKeePassDatabasePath

      public DefaultAzureCredentialBuilder intelliJKeePassDatabasePath(String databasePath)
      Specifies the KeePass database path from which to read the cached credentials of the Azure Toolkit for IntelliJ plugin. The databasePath is required on Windows. On macOS and Linux, the native keychain and key ring, respectively, are accessed to retrieve the cached credentials.

      This path can be located in the IntelliJ IDE. Windows: File -> Settings -> Appearance & Behavior -> System Settings -> Passwords.

      Parameters:
      databasePath - the path to the KeePass database.
      Returns:
      An updated instance of this builder with the KeePass database path set as specified.
      Throws:
      IllegalArgumentException - if databasePath is either not specified or is empty.
    • managedIdentityClientId

      public DefaultAzureCredentialBuilder managedIdentityClientId(String clientId)
      Specifies the client ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities. If unset, the value in the AZURE_CLIENT_ID environment variable will be used. If neither is set, the default value is null and will only work with system assigned managed identities and not user assigned managed identities. Only one of managedIdentityClientId and managedIdentityResourceId can be specified.
      Parameters:
      clientId - the client ID
      Returns:
      the DefaultAzureCredentialBuilder itself
    • workloadIdentityClientId

      public DefaultAzureCredentialBuilder workloadIdentityClientId(String clientId)
      Specifies the client ID of the Microsoft Entra app to be used for AKS workload identity authentication. If unset, managedIdentityClientId(String) will be used. If both values are unset, the value in the AZURE_CLIENT_ID environment variable will be used. If none are set, the default value is null and Workload Identity authentication will not be attempted.
      Parameters:
      clientId - the client ID
      Returns:
      the DefaultAzureCredentialBuilder itself
    • managedIdentityResourceId

      public DefaultAzureCredentialBuilder managedIdentityResourceId(String resourceId)
      Specifies the resource ID of user assigned or system assigned identity, when this credential is running in an environment with managed identities. If unset, the value in the AZURE_CLIENT_ID environment variable will be used. If neither is set, the default value is null and will only work with system assigned managed identities and not user assigned managed identities. Only one of managedIdentityResourceId and managedIdentityClientId can be specified.
      Parameters:
      resourceId - the resource ID
      Returns:
      the DefaultAzureCredentialBuilder itself
    • executorService

      public DefaultAzureCredentialBuilder executorService(ExecutorService executorService)
      Specifies the ExecutorService to be used to execute the authentication requests. The developer is responsible for maintaining the lifecycle of the ExecutorService.

      If this is not configured, the common fork join pool will be used, which is also shared with other application tasks. If the common pool is heavily used for other tasks, authentication requests might starve, and setting up this executor service should be considered.

      The executor service can be safely shut down once the TokenCredential is no longer being used by the Azure SDK clients, and should be shut down before the application exits.

      Parameters:
      executorService - the executor service to use for executing authentication requests.
      Returns:
      An updated instance of this builder with the executor service set as specified.
    • additionallyAllowedTenants

      public DefaultAzureCredentialBuilder additionallyAllowedTenants(String... additionallyAllowedTenants)
      For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed.
      Parameters:
      additionallyAllowedTenants - the additionally allowed tenants.
      Returns:
      An updated instance of this builder with the additionally allowed tenants set as specified.
    • additionallyAllowedTenants

      public DefaultAzureCredentialBuilder additionallyAllowedTenants(List<String> additionallyAllowedTenants)
      For multi-tenant applications, specifies additional tenants for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant in which the application is installed.
      Parameters:
      additionallyAllowedTenants - the additionally allowed tenants.
      Returns:
      An updated instance of this builder with the additionally allowed tenants set as specified.
    • credentialProcessTimeout

      public DefaultAzureCredentialBuilder credentialProcessTimeout(Duration credentialProcessTimeout)
      Specifies a Duration timeout for developer credentials (such as Azure CLI) that rely on separate process invocations.
      Parameters:
      credentialProcessTimeout - The Duration to wait.
      Returns:
      An updated instance of this builder with the timeout specified.
    • disableInstanceDiscovery

      public DefaultAzureCredentialBuilder disableInstanceDiscovery()
      Disables the setting which determines whether or not instance discovery is performed when attempting to authenticate. This will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached, such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By utilizing this API, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy.
      Returns:
      An updated instance of this builder with instance discovery disabled.
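Because disableInstanceDiscovery() turns off authority validation and additionallyAllowedTenants accepts "*", the caller has to enforce both constraints itself. The following is an added example, not code from the Azure SDK documentation. It checks the authority host against an allowlist and rejects wildcard tenants before building the credential. The class name, helper methods, allowlisted host and tenant GUIDs are constructed placeholders, and azure-identity is assumed to be on the classpath.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public final class PinnedAuthorityCredential {
    // Assumption: the only authority host this deployment trusts (constructed sample value).
    private static final Set<String> TRUSTED_AUTHORITY_HOSTS = Set.of("login.private-cloud.example");

    /** Accepts only a bare HTTPS origin (no userinfo, port, path, query, fragment) on the allowlist. */
    static String requireTrustedAuthority(String authorityHost) {
        URI uri = URI.create(authorityHost);
        String host = uri.getHost();
        String path = uri.getPath();
        boolean bareHttpsOrigin = "https".equalsIgnoreCase(uri.getScheme())
            && uri.getUserInfo() == null && uri.getPort() == -1
            && uri.getQuery() == null && uri.getFragment() == null
            && (path == null || path.isEmpty() || "/".equals(path));
        if (!bareHttpsOrigin || host == null
            || !TRUSTED_AUTHORITY_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("Untrusted authority host: " + authorityHost);
        }
        return authorityHost;
    }

    /** Rejects "*" and blank entries so tokens can only be acquired for named tenants. */
    static List<String> requireExplicitTenants(List<String> tenants) {
        if (tenants.stream().anyMatch(t -> t == null || t.isBlank() || t.contains("*"))) {
            throw new IllegalArgumentException("Tenants must be listed explicitly; wildcard rejected");
        }
        return List.copyOf(tenants);
    }

    static TokenCredential build(String authorityHost, String tenantId, List<String> extraTenants) {
        return new DefaultAzureCredentialBuilder()
            .authorityHost(requireTrustedAuthority(authorityHost)) // validated here, not by the SDK
            .tenantId(tenantId)
            .additionallyAllowedTenants(requireExplicitTenants(extraTenants))
            .disableInstanceDiscovery() // also disables authority validation
            .build();
    }

    public static void main(String[] args) {
        // Constructed placeholder tenant IDs, not real tenants.
        TokenCredential credential = build("https://login.private-cloud.example/",
            "00000000-0000-0000-0000-000000000000", List.of("11111111-1111-1111-1111-111111111111"));
        System.out.println("Built " + credential.getClass().getSimpleName());
    }
}
```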
    • build

      public DefaultAzureCredential build()
      Creates new DefaultAzureCredential with the configured options set.
      Returns:
      a DefaultAzureCredential with the current configurations.
      Throws:
      IllegalStateException - if clientId and resourceId are both set.