azure.identity.aio package¶
Credentials for asynchronous Azure SDK clients.
-
class
azure.identity.aio.
AuthorizationCodeCredential
(tenant_id: str, client_id: str, authorization_code: str, redirect_uri: str, **kwargs: Any)[source]¶ Authenticates by redeeming an authorization code previously obtained from Azure Active Directory.
See Azure Active Directory documentation for more information about the authentication flow.
- Parameters
tenant_id (str) – ID of the application’s Azure Active Directory tenant. Also called its “directory” ID.
client_id (str) – the application’s client ID
authorization_code (str) – the authorization code from the user’s log-in
redirect_uri (str) – The application’s redirect URI. Must match the URI used to request the authorization code.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.client_secret (str) – One of the application’s client secrets. Required only for web apps and web APIs.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients.
The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason. Any error response from Azure Active Directory is available as the error’sresponse
attribute.
-
class
azure.identity.aio.
AzureCliCredential
[source]¶ Authenticates by requesting a token from the Azure CLI.
This requires previously logging in to Azure via “az login”, and will use the CLI’s currently logged in identity.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn’t cache the tokens it acquires.
- Parameters
scopes (str) – desired scope for the access token. This credential allows only one scope per request.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential was unable to invoke the Azure CLI.
ClientAuthenticationError – the credential invoked the Azure CLI but didn’t receive an access token.
-
async
-
class
azure.identity.aio.
AzurePowerShellCredential
[source]¶ Authenticates by requesting a token from Azure PowerShell.
This requires previously logging in to Azure via “Connect-AzAccount”, and will use the currently logged in identity.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients. Applications calling this method directly must also handle token caching because this credential doesn’t cache the tokens it acquires.
- Parameters
scopes (str) – desired scope for the access token. This credential allows only one scope per request.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential was unable to invoke Azure PowerShell, or no account is authenticated
ClientAuthenticationError – the credential invoked Azure PowerShell but didn’t receive an access token
-
async
-
class
azure.identity.aio.
CertificateCredential
(tenant_id: str, client_id: str, certificate_path: Optional[str] = None, **kwargs: Any)[source]¶ Authenticates as a service principal using a certificate.
The certificate must have an RSA private key, because this credential signs assertions using RS256. See Azure Active Directory documentation for more information on configuring certificate authentication.
- Parameters
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.certificate_data (bytes) – the bytes of a certificate in PEM format, including the private key
password (str or bytes) – The certificate’s password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason.
-
class
azure.identity.aio.
ChainedTokenCredential
(*credentials: AsyncTokenCredential)[source]¶ A sequence of credentials that is itself a credential.
Its
get_token()
method callsget_token
on each credential in the sequence, in order, returning the first valid token received.- Parameters
credentials (
azure.core.credentials.AsyncTokenCredential
) – credential instances to form the chain
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Asynchronously request a token from each credential, in order, returning the first token received.
If no credential provides a token, raises
azure.core.exceptions.ClientAuthenticationError
with an error message from each credential.This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Raises
ClientAuthenticationError – no credential in the chain provided a token
-
class
azure.identity.aio.
ClientAssertionCredential
(tenant_id: str, client_id: str, func: Callable[], str], **kwargs: Any)[source]¶ Authenticates a service principal with a JWT assertion.
This credential is for advanced scenarios.
ClientCertificateCredential
has a more convenient API for the most common assertion scenario, authenticating a service principal with a certificate.- Parameters
- Keyword Arguments
authority (str) – authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason.
-
class
azure.identity.aio.
ClientSecretCredential
(tenant_id: str, client_id: str, client_secret: str, **kwargs: Any)[source]¶ Authenticates as a service principal using a client secret.
- Parameters
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason.
-
class
azure.identity.aio.
DefaultAzureCredential
(**kwargs: Any)[source]¶ A default credential capable of handling most Azure SDK authentication scenarios.
The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:
A service principal configured by environment variables. See
EnvironmentCredential
for more details.An Azure managed identity. See
ManagedIdentityCredential
for more details.On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable
AZURE_USERNAME
is used to select which identity to use. SeeSharedTokenCacheCredential
for more details.The user currently signed in to Visual Studio Code.
The identity currently logged in to the Azure CLI.
The identity currently logged in to Azure PowerShell.
This default behavior is configurable with keyword arguments.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.exclude_cli_credential (bool) – Whether to exclude the Azure CLI from the credential. Defaults to False.
exclude_environment_credential (bool) – Whether to exclude a service principal configured by environment variables from the credential. Defaults to False.
exclude_powershell_credential (bool) – Whether to exclude Azure PowerShell. Defaults to False.
exclude_visual_studio_code_credential (bool) – Whether to exclude stored credential from VS Code. Defaults to False.
exclude_managed_identity_credential (bool) – Whether to exclude managed identity from the credential. Defaults to False.
exclude_shared_token_cache_credential (bool) – Whether to exclude the shared token cache. Defaults to False.
managed_identity_client_id (str) – The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.
shared_cache_username (str) – Preferred username for
SharedTokenCacheCredential
. Defaults to the value of environment variable AZURE_USERNAME, if any.shared_cache_tenant_id (str) – Preferred tenant for
SharedTokenCacheCredential
. Defaults to the value of environment variable AZURE_TENANT_ID, if any.visual_studio_code_tenant_id (str) – Tenant ID to use when authenticating with
VisualStudioCodeCredential
. Defaults to the “Azure: Tenant” setting in VS Code’s user settings or, when that setting has no value, the “organizations” tenant, which supports only Azure Active Directory work or school accounts.
-
async
close
()¶ Close the transport sessions of all credentials in the chain.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Asynchronously request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
ClientAuthenticationError – authentication failed. The exception has a message attribute listing each authentication attempt and its error message.
-
class
azure.identity.aio.
EnvironmentCredential
(**kwargs: Any)[source]¶ A credential configured by environment variables.
This credential is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password. Configuration is attempted in this order, using these environment variables:
- Service principal with secret:
AZURE_TENANT_ID: ID of the service principal’s tenant. Also called its ‘directory’ ID.
AZURE_CLIENT_ID: the service principal’s client ID
AZURE_CLIENT_SECRET: one of the service principal’s client secrets
AZURE_AUTHORITY_HOST: authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud, which is the default when no value is given.
- Service principal with certificate:
AZURE_TENANT_ID: ID of the service principal’s tenant. Also called its ‘directory’ ID.
AZURE_CLIENT_ID: the service principal’s client ID
AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM or PKCS12 certificate file including the private key. The certificate must not be password-protected.
AZURE_AUTHORITY_HOST: authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud, which is the default when no value is given.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Asynchronously request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – environment variable configuration is incomplete
-
class
azure.identity.aio.
ManagedIdentityCredential
(**kwargs: Any)[source]¶ Authenticates with an Azure managed identity in any hosting environment which supports managed identities.
This credential defaults to using a system-assigned identity. To configure a user-assigned identity, use one of the keyword arguments. See Azure Active Directory documentation for more information about configuring managed identity for applications.
- Keyword Arguments
client_id (str) – a user-assigned identity’s client ID or, when using Pod Identity, the client ID of an Azure AD app registration. This argument is supported in all hosting environments.
identity_config (Mapping[str, str]) – a mapping
{parameter_name: value}
specifying a user-assigned identity by its object or resource ID, for example{"object_id": "..."}
. Check the documentation for your hosting environment to learn what values it expects.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Asynchronously request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scope for the access token. This credential allows only one scope per request.
- Return type
- Raises
CredentialUnavailableError – managed identity isn’t available in the hosting environment
-
class
azure.identity.aio.
OnBehalfOfCredential
(tenant_id: str, client_id: str, *, client_certificate: bytes = None, client_secret: str = None, user_assertion: str, **kwargs: Any)[source]¶ Authenticates a service principal via the on-behalf-of flow.
This flow is typically used by middle-tier services that authorize requests to other services with a delegated user identity. Because this is not an interactive authentication flow, an application using it must have admin consent for any delegated permissions before requesting tokens for them. See Azure Active Directory documentation for a more detailed description of the on-behalf-of flow.
- Parameters
- Keyword Arguments
client_secret (str) – Optional. A client secret to authenticate the service principal. Either client_secret or client_certificate must be provided.
client_certificate (bytes) – Optional. The bytes of a certificate in PEM or PKCS12 format including the private key to authenticate the service principal. Either client_secret or client_certificate must be provided.
user_assertion (str) – Required. The access token the credential will use as the user assertion when requesting on-behalf-of tokens
authority (str) – Authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.password (str or bytes) – a certificate password. Used only when client_certificate is provided. If this value is a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken¶ Request an access token for scopes.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential is unable to attempt authentication because it lacks required data, state, or platform support
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason.
Authenticates using tokens in the local cache shared between Microsoft applications.
- Parameters
username (str) – Username (typically an email address) of the user to authenticate as. This is required because the local cache may contain tokens for multiple identities.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default).
AzureAuthorityHosts
defines authorities for other clouds.tenant_id (str) – an Azure Active Directory tenant ID. Used to select an account when the cache contains tokens for multiple identities.
cache_persistence_options (TokenCachePersistenceOptions) – configuration for persistent token caching. If not provided, the credential will use the persistent cache shared by Microsoft development applications
Close the credential’s transport session.
Get an access token for scopes from the shared cache.
If no access token is cached, attempt to acquire one using a cached refresh token.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the cache is unavailable or contains insufficient user information
ClientAuthenticationError – authentication failed. The error’s
message
attribute gives a reason. Any error response from Azure Active Directory is available as the error’sresponse
attribute.
Whether the shared token cache is supported on the current platform.
- Return type
-
class
azure.identity.aio.
VisualStudioCodeCredential
(**kwargs: Any)[source]¶ Authenticates as the Azure user signed in to Visual Studio Code.
- Keyword Arguments
authority (str) – authority of an Azure Active Directory endpoint, for example “login.microsoftonline.com”. This argument is required for a custom cloud and usually unnecessary otherwise. Defaults to the authority matching the “Azure: Cloud” setting in VS Code’s user settings or, when that setting has no value, the authority for Azure Public Cloud.
tenant_id (str) – ID of the tenant the credential should authenticate in. Defaults to the “Azure: Tenant” setting in VS Code’s user settings or, when that setting has no value, the “organizations” tenant, which supports only Azure Active Directory work or school accounts.
-
async
get_token
(*scopes: str, **kwargs: Any) → AccessToken[source]¶ Request an access token for scopes as the user currently signed in to Visual Studio Code.
This method is called automatically by Azure SDK clients.
- Parameters
scopes (str) – desired scopes for the access token. This method requires at least one scope.
- Keyword Arguments
tenant_id (str) – optional tenant to include in the token request.
- Return type
- Raises
CredentialUnavailableError – the credential cannot retrieve user details from Visual Studio Code