azure.identity package
Subpackages
Module contents
-
class azure.identity.AuthorizationCodeCredential(tenant_id, client_id, authorization_code, redirect_uri, **kwargs)
Authenticates by redeeming an authorization code previously obtained from Azure Active Directory.
See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow for more information about the authentication flow.
- Parameters
tenant_id (str) – ID of the application’s Azure Active Directory tenant. Also called its ‘directory’ ID.
client_id (str) – the application’s client ID
authorization_code (str) – the authorization code from the user’s log-in
redirect_uri (str) – The application’s redirect URI. Must match the URI used to request the authorization code.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
client_secret (str) – One of the application’s client secrets. Required only for web apps and web APIs.
-
get_token(*scopes, **kwargs)
Request an access token for scopes.
The first time this method is called, the credential will redeem its authorization code. On subsequent calls the credential will return a cached access token or redeem a refresh token, if it acquired a refresh token upon redeeming the authorization code.
- Parameters
scopes (str) – desired scopes for the access token
- Return type
azure.core.credentials.AccessToken
- Raises
ClientAuthenticationError –
-
class azure.identity.CertificateCredential(tenant_id, client_id, certificate_path, **kwargs)
Authenticates as a service principal using a certificate.
- Parameters
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
-
class azure.identity.ChainedTokenCredential(*credentials)
A sequence of credentials that is itself a credential.
Its get_token method calls get_token on each credential in the sequence, in order, returning the first valid token received.
- Parameters
credentials (azure.core.credentials.TokenCredential) – credential instances to form the chain
-
get_token(*scopes, **kwargs)
Request a token from each chained credential, in order, returning the first token received.
If none provides a token, raises azure.core.exceptions.ClientAuthenticationError with an error message from each credential.
- Parameters
scopes (str) – desired scopes for the token
- Raises
ClientAuthenticationError –
-
class azure.identity.ClientSecretCredential(tenant_id, client_id, client_secret, **kwargs)
Authenticates as a service principal using a client ID and client secret.
- Parameters
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
-
class azure.identity.DefaultAzureCredential(**kwargs)
A default credential capable of handling most Azure SDK authentication scenarios.
The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:
1. A service principal configured by environment variables. See EnvironmentCredential for more details.
2. An Azure managed identity. See ManagedIdentityCredential for more details.
3. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.
-
get_token(*scopes, **kwargs)
Request a token from each chained credential, in order, returning the first token received.
If none provides a token, raises azure.core.exceptions.ClientAuthenticationError with an error message from each credential.
- Parameters
scopes (str) – desired scopes for the token
- Raises
ClientAuthenticationError –
-
class azure.identity.DeviceCodeCredential(client_id, **kwargs)
Authenticates users through the device code flow.
When get_token is called, this credential acquires a verification URL and code from Azure Active Directory. A user must browse to the URL, enter the code, and authenticate with Azure Active Directory. If the user authenticates successfully, the credential receives an access token.
This credential doesn’t cache tokens–each get_token call begins a new authentication flow.
For more information about the device code flow, see Azure Active Directory documentation: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code
- Parameters
client_id (str) – the application’s ID
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
tenant_id (str) – an Azure Active Directory tenant ID. Defaults to the ‘organizations’ tenant, which can authenticate work or school accounts. Required for single-tenant applications.
timeout (int) – seconds to wait for the user to authenticate. Defaults to the validity period of the device code as set by Azure Active Directory, which also prevails when timeout is longer.
prompt_callback (Callable[str, str, datetime]) – A callback enabling control of how authentication instructions are presented. Must accept arguments (verification_uri, user_code, expires_on):
  verification_uri (str) the URL the user must visit
  user_code (str) the code the user must enter there
  expires_on (datetime.datetime) the UTC time at which the code will expire
If this argument isn’t provided, the credential will print instructions to stdout.
-
class azure.identity.EnvironmentCredential(**kwargs)
A credential configured by environment variables.
This credential is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password. Configuration is attempted in this order, using these environment variables:
- Service principal with secret:
AZURE_TENANT_ID: ID of the service principal’s tenant. Also called its ‘directory’ ID.
AZURE_CLIENT_ID: the service principal’s client ID
AZURE_CLIENT_SECRET: one of the service principal’s client secrets
- Service principal with certificate:
AZURE_TENANT_ID: ID of the service principal’s tenant. Also called its ‘directory’ ID.
AZURE_CLIENT_ID: the service principal’s client ID
AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM-encoded certificate file including the private key. The certificate must not be password-protected.
- User with username and password:
AZURE_CLIENT_ID: the application’s client ID
AZURE_USERNAME: a username (usually an email address)
AZURE_PASSWORD: that user’s password
AZURE_TENANT_ID: (optional) ID of the service principal’s tenant. Also called its ‘directory’ ID. If not provided, defaults to the ‘organizations’ tenant, which supports only Azure Active Directory work or school accounts.
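The configuration order above can be checked before deployment to see which identity a process would pick up. The following is an added example, not part of the azure.identity package: audit_environment and MODES are hypothetical names, the check mirrors only the order documented here, and it assumes an empty value counts as unset.

```python
import os

# (mode, required variables, variables unique to that mode), in the order
# the EnvironmentCredential documentation says configuration is attempted.
MODES = [
    ("service principal with secret",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"),
     ("AZURE_CLIENT_SECRET",)),
    ("service principal with certificate",
     ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"),
     ("AZURE_CLIENT_CERTIFICATE_PATH",)),
    ("user with username and password",
     ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"),
     ("AZURE_USERNAME", "AZURE_PASSWORD")),
]

def audit_environment(env=None):
    """Return (selected_mode_or_None, findings) for a mapping of variables."""
    env = os.environ if env is None else env
    # Assumption of this example: an empty value counts as unset.
    present = {name for name, value in env.items() if value}
    selected, findings = None, []
    for mode, required, unique in MODES:
        missing = [name for name in required if name not in present]
        if not missing:
            if selected is None:
                selected = mode  # first complete mode wins
            else:
                findings.append(f"{mode}: fully configured but shadowed by {selected}")
        elif any(name in present for name in unique):
            findings.append(f"{mode}: incomplete, missing {', '.join(missing)}")
    if selected == MODES[2][0]:
        findings.append("username/password is non-interactive: no MFA or consent prompt")
        if "AZURE_TENANT_ID" not in present:
            findings.append("AZURE_TENANT_ID unset: the 'organizations' tenant is used")
    return selected, findings

if __name__ == "__main__":
    # Constructed sample values; no real tenant, client or secret.
    sample = {
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
        "AZURE_CLIENT_SECRET": "constructed-secret",
        "AZURE_USERNAME": "user@example.com",
        "AZURE_PASSWORD": "constructed-password",
    }
    mode, notes = audit_environment(sample)
    print(mode, *notes, sep="\n - ")
```

A shadowed username/password pair in the output usually means leftover user credentials in a service environment that can be removed.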
-
class azure.identity.InteractiveBrowserCredential(**kwargs)
Opens a browser to interactively authenticate a user.
This is an interactive flow: get_token opens a browser to a login URL provided by Azure Active Directory, and waits for the user to authenticate there.
get_token() opens a browser to a login URL provided by Azure Active Directory and authenticates a user there with the authorization code flow. Azure Active Directory documentation describes this flow in more detail: https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
tenant_id (str) – an Azure Active Directory tenant ID. Defaults to the ‘organizations’ tenant, which can authenticate work or school accounts.
client_id (str) – Client ID of the Azure Active Directory application users will sign in to. If unspecified, the Azure CLI’s ID will be used.
timeout (int) – seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes).
-
get_token(*scopes, **kwargs)
Request an access token for scopes.
This will open a browser to a login page and listen on localhost for a request indicating authentication has completed.
- Parameters
scopes (str) – desired scopes for the token
- Return type
azure.core.credentials.AccessToken
- Raises
ClientAuthenticationError –
-
class azure.identity.KnownAuthorities
-
AZURE_CHINA = 'login.chinacloudapi.cn'
-
AZURE_GERMANY = 'login.microsoftonline.de'
-
AZURE_GOVERNMENT = 'login.microsoftonline.us'
-
AZURE_PUBLIC_CLOUD = 'login.microsoftonline.com'
-
-
class azure.identity.ManagedIdentityCredential(**kwargs)
Authenticates with an Azure managed identity in any hosting environment which supports managed identities.
See the Azure Active Directory documentation for more information about managed identities: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
- Keyword Arguments
client_id (str) – ID of a user-assigned identity. Leave unspecified to use a system-assigned identity.
Authenticates using tokens in the local cache shared between Microsoft applications.
- Parameters
username (str) – Username (typically an email address) of the user to authenticate as. This is required because the local cache may contain tokens for multiple identities.
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default).
KnownAuthorities
defines authorities for other clouds.
Get an access token for scopes from the shared cache.
If no access token is cached, attempt to acquire one using a cached refresh token.
- Parameters
scopes (str) – desired scopes for the token
- Return type
azure.core.credentials.AccessToken
- Raises
azure.core.exceptions.ClientAuthenticationError – when the cache is unavailable or no access token can be acquired from it
Whether the shared token cache is supported on the current platform.
- Return type
-
class azure.identity.UsernamePasswordCredential(client_id, username, password, **kwargs)
Authenticates a user with a username and password.
In general, Microsoft doesn’t recommend this kind of authentication, because it’s less secure than other authentication flows.
Authentication with this credential is not interactive, so it is not compatible with any form of multi-factor authentication or consent prompting. The application must already have consent from the user or a directory admin.
This credential can only authenticate work and school accounts; Microsoft accounts are not supported. See this document for more information about account types: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/sign-up-organization
- Parameters
- Keyword Arguments
authority (str) – Authority of an Azure Active Directory endpoint, for example ‘login.microsoftonline.com’, the authority for Azure Public Cloud (which is the default). KnownAuthorities defines authorities for other clouds.
tenant_id (str) – tenant ID or a domain associated with a tenant. If not provided, defaults to the ‘organizations’ tenant, which supports only Azure Active Directory work or school accounts.