# Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

## Installation

```bash
pip install azure-identity
```
## Environment Variables

```bash
# Service principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned managed identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```
## DefaultAzureCredential

The recommended credential for most scenarios. It tries multiple authentication methods in order:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local development and in production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)
```
### Credential Chain Order

| Order | Credential | Environment |
|---|---|---|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with the Azure extension |
| 6 | AzureCliCredential | az login |
| 7 | AzurePowerShellCredential | Connect-AzAccount |
| 8 | AzureDeveloperCliCredential | azd auth login |
### Customizing DefaultAzureCredential

```python
from azure.identity import DefaultAzureCredential

# Exclude credentials you do not need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # for a user-assigned managed identity
)

# Enable the interactive browser credential (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)
```
## Specific Credential Types

### ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

```python
from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)
```
### ClientSecretCredential

For a service principal with a client secret:

```python
import os
from azure.identity import ClientSecretCredential

# Read the secret from the environment rather than hardcoding it
credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
```
### AzureCliCredential

Uses the account signed in with az login:

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```
### ChainedTokenCredential

Custom credential chain:

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to the CLI if it fails
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)
```
## Credential Types Table

| Credential | Use Case | Auth Method |
|---|---|---|
| DefaultAzureCredential | Most scenarios | Auto-detect |
| ManagedIdentityCredential | Azure-hosted apps | Managed identity |
| ClientSecretCredential | Service principal | Client secret |
| ClientCertificateCredential | Service principal | Certificate |
| AzureCliCredential | Local development | Azure CLI |
| AzureDeveloperCliCredential | Local development | Azure Developer CLI |
| InteractiveBrowserCredential | User sign-in | Browser OAuth |
| DeviceCodeCredential | Headless/SSH | Device code flow |
## Getting Tokens Directly

```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get a token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires at: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
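A token fetched with `get_token` and handed to something outside the SDK (the PostgreSQL case above, where it is used as the database password) is not refreshed by any Azure client, so the caller has to re-request it before `expires_on`. The following example is added here and is not code from the original page or from the azure-identity project: it wraps any object with the `get_token(scope)` signature in a small cache that refreshes inside a configurable margin, and decodes the JWT payload (without signature verification) so the caller can confirm the `aud` claim names the resource it is about to present the token to. The credential, clock and token values inside `demo()` are constructed stand-ins, and the audience string is assumed for the demo.

```python
import base64
import json
import time
from collections import namedtuple

PG_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"
AccessToken = namedtuple("AccessToken", "token expires_on")  # same (token, expires_on) shape azure-identity returns

class RefreshingTokenSource:
    """Cache one scope's token and re-request it before it expires.
    `get_token` is anything with the get_token(scope) signature, e.g. DefaultAzureCredential."""
    def __init__(self, get_token, scope, refresh_margin=300, clock=time.time):
        self._get_token, self._scope = get_token, scope
        self._margin, self._clock, self._cached = refresh_margin, clock, None

    def token(self):
        remaining = self._cached.expires_on - self._clock() if self._cached else -1
        if remaining < self._margin:              # expired or about to expire: refresh now
            self._cached = self._get_token(self._scope)
        return self._cached.token

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def audience_matches(token, expected_aud):
    """Refuse to present a token to a resource it was not minted for."""
    return jwt_claims(token).get("aud") == expected_aud

def make_unsigned_test_jwt(claims):
    """Constructed, unsigned JWT for offline demos only; never accept such tokens in production."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."

def demo():
    """Exercise the cache with a fake credential and a controllable clock (no network)."""
    clock, issued, aud = [1_700_000_000], [], "https://ossrdbms-aad.database.windows.net"  # assumed audience
    def fake_get_token(scope):                    # stand-in for a real credential's get_token
        issued.append(scope)
        exp = clock[0] + 3600                     # one-hour lifetime, constructed for the demo
        return AccessToken(make_unsigned_test_jwt({"aud": aud, "exp": exp}), exp)
    src = RefreshingTokenSource(fake_get_token, PG_SCOPE, clock=lambda: clock[0])
    first = src.token()
    clock[0] += 1800                              # 30 min later: cached token reused
    second = src.token()
    clock[0] += 1700                              # 58 min 20 s in: inside the margin, refreshed
    third = src.token()
    return {"requests": len(issued), "reused": first == second,
            "refreshed": third != second, "aud_ok": audience_matches(third, aud)}
```

With a real credential, pass `DefaultAzureCredential().get_token` as `get_token` and call `.token()` each time a new database connection is opened.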
## Async Client

```python
import asyncio
from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient

async def main():
    credential = DefaultAzureCredential()
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    # Async credentials hold a transport; close them explicitly
    await credential.close()

asyncio.run(main())
```
## Best Practices

- Use DefaultAzureCredential for code that runs both locally and in Azure
- Never hardcode credentials; use environment variables or managed identity
- Prefer managed identity in production Azure deployments
- Use ChainedTokenCredential when you need a custom credential order
- Close async credentials explicitly or use a context manager
- Set AZURE_CLIENT_ID for user-assigned managed identities
- Exclude unused credentials to speed up authentication