Movatterモバイル変換

[0]ホーム
URL:

Skip to main contentSkip to in-page navigation

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Download Microsoft EdgeMore info about Internet Explorer and Microsoft Edge
Table of contentsExit focus mode

DefaultAzureCredential Class

A credential capable of handling most Azure SDK authentication scenarios. For more information, SeeUsage guidance for DefaultAzureCredential.

The identity it uses depends on the environment. When an access token is needed, it requests one using theseidentities in turn, stopping when one provides a token:

  1. A service principal configured by environment variables. SeeEnvironmentCredential for more details.

  2. WorkloadIdentityCredential if environment variable configuration is set by the Azure workload identity webhook.

  3. An Azure managed identity. SeeManagedIdentityCredential for more details.

  4. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variableAZURE_USERNAME is used to select which identity to use. SeeSharedTokenCacheCredential for more details.

  5. The identity currently logged in to the Azure CLI.

  6. The identity currently logged in to Azure PowerShell.

  7. The identity currently logged in to the Azure Developer CLI.

This default behavior is configurable with keyword arguments.

Constructor

DefaultAzureCredential(**kwargs: Any)

Keyword-Only Parameters

NameDescription
authority

Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com',the authority for Azure Public Cloud (which is the default).AzureAuthorityHostsdefines authorities for other clouds. Managed identities ignore this because they reside in a single cloud.

exclude_workload_identity_credential

Whether to exclude the workload identity from the credential.Defaults toFalse.

exclude_developer_cli_credential

Whether to exclude the Azure Developer CLIfrom the credential. Defaults toFalse.

exclude_cli_credential

Whether to exclude the Azure CLI from the credential. Defaults toFalse.

exclude_environment_credential

Whether to exclude a service principal configured by environmentvariables from the credential. Defaults toFalse.

exclude_managed_identity_credential

Whether to exclude managed identity from the credential.Defaults toFalse.

exclude_powershell_credential

Whether to exclude Azure PowerShell. Defaults toFalse.

exclude_visual_studio_code_credential

Whether to exclude stored credential from VS Code.Defaults toTrue.

exclude_shared_token_cache_credential

Whether to exclude the shared token cache. Defaults toFalse.

exclude_interactive_browser_credential

Whether to exclude interactive browser authentication (seeInteractiveBrowserCredential). Defaults toTrue.

interactive_browser_tenant_id

Tenant ID to use when authenticating a user throughInteractiveBrowserCredential. Defaults to the value of environment variableAZURE_TENANT_ID, if any. If unspecified, users will authenticate in their home tenants.

managed_identity_client_id

The client ID of a user-assigned managed identity. Defaults to the valueof the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used.

workload_identity_client_id

The client ID of an identity assigned to the pod. Defaults to the valueof the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used.

workload_identity_tenant_id

Preferred tenant forWorkloadIdentityCredential.Defaults to the value of environment variable AZURE_TENANT_ID, if any.

interactive_browser_client_id

The client ID to be used in interactive browser credential. If notspecified, users will authenticate to an Azure development application.

shared_cache_username

Preferred username forSharedTokenCacheCredential.Defaults to the value of environment variable AZURE_USERNAME, if any.

shared_cache_tenant_id

Preferred tenant forSharedTokenCacheCredential.Defaults to the value of environment variable AZURE_TENANT_ID, if any.

visual_studio_code_tenant_id

Tenant ID to use when authenticating withVisualStudioCodeCredential. Defaults to the "Azure: Tenant" setting in VS Code's usersettings or, when that setting has no value, the "organizations" tenant, which supports only Azure ActiveDirectory work or school accounts.

process_timeout

The timeout in seconds to use for developer credentials that runsubprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to10 seconds.

Examples

Create a DefaultAzureCredential.

   from azure.identity import DefaultAzureCredential   credential = DefaultAzureCredential()

Methods

close

Close the transport session of each credential in the chain.

get_token

Request an access token forscopes.

This method is called automatically by Azure SDK clients.

get_token_info

Request an access token forscopes.

This is an alternative toget_token to enable certain scenarios that require additional propertieson the token. This method is called automatically by Azure SDK clients.

close

Close the transport session of each credential in the chain.

close() -> None

get_token

Request an access token forscopes.

This method is called automatically by Azure SDK clients.

get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

NameDescription
scopes
Required

desired scopes for the access token. This method requires at least one scope.For more information about scopes, seehttps://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

NameDescription
claims

additional claims required in the token, such as those returned in a resource provider'sclaims challenge following an authorization failure.

Default value: None
tenant_id

optional tenant to include in the token request.

Default value: None

Returns

TypeDescription

An access token with the desired scopes.

Exceptions

TypeDescription

authentication failed. The exception has amessage attribute listing each authentication attempt and its error message.

get_token_info

Request an access token forscopes.

This is an alternative toget_token to enable certain scenarios that require additional propertieson the token. This method is called automatically by Azure SDK clients.

get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo

Parameters

NameDescription
scopes
Required

desired scopes for the access token. This method requires at least one scope.For more information about scopes, seehttps://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

NameDescription
options

A dictionary of options for the token request. Unknown options will be ignored. Optional.

Default value: None

Returns

TypeDescription

An AccessTokenInfo instance containing information about the token.

Exceptions

TypeDescription

authentication failed. The exception has amessage attribute listing each authentication attempt and its error message.

Collaborate with us on GitHub
The source for this content can be found on GitHub, where you can also create and review issues and pull requests. For more information, seeour contributor guide.

Feedback

Was this page helpful?

YesNo

In this article

Was this page helpful?

YesNo