The newest Azure SDK libraries (the "client" and "management" libraries
listed here)
use credentials from azure-identity to authenticate requests. Older versions
of these libraries typically used credentials from azure-common. Credential
types from these two libraries have different APIs, causing clients to raise
AttributeError when given a credential from the wrong library. For example, a
client expecting an azure-identity credential will raise an error like
'ServicePrincipalCredentials' object has no attribute 'get_token' when given a
credential from azure-common. A client expecting an azure-common credential
will raise an error like
'ClientSecretCredential' object has no attribute 'signed_session' when given
an azure-identity credential.
This document shows common authentication code using azure-common, and its
equivalent using azure-identity.
azure-common uses ServicePrincipalCredentials to authenticate a service principal:
from azure.common.credentials import ServicePrincipalCredentials
credential = ServicePrincipalCredentials(client_id, client_secret, tenant=tenant_id)azure-identity uses ClientSecretCredential :
from azure.identity import ClientSecretCredential
credential = ClientSecretCredential(tenant_id, client_id, client_secret)azure-common provides the
get_client_from_cli_profile function to
integrate with the Azure CLI for authentication. This code works with older
versions of azure-mgmt-resource such as 10.0.0:
from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.resource import SubscriptionClient
subscription_client = get_client_from_cli_profile(SubscriptionClient)azure-identity integrates with the Azure CLI through its
AzureCliCredential. This code works with newer versions of
azure-mgmt-resource, starting with 15.0.0:
from azure.identity import AzureCliCredential
from azure.mgmt.resource import SubscriptionClient
credential = AzureCliCredential()
subscription_client = SubscriptionClient(credential)To encourage best security practices, azure-identity does not support JSON- and file-based authentication in the same
way as azure-common. azure-common provided factory methods like get_client_from_json_dict and
get_client_from_auth_file that are no longer available in azure-identity.
In azure-common you could provide credentials in a JSON dictionary, or from a JSON file:
from azure.common.client_factory import get_client_from_json_dict, get_client_from_auth_file
from azure.mgmt.keyvault import KeyVaultManagementClient
# Provide credentials in JSON:
json_dict = {
"clientId": "...",
"clientSecret": "...",
"subscriptionId": "...",
"tenantId": "...",
"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
"resourceManagerEndpointUrl": "https://management.azure.com"
}
client = get_client_from_json_dict(KeyVaultManagementClient, json_dict)
# Or, provide credentials from a JSON file:
client = get_client_from_auth_file(KeyVaultManagementClient, "credentials.json")If it's not possible to immediately migrate from file-based authentication, you can still use azure-identity. With a
JSON file containing your credentials, you can use json.load to authenticate a service principal with a
ClientSecretCredential:
import json
from azure.identity import ClientSecretCredential
from azure.mgmt.keyvault import KeyVaultManagementClient
with open("credentials.json") as json_file:
json_dict = json.load(json_file)
credential = ClientSecretCredential(
tenant_id=json_dict["tenantId"],
client_id=json_dict["clientId"],
client_secret=json_dict["clientSecret"],
authority=json_dict["activeDirectoryEndpointUrl"]
)
client = KeyVaultManagementClient(
credential,
json_dict["subscriptionId"],
base_url=json_dict["resourceManagerEndpointUrl"],
credential_scopes=["{}/.default".format(json_dict["resourceManagerEndpointUrl"])]
)If storing credentials in a file, be sure to protect access to this file. Make certain that it's excluded by version
control -- for example, by adding the credential file name to your project's .gitignore file.
The global documentation for authenticating Python apps on Azure is available here.
