From 19dc1fdeec023c326e2c7acde40f17909c95b4ae Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:49:48 -0700 Subject: [PATCH 01/10] Create managed-identity.md --- .../advanced/managed-identity.md | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 msal-python-conceptual/advanced/managed-identity.md diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md new file mode 100644 index 0000000..d6f47eb --- /dev/null +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -0,0 +1,50 @@ +--- +title: Using Managed Identity +description: Learn how to use Managed Identity with Microsoft Authentication Library (MSAL) for Python. +author: localden + +ms.service: msal +ms.subservice: msal-python +ms.topic: conceptual +ms.date: 06/25/2024 +ms.author: ddelimarsky +ms.reviewer: rayluo +--- + +# Using Managed Identity + +[Managed identity](/entra/identity/managed-identities-azure-resources/overview) enables developers to remove the need to store, rotate, and otherwise handle credentials for their applications running in the Microsoft Azure cloud. Microsoft Authentication Library (MSAL) for Python supports using authentication with managed identity on supported Azure workloads. + +>[!NOTE] +>Managed Identity in MSAL Python is supported since version [1.29.0](https://pypi.org/project/msal/1.29.0/) of the [`msal` package](https://pypi.org/project/msal/). + +MSAL Python supports acquiring tokens through the managed identity service when used with applications running inside Azure infrastructure, such as: + +- [Azure App Service](https://azure.microsoft.com/products/app-service/) (API version `2019-08-01` and above) +- [Azure VMs](https://azure.microsoft.com/free/virtual-machines/) +- [Azure Arc](/azure/azure-arc/overview) +- [Azure Cloud Shell](/azure/cloud-shell/overview) +- [Azure Service Fabric](/azure/service-fabric/service-fabric-overview) + +For a complete list, refer to [Azure services that can use managed identities to access other services](/azure/active-directory/managed-identities-azure-resources/managed-identities-status). + +## Which SDK to use - Azure SDK or MSAL? + +MSAL libraries provide lower level APIs that are closer to the OAuth2 and OIDC protocols. + +Both MSAL Python and Azure SDK allow to acquire tokens via managed identity. Internally, Azure SDK uses MSAL Python, and it provides a higher-level API via its [`DefaultAzureCredential`](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) and [`ManagedIdentityCredential`](/python/api/azure-identity/azure.identity.ManagedIdentityCredential?view=azure-python) abstractions. + +If your application already uses one of the SDKs, continue using the same SDK. + +- Use Azure SDK if you are writing a new application and plan to call other Azure resources, as this SDK provides a better developer experience by allowing the app to run on private developer machines where managed identity doesn't exist. +- Use MSAL if you need to call other downstream web APIs like Microsoft Graph or your own web API. + +## How to use managed identities + +There are two types of managed identities available to developers - **system-assigned** and **user-assigned**. You can learn more about the differences in the [Managed identity types](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types) article. MSAL Python supports acquiring tokens with both. MSAL Python logging allows to keep track of requests and related metadata. + +Prior to using managed identities from MSAL Python, developers must enable them for the resources they want to use through Azure CLI or the Azure Portal. + +## Examples + +### System-assigned managed identities From ac479cd0298f2b4857ca0d3d6f728519200c0ae6 Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:52:04 -0700 Subject: [PATCH 02/10] Update managed-identity.md --- msal-python-conceptual/advanced/managed-identity.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index d6f47eb..d95b807 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -47,4 +47,6 @@ Prior to using managed identities from MSAL Python, developers must enable them ## Examples +In both system- and user-assigned identities, developers need to use to access managed identities. + ### System-assigned managed identities From 6feee76465187c2682c0cc0443ccd9e33a9f5834 Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 16:52:37 -0700 Subject: [PATCH 03/10] Add sample --- msal-python-conceptual/TOC.yml | 3 ++- .../advanced/managed-identity.md | 20 +++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/msal-python-conceptual/TOC.yml b/msal-python-conceptual/TOC.yml index a4009d8..6757266 100644 --- a/msal-python-conceptual/TOC.yml +++ b/msal-python-conceptual/TOC.yml @@ -25,7 +25,8 @@ href: advanced/aad-b2c.md - name: Active Directory Federation Services (ADFS) Support href: advanced/msal-python-adfs-support.md - - name: National clouds + - name: Using Managed Identity + href: advanced/managed-identity.md - name: Username and password authentication href: advanced/username-password-authentication.md - name: How to generate secret and/or certificate for Confidential Client diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index d95b807..f594f2a 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -50,3 +50,23 @@ Prior to using managed identities from MSAL Python, developers must enable them In both system- and user-assigned identities, developers need to use to access managed identities. ### System-assigned managed identities + +System-assigned managed identities can be used by instantiating and passing to . + +>[!NOTE] +>You also need to pass a `http_client` reference. + +```python +import msal +import requests + +managed_identity = msal.SystemAssignedManagedIdentity() + +global_app = msal.ManagedIdentityClient(managed_identity, http_client=requests.Session()) + +result = global_app.acquire_token_for_client(resource='https://vault.azure.net') + +if "access_token" in result: + print("Token obtained!") +``` + From 49c4b0d33c5f9106b4be985e2859c691653571e3 Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 17:23:45 -0700 Subject: [PATCH 04/10] Update managed-identity.md --- msal-python-conceptual/advanced/managed-identity.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index f594f2a..fd01ac6 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -54,7 +54,9 @@ In both system- and user-assigned identities, developers need to use and passing to . >[!NOTE] ->You also need to pass a `http_client` reference. +>You also need to pass a `http_client` reference, which can be set to `requests.Session()`, which keeps track of a pool of connections to the IMDS endpoint. + +You can specify the target resource scope when calling [`acquire_token_for_client`](xref:msal.managed_identity.ManagedIdentityClient.acquire_token_for_client). ```python import msal From 7a8407036d8ec8cf307d00239efc97e960b95f52 Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 17:36:27 -0700 Subject: [PATCH 05/10] Update managed-identity.md --- .../advanced/managed-identity.md | 38 ++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index fd01ac6..484b758 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -54,7 +54,7 @@ In both system- and user-assigned identities, developers need to use and passing to . >[!NOTE] ->You also need to pass a `http_client` reference, which can be set to `requests.Session()`, which keeps track of a pool of connections to the IMDS endpoint. +>You need to include a `http_client` reference, which can be set to `requests.Session()`. This enables MSAL to maintain a pool of connections to the IMDS endpoint. You can specify the target resource scope when calling [`acquire_token_for_client`](xref:msal.managed_identity.ManagedIdentityClient.acquire_token_for_client). @@ -72,3 +72,39 @@ if "access_token" in result: print("Token obtained!") ``` +>[!IMPORTANT] +>You need to enable a system-assigned identity for the resource where the Python code runs; otherwise, no token will be returned. + +### User-assigned managed identities + +User-assigned managed identities can be used by instantiating and passing to . You will need to specify the **one of the following**: + +- Client ID (`client_id`) +- Resource ID (`resource_id`) +- Object ID (`object_id`) + +>[!NOTE] +>You need to include a `http_client` reference, which can be set to `requests.Session()`. This enables MSAL to maintain a pool of connections to the IMDS endpoint. + +You can specify the target resource scope when calling [`acquire_token_for_client`](xref:msal.managed_identity.ManagedIdentityClient.acquire_token_for_client). + +```python +import msal +import requests + +managed_identity = msal.UserAssignedManagedIdentity(client_id='YOUR_CLIENT_ID') + +global_app = msal.ManagedIdentityClient(managed_identity, http_client=requests.Session()) + +result = global_app.acquire_token_for_client(resource='https://vault.azure.net') + +if "access_token" in result: + print("Token obtained!") +``` + +>[!IMPORTANT] +>You need to attach a user-assigned identity for the resource where the Python code runs; otherwise, no token will be returned. If an incorrect identifier is used for the user-assigned managed identity, no token will be returned as well. + +## Caching + +By default, MSAL Python supports in-memory caching. MSAL does not support cache extensibility for managed identity because of security concerns when using distributed cache. Since a token acquired for managed identity belongs to an Azure resource, using a distributed cache might expose it to the other Azure resources sharing the cache. \ No newline at end of file From 916dd97ef1482cdf08869f15d6b26a1a747975ef Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Tue, 25 Jun 2024 17:36:43 -0700 Subject: [PATCH 06/10] Update managed-identity.md --- msal-python-conceptual/advanced/managed-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index 484b758..68010f3 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -32,7 +32,7 @@ For a complete list, refer to [Azure services that can use managed identities to MSAL libraries provide lower level APIs that are closer to the OAuth2 and OIDC protocols. -Both MSAL Python and Azure SDK allow to acquire tokens via managed identity. Internally, Azure SDK uses MSAL Python, and it provides a higher-level API via its [`DefaultAzureCredential`](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) and [`ManagedIdentityCredential`](/python/api/azure-identity/azure.identity.ManagedIdentityCredential?view=azure-python) abstractions. +Both MSAL Python and Azure SDK allow to acquire tokens via managed identity. Internally, Azure SDK uses MSAL Python, and it provides a higher-level API via its [`DefaultAzureCredential`](/python/api/azure-identity/azure.identity.defaultazurecredential) and [`ManagedIdentityCredential`](/python/api/azure-identity/azure.identity.ManagedIdentityCredential) abstractions. If your application already uses one of the SDKs, continue using the same SDK. From 4eeacfe3fb20d44a4b65ef85697ae5954cd75c1b Mon Sep 17 00:00:00 2001 From: Den Delimarsky <53200638+localden@users.noreply.github.com> Date: Fri, 28 Jun 2024 14:46:35 -0700 Subject: [PATCH 07/10] Update msal-python-conceptual/advanced/managed-identity.md Co-authored-by: Ray Luo --- msal-python-conceptual/advanced/managed-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index 68010f3..c99ffc6 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -20,7 +20,7 @@ ms.reviewer: rayluo MSAL Python supports acquiring tokens through the managed identity service when used with applications running inside Azure infrastructure, such as: -- [Azure App Service](https://azure.microsoft.com/products/app-service/) (API version `2019-08-01` and above) +- [Azure App Service](https://azure.microsoft.com/products/app-service/) (API version `2019-08-01`) - [Azure VMs](https://azure.microsoft.com/free/virtual-machines/) - [Azure Arc](/azure/azure-arc/overview) - [Azure Cloud Shell](/azure/cloud-shell/overview) From b33355f8eff15f2196a4235c546f39f2870c66f3 Mon Sep 17 00:00:00 2001 From: Den Delimarsky <53200638+localden@users.noreply.github.com> Date: Fri, 28 Jun 2024 14:52:24 -0700 Subject: [PATCH 08/10] Update msal-python-conceptual/advanced/managed-identity.md Co-authored-by: Ray Luo --- msal-python-conceptual/advanced/managed-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index c99ffc6..354a307 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -107,4 +107,4 @@ if "access_token" in result: ## Caching -By default, MSAL Python supports in-memory caching. MSAL does not support cache extensibility for managed identity because of security concerns when using distributed cache. Since a token acquired for managed identity belongs to an Azure resource, using a distributed cache might expose it to the other Azure resources sharing the cache. \ No newline at end of file +By default, MSAL Python supports in-memory caching. MSAL Python also support cache extensibility for managed identity, so that you may persist the token cache on disk. This can be useful if you are writing a command-line script in Python. We do not recommend sharing managed identity token cache among multiple machines. \ No newline at end of file From c362e24d312f080456ee4b6085c2ff407ddef99b Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Fri, 28 Jun 2024 15:11:18 -0700 Subject: [PATCH 09/10] Update managed-identity.md --- msal-python-conceptual/advanced/managed-identity.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index 354a307..910fd71 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -25,6 +25,7 @@ MSAL Python supports acquiring tokens through the managed identity service when - [Azure Arc](/azure/azure-arc/overview) - [Azure Cloud Shell](/azure/cloud-shell/overview) - [Azure Service Fabric](/azure/service-fabric/service-fabric-overview) +- [Azure ML](/azure/machine-learning/how-to-identity-based-service-authentication) For a complete list, refer to [Azure services that can use managed identities to access other services](/azure/active-directory/managed-identities-azure-resources/managed-identities-status). @@ -102,6 +103,9 @@ if "access_token" in result: print("Token obtained!") ``` +>[!NOTE] +>MSAL Python's [built-in Managed Identity (MI) sample](https://github.com/AzureAD/microsoft-authentication-library-for-python/blob/1.29.0/sample/managed_identity_sample.py#L38-L42) showcases how user-assigned managed identity can be inferred from environment variables. It's an advanced usage pattern that can be used instead of explicit definition of the client ID in code. + >[!IMPORTANT] >You need to attach a user-assigned identity for the resource where the Python code runs; otherwise, no token will be returned. If an incorrect identifier is used for the user-assigned managed identity, no token will be returned as well. From 5ca31614a49687b23425766650ae283930e99dfd Mon Sep 17 00:00:00 2001 From: Den <53200638+localden@users.noreply.github.com> Date: Fri, 28 Jun 2024 15:14:33 -0700 Subject: [PATCH 10/10] Update managed-identity.md --- msal-python-conceptual/advanced/managed-identity.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/msal-python-conceptual/advanced/managed-identity.md b/msal-python-conceptual/advanced/managed-identity.md index 910fd71..a16f1da 100644 --- a/msal-python-conceptual/advanced/managed-identity.md +++ b/msal-python-conceptual/advanced/managed-identity.md @@ -111,4 +111,7 @@ if "access_token" in result: ## Caching -By default, MSAL Python supports in-memory caching. MSAL Python also support cache extensibility for managed identity, so that you may persist the token cache on disk. This can be useful if you are writing a command-line script in Python. We do not recommend sharing managed identity token cache among multiple machines. \ No newline at end of file +By default, MSAL Python supports in-memory caching. + +>[!IMPORTANT] +>MSAL Python also supports cache extensibility for managed identity, so that you may persist the token cache on disk. This can be useful if you are writing a command-line script and a few other limited scenarios. We **do not recommend** sharing managed identity token cache among multiple machines as this can result in unexpected access behaviors for users of the cache.