EnvironmentCredential Class

A credential configured by environment variables.

This credential is capable of authenticating as a service principal using a client secret or a certificate, or as a user with a username and password. Configuration is attempted in this order, using these environment variables:

Service principal with secret:

  • AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.

  • AZURE_CLIENT_ID: the service principal's client ID

  • AZURE_CLIENT_SECRET: one of the service principal's client secrets

  • AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.

Service principal with certificate:

  • AZURE_TENANT_ID: ID of the service principal's tenant. Also called its 'directory' ID.

  • AZURE_CLIENT_ID: the service principal's client ID

  • AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM or PKCS12 certificate file including the private key.

  • AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password of the certificate file, if any.

  • AZURE_AUTHORITY_HOST: authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud, which is the default when no value is given.

Inheritance
azure.identity.aio._internal.AsyncContextManager
EnvironmentCredential

Constructor

EnvironmentCredential(**kwargs: Any)

Examples

Create an EnvironmentCredential.


   from azure.identity.aio import EnvironmentCredential

   credential = EnvironmentCredential()

Methods

close

Close the credential's transport session.

get_token

Asynchronously request an access token for scopes.

This method is called automatically by Azure SDK clients.

get_token_info

Request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

close

Close the credential's transport session.

async close() -> None

get_token

Asynchronously request an access token for scopes.

This method is called automatically by Azure SDK clients.

async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken

Parameters

Name Description
scopes
Required
str

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id
str

optional tenant to include in the token request.

Returns

Type Description

An access token with the desired scopes.

Exceptions

Type Description

environment variable configuration is incomplete

get_token_info

Request an access token for scopes.

This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.

async get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo

Parameters

Name Description
scopes
Required
str

desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
options

A dictionary of options for the token request. Unknown options will be ignored. Optional.

Returns

Type Description
<xref:AccessTokenInfo>

An AccessTokenInfo instance containing information about the token.

Exceptions

Type Description

environment variable configuration is incomplete.