CertificateCredential Class
Authenticates as a service principal using a certificate.
The certificate must have an RSA private key, because this credential signs assertions using RS256. See Microsoft Entra ID documentation for more information on configuring certificate authentication.
Inheritance:
- azure.identity.aio._internal.AsyncContextManager
  - CertificateCredential
- azure.identity.aio._internal.get_token_mixin.GetTokenMixin
  - CertificateCredential
Constructor
CertificateCredential(tenant_id: str, client_id: str, certificate_path: str | None = None, **kwargs: Any)
Parameters

Name | Description
---|---
tenant_id (Required) | ID of the service principal's tenant. Also called its 'directory' ID.
client_id (Required) | The service principal's client ID.
certificate_path | Path to a PEM-encoded certificate file including the private key. If not provided, certificate_data is required. Default value: None
Keyword-Only Parameters

Name | Description
---|---
authority | Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.
certificate_data | The bytes of a certificate in PEM format, including the private key.
password | The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.
cache_persistence_options | Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
additionally_allowed_tenants | Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access.
Examples
Create a CertificateCredential.

```python
from azure.identity.aio import CertificateCredential

credential = CertificateCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    certificate_path="<path to PEM/PKCS12 certificate>",
    password="<certificate password if necessary>",
)

# Certificate/private key byte data can also be passed directly
credential = CertificateCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    certificate_data=b"<cert data>",
)
```
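The credential signs its client assertion with RS256, so certificate material backed by an EC or Ed25519 key is rejected only when a token is first requested. The following pre-flight check, an added example that is not part of azure-identity, inspects the bytes you would pass as `certificate_data` (or read from `certificate_path`): it confirms a certificate and a private key are present, reads the key type from the PEM label or, for PKCS#8, from the AlgorithmIdentifier OID, and flags an encrypted key as needing the `password` argument. The sample PEM blocks are constructed stand-ins with dummy key bytes, not real keys or certificates.

```python
import base64
import re

# DER-encoded algorithm OIDs that open a PKCS#8 PrivateKeyInfo; only RSA works with RS256.
KEY_OIDS = {
    bytes.fromhex("06092a864886f70d010101"): "RSA",  # rsaEncryption
    bytes.fromhex("06072a8648ce3d0201"): "EC",       # id-ecPublicKey
    bytes.fromhex("06032b6570"): "Ed25519",           # id-Ed25519
}
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def inspect_certificate_data(pem: bytes) -> dict:
    """Report what the PEM carries: has_certificate, key_type, needs_password."""
    info = {"has_certificate": False, "key_type": None, "needs_password": False}
    for label, body in _PEM_BLOCK.findall(pem):
        if label == b"CERTIFICATE":
            info["has_certificate"] = True
        elif label == b"RSA PRIVATE KEY":  # PKCS#1 encoding is RSA by definition
            info["key_type"] = "RSA"
        elif label == b"EC PRIVATE KEY":
            info["key_type"] = "EC"
        elif label == b"ENCRYPTED PRIVATE KEY":  # encrypted PKCS#8: `password` is required
            info["key_type"], info["needs_password"] = "unknown", True
        elif label == b"PRIVATE KEY":  # PKCS#8: the AlgorithmIdentifier OID names the key type
            der = base64.b64decode(b"".join(body.split()))
            info["key_type"] = next(
                (name for oid, name in KEY_OIDS.items() if oid in der[:32]), "unknown")
    return info

def usable_for_rs256(pem: bytes) -> bool:
    """True only when the material can back the RS256-signed client assertion."""
    info = inspect_certificate_data(pem)
    return info["has_certificate"] and info["key_type"] == "RSA"

def fake_pkcs8_pem(oid: bytes) -> bytes:
    """Constructed PKCS#8 shell: a real AlgorithmIdentifier around dummy key bytes (not a usable key)."""
    alg = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"
    body = b"\x02\x01\x00" + alg + b"\x04\x04\x00\x00\x00\x00"
    der = b"\x30" + bytes([len(body)]) + body
    return b"-----BEGIN PRIVATE KEY-----\n%s-----END PRIVATE KEY-----\n" % base64.encodebytes(der)

# Constructed sample material: a dummy certificate block paired with each key type.
DUMMY_CERT = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
SAMPLE_RSA = DUMMY_CERT + fake_pkcs8_pem(bytes.fromhex("06092a864886f70d010101"))
SAMPLE_EC = DUMMY_CERT + fake_pkcs8_pem(bytes.fromhex("06072a8648ce3d0201"))
```

Run `usable_for_rs256` on the real file contents before constructing the credential; `inspect_certificate_data` tells you which of the three conditions failed.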
Methods

Name | Description
---|---
close | Close the credential's transport session.
get_token | Request an access token for scopes. This method is called automatically by Azure SDK clients.
get_token_info | Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
close
Close the credential's transport session.
async close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters

Name | Description
---|---
scopes (Required) | desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://zcusa.951200.xyz/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name | Description
---|---
claims | additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.
tenant_id | optional tenant to include in the token request.
enable_cae | indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns

Type | Description
---|---
AccessToken | An access token with the desired scopes.

Exceptions

Type | Description
---|---
 | the credential is unable to attempt authentication because it lacks required data, state, or platform support
 | authentication failed. The error's
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
async get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo
Parameters

Name | Description
---|---
scopes (Required) | desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://zcusa.951200.xyz/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name | Description
---|---
options | A dictionary of options for the token request. Unknown options will be ignored. Optional.

Returns

Type | Description
---|---
AccessTokenInfo | An AccessTokenInfo instance containing information about the token.

Exceptions

Type | Description
---|---
 | the credential is unable to attempt authentication because it lacks required data, state, or platform support
 | authentication failed. The error's
Azure SDK for Python