DefaultAzureCredential Class
A credential capable of handling most Azure SDK authentication scenarios. See https://aka.ms/azsdk/python/identity/credential-chains#usage-guidance-for-defaultazurecredential.
The identity it uses depends on the environment. When an access token is needed, it requests one using these identities in turn, stopping when one provides a token:
A service principal configured by environment variables. See EnvironmentCredential for more details.
WorkloadIdentityCredential if environment variable configuration is set by the Azure workload identity webhook.
An Azure managed identity. See ManagedIdentityCredential for more details.
On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, then the value of the environment variable
AZURE_USERNAME
is used to select which identity to use. See SharedTokenCacheCredential for more details.The identity currently logged in to the Azure CLI.
The identity currently logged in to Azure PowerShell.
The identity currently logged in to the Azure Developer CLI.
This default behavior is configurable with keyword arguments.
- Inheritance
-
azure.identity.aio._credentials.chained.ChainedTokenCredentialDefaultAzureCredential
Constructor
DefaultAzureCredential(**kwargs: Any)
Keyword-Only Parameters
Name | Description |
---|---|
authority
|
Authority of a Microsoft Entra endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. Managed identities ignore this because they reside in a single cloud. |
exclude_workload_identity_credential
|
Whether to exclude the workload identity from the credential. Defaults to False. |
exclude_developer_cli_credential
|
Whether to exclude the Azure Developer CLI from the credential. Defaults to False. |
exclude_cli_credential
|
Whether to exclude the Azure CLI from the credential. Defaults to False. |
exclude_environment_credential
|
Whether to exclude a service principal configured by environment variables from the credential. Defaults to False. |
exclude_powershell_credential
|
Whether to exclude Azure PowerShell. Defaults to False. |
exclude_visual_studio_code_credential
|
Whether to exclude stored credential from VS Code. Defaults to True. |
exclude_managed_identity_credential
|
Whether to exclude managed identity from the credential. Defaults to False. |
exclude_shared_token_cache_credential
|
Whether to exclude the shared token cache. Defaults to False. |
managed_identity_client_id
|
The client ID of a user-assigned managed identity. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, a system-assigned identity will be used. |
workload_identity_client_id
|
The client ID of an identity assigned to the pod. Defaults to the value of the environment variable AZURE_CLIENT_ID, if any. If not specified, the pod's default identity will be used. |
workload_identity_tenant_id
|
Preferred tenant for WorkloadIdentityCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. |
shared_cache_username
|
Preferred username for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_USERNAME, if any. |
shared_cache_tenant_id
|
Preferred tenant for SharedTokenCacheCredential. Defaults to the value of environment variable AZURE_TENANT_ID, if any. |
visual_studio_code_tenant_id
|
Tenant ID to use when authenticating with VisualStudioCodeCredential. Defaults to the "Azure: Tenant" setting in VS Code's user settings or, when that setting has no value, the "organizations" tenant, which supports only Azure Active Directory work or school accounts. |
process_timeout
|
The timeout in seconds to use for developer credentials that run subprocesses (e.g. AzureCliCredential, AzurePowerShellCredential). Defaults to 10 seconds. |
Examples
Create a DefaultAzureCredential.
from azure.identity.aio import DefaultAzureCredential
credential = DefaultAzureCredential()
Methods
close |
Close the transport sessions of all credentials in the chain. |
get_token |
Asynchronously request an access token for scopes. This method is called automatically by Azure SDK clients. |
get_token_info |
Asynchronously request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
close
Close the transport sessions of all credentials in the chain.
async close() -> None
get_token
Asynchronously request an access token for scopes.
This method is called automatically by Azure SDK clients.
async get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://zcusa.951200.xyz/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
tenant_id
|
optional tenant to include in the token request. |
Returns
Type | Description |
---|---|
An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
authentication failed. The exception has a message attribute listing each authentication attempt and its error message. |
get_token_info
Asynchronously request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
async get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://zcusa.951200.xyz/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
options
|
A dictionary of options for the token request. Unknown options will be ignored. Optional. |
Returns
Type | Description |
---|---|
<xref:AccessTokenInfo>
|
An AccessTokenInfo instance containing information about the token. |
Exceptions
Type | Description |
---|---|
authentication failed. The exception has a message attribute listing each authentication attempt and its error message. |