Azure Identity is a library that simplifies how applications authenticate with Azure services.
The following code creates a Key Vault SecretClient and passes it a DefaultAzureCredential object, which takes care of acquiring and refreshing the OAuth token for you. The same two steps in C#, Java, Python, and JavaScript:
C#:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(vaultUri, new DefaultAzureCredential());

Java:
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}

Python:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

cred = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=cred)

JavaScript:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);
Under the covers, DefaultAzureCredential walks a chain of token providers and uses the first one that can produce a token. The production mechanisms come first: environment variables (a Service Principal with a secret or a certificate) and then Managed Identity. After those come the Azure dev tools, such as the Azure CLI, Azure PowerShell, VS Code, Visual Studio, and IntelliJ. That ordering is why the same code works when deployed to production with Managed Identity or Service Principal authentication and no code changes. Two details of the chain matter in practice: a provider that has nothing to try (no environment variables, no managed identity endpoint, no dev tool signed in) is skipped, but a provider that does try and is rejected stops the chain instead of falling through to the next one; and because the environment variables are checked first, a stale AZURE_CLIENT_SECRET left on a host is used ahead of that host's Managed Identity.
You can find all language packages, docs, and samples here: https://azure.com/sdk
1. Installation
Install the Azure Identity package for your language:

.NET:
dotnet add package Azure.Identity

Java (Maven):
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.3.6</version>
</dependency>

Python:
pip install azure-identity

Node.js:
npm install --save @azure/identity
2. Code
Use DefaultAzureCredential in your app (the same snippets shown above):

C#:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var client = new SecretClient(vaultUri, new DefaultAzureCredential());

Java:
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}

Python:
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

cred = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=cred)

JavaScript:
const { DefaultAzureCredential } = require("@azure/identity");
const { SecretClient } = require("@azure/keyvault-secrets");

const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);
3. Roles
Grant your account the role it needs for the service you are calling. Azure RBAC is deny-by-default: a perfectly valid token still gets a 403 from the data plane until a role assignment explicitly allows the operation.
For example, do the following when you need to give an account permission to read Key Vault secrets:
- Get the Role ID
- Go to: Azure built-in roles
- Find the “Key Vault Secrets User” role ID (this data-plane role only takes effect on vaults that use the Azure RBAC permission model; a vault still on access policies ignores role assignments):
4633458b-17de-408a-b874-0445c86b69e6
- Get your Azure account ID
- Use the Azure CLI to find the object ID of your signed-in account. Older Azure CLI releases expose it as objectId; from Azure CLI 2.37 onward (the Microsoft Graph migration) the property is id:
az ad signed-in-user show --query 'objectId' -o tsv   # Azure CLI before 2.37
az ad signed-in-user show --query 'id' -o tsv         # Azure CLI 2.37 and later
In my case it is: 6afb624e-739f-4bf3-b5f8-e11cab190039
- Assign your account the role
- Use the Azure CLI to create the role assignment. Scope matters for least privilege: without --scope, older CLI releases assign the role at subscription scope, which grants secret access to every RBAC-enabled vault in the subscription, and newer releases refuse to run without --scope. Scope the assignment to the one vault the app needs (placeholders in angle brackets are yours to fill in):
az role assignment create --assignee 6afb624e-739f-4bf3-b5f8-e11cab190039 --role 4633458b-17de-408a-b874-0445c86b69e6 --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
See this post: How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer to learn how to find and assign roles to your accounts. Here are the official docs with all the “Assign role” info you’ll need: Steps to assign an Azure role
You’ll likely want to switch over to assigning roles via an Infrastructure as Code method (Bicep, ARM, Terraform, etc.) so that the assignment and its scope are reviewed and versioned, but this CLI approach will get you started.
4. Dev Environment Setup
Login to your favorite dev tool - DefaultAzureCredential
will use it!
Dev tool | Login command |
---|---|
Azure CLI | az login |
Azure PowerShell | Connect-AzAccount |
VS Code - Azure Extension | Azure: Sign in |
Visual Studio | Tools > Options > Azure Service Authentication |
IntelliJ - Azure Toolkit | Tools > Azure > Azure Sign In... |
Browser Credential | If you don’t sign into any dev tool, DefaultAzureCredential can fall back to signing in through the browser, but only when you opt in: in .NET pass true to the constructor (the includeInteractiveCredentials parameter), in Python pass exclude_interactive_browser_credential=False. Leave it off in anything that runs unattended. |
5. Production Setup
You have three options for configuring Azure Identity in a production environment in Azure.
Note that you’ll also need to assign the appropriate role for the Managed Identity, Certificate, or Service Principal account.
- Managed Identity
If you configure your Azure host (VM, App Service, Function) to use Managed Identities, DefaultAzureCredential will use it! No secret ever touches your code or your host, which is why this is the first choice. You can read more about Managed Identities here: Azure AD-managed identities for Azure resources documentation
You can use either a System-Assigned or User-Assigned Managed Identity. To use a User-Assigned Managed Identity, provide its client ID via the DefaultAzureCredentialOptions (ManagedIdentityClientId in .NET, managed_identity_client_id in Python) or by setting only the AZURE_CLIENT_ID environment variable. A host with more than one user-assigned identity attached needs the client ID to pick one. Do not set AZURE_TENANT_ID and AZURE_CLIENT_SECRET alongside it, or the environment variables will be used instead of the Managed Identity.
You can learn more about System vs User Assigned Managed Identities here: What are managed identities for Azure resources?
- Certificate
If your Azure host doesn’t support Managed Identities, then your next best option is to use an X.509 certificate. You’ll need to place the certificate (with its private key) on the host, restrict the file’s permissions to the account the app runs as, and populate the following environment variables:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_CERTIFICATE_PATH (the path to the certificate file)
You can learn more about authenticating with certificates here:
- Service Principal
If your Azure host doesn’t support Managed Identities and you can’t use certificates, then the final recommendation is to use a Service Principal with a client secret. You can do so by setting the following environment variables:
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
Inject the secret at deploy time from your secret store; never bake it into an image, a config file, or source control, and rotate it on a schedule. If both AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are set, the secret is the one that gets used.
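To make the chain behaviour described above (first provider that can authenticate wins; an unavailable provider is skipped; a rejected one stops the chain) and the production precedence of the AZURE_* variables concrete, here is a small runnable model of DefaultAzureCredential. It is an added example, not the azure-identity library or this post’s code: the provider order matches the library, but each provider’s detection logic is simplified, and the IDENTITY_ENDPOINT check, the MODEL_AZ_LOGIN/MODEL_AZ_USER flags, the "revoked-" secret prefix, and every GUID and URL in it are constructed for the demonstration.

```python
"""Runnable model of the provider chain behind DefaultAzureCredential.

Added example, not the azure-identity library: it reproduces the chain's control
flow (a provider with nothing to try is skipped, a provider that tried and was
rejected stops the chain) with constructed providers so it runs offline.
Provider order matches the library (environment -> managed identity -> dev
tools -> browser); the detection logic inside each provider is simplified.
"""
from typing import Callable, List, Mapping, Tuple

Provider = Callable[[Mapping[str, str]], str]   # returns a label for the identity used
Chain = List[Tuple[str, Provider]]


class CredentialUnavailable(Exception):
    """Provider lacks the material to attempt auth; the chain moves on."""


class AuthenticationFailed(Exception):
    """Provider attempted auth and was rejected; the chain stops here."""


class ChainFailed(Exception):
    def __init__(self, attempts: List[Tuple[str, str]]):
        super().__init__("no provider returned a token: " + "; ".join(f"{n} {r}" for n, r in attempts))
        self.attempts = attempts


def environment_provider(env: Mapping[str, str]) -> str:
    """Models EnvironmentCredential with the AZURE_* variables from the Production Setup section.
    The secret is checked before the certificate path, so if both are set the secret wins."""
    tenant, client = env.get("AZURE_TENANT_ID"), env.get("AZURE_CLIENT_ID")
    if not (tenant and client):
        raise CredentialUnavailable("AZURE_TENANT_ID/AZURE_CLIENT_ID not set")
    secret = env.get("AZURE_CLIENT_SECRET")
    if secret:
        if secret.startswith("revoked-"):   # constructed stand-in for an AADSTS rejection
            raise AuthenticationFailed("client secret rejected by the token endpoint")
        return f"service-principal:{client}:secret"
    if env.get("AZURE_CLIENT_CERTIFICATE_PATH"):
        return f"service-principal:{client}:certificate"
    raise CredentialUnavailable("neither AZURE_CLIENT_SECRET nor AZURE_CLIENT_CERTIFICATE_PATH set")


def managed_identity_provider(env: Mapping[str, str]) -> str:
    """Models ManagedIdentityCredential. Simplified: only the IDENTITY_ENDPOINT variable that
    App Service and Functions set is checked; the IMDS probe a VM performs is not modelled."""
    if not env.get("IDENTITY_ENDPOINT"):
        raise CredentialUnavailable("no managed identity endpoint on this host")
    # AZURE_CLIENT_ID alone selects a user-assigned identity; without it the system-assigned one is used.
    return "managed-identity:" + env.get("AZURE_CLIENT_ID", "system-assigned")


def azure_cli_provider(env: Mapping[str, str]) -> str:
    """Models AzureCliCredential. MODEL_AZ_LOGIN/MODEL_AZ_USER are constructed flags standing in
    for a completed `az login`; the real credential shells out to `az account get-access-token`."""
    if env.get("MODEL_AZ_LOGIN") != "1":
        raise CredentialUnavailable("Azure CLI is not logged in")
    return "azure-cli:" + env.get("MODEL_AZ_USER", "signed-in-user")


def interactive_browser_provider(env: Mapping[str, str]) -> str:
    """Models InteractiveBrowserCredential; a browser prompt cannot run here, so it just reports itself."""
    return "interactive-browser"


def get_token(chain: Chain, env: Mapping[str, str]) -> Tuple[str, List[Tuple[str, str]]]:
    """The chain's control flow: first provider to return wins; unavailable -> next; failed -> abort."""
    attempts: List[Tuple[str, str]] = []
    for name, provider in chain:
        try:
            return provider(env), attempts
        except CredentialUnavailable as exc:
            attempts.append((name, f"skipped ({exc})"))
        except AuthenticationFailed as exc:
            attempts.append((name, f"failed ({exc})"))
            raise ChainFailed(attempts) from exc
    raise ChainFailed(attempts)


def default_chain(include_interactive: bool = False) -> Chain:
    """Same shape as DefaultAzureCredential: browser sign-in only when explicitly enabled."""
    chain: Chain = [("environment", environment_provider),
                    ("managed_identity", managed_identity_provider),
                    ("azure_cli", azure_cli_provider)]
    if include_interactive:
        chain.append(("interactive_browser", interactive_browser_provider))
    return chain


def production_chain() -> Chain:
    """What a deployed host should run: no dev-tool or browser providers at all."""
    return default_chain()[:2]


def outcome(chain: Chain, env: Mapping[str, str]) -> str:
    """The identity the chain settled on, or a FAILED line listing what was tried."""
    try:
        return get_token(chain, env)[0]
    except ChainFailed as exc:
        return "FAILED: " + "; ".join(f"{n} {r}" for n, r in exc.attempts)


if __name__ == "__main__":
    # Constructed environments for the scenarios in this post.
    app_service = {"IDENTITY_ENDPOINT": "http://127.0.0.1:41234/msi/token"}
    stale_secret_host = {**app_service, "AZURE_TENANT_ID": "t", "AZURE_CLIENT_ID": "app", "AZURE_CLIENT_SECRET": "revoked-old"}
    laptop = {"MODEL_AZ_LOGIN": "1", "MODEL_AZ_USER": "dev@example.com"}
    for label, env in [("app_service", app_service), ("stale_secret_host", stale_secret_host), ("laptop", laptop)]:
        print(f"{label:18} default: {outcome(default_chain(), env)}")
        print(f"{label:18} prod:    {outcome(production_chain(), env)}")
```

Run it and compare the default and production chains: the laptop scenario works only on the default chain, the App Service scenario works on both, and the stale-secret host fails outright on both because the rejected secret aborts the chain before Managed Identity is ever tried. That last case is the one to watch for on real hosts: clear the AZURE_* variables when you move a workload to Managed Identity.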
Azure Identity Series
This post is part of the Azure Identity blog post series:
Azure Identity 101 - DefaultAzureCredential
Azure Identity 201 - DefaultAzureCredential Options
Azure Identity 202 - Environment Variables
Azure Identity 301 - ChainedTokenCredential