Azure Identity 101 - DefaultAzureCredential

Azure Identity is a library that simplifies how applications authenticate with Azure services.
The following code creates a Key Vault `SecretClient` and passes it a `DefaultAzureCredential`, which handles all of the OAuth token acquisition for you:
```csharp
var client = new SecretClient(vaultUri, new DefaultAzureCredential());
```
```java
public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}
```
```python
cred = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=cred)
```
```typescript
const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);
```
Under the covers, `DefaultAzureCredential` walks a chain of token providers in a fixed order: environment variables (a Service Principal) first, then Managed Identity, then the Azure dev tools such as the Azure CLI, Azure PowerShell, VS Code, Visual Studio, and IntelliJ. A provider that has nothing to work with (no environment variables, no identity endpoint, no dev-tool login) is skipped and the chain moves on; the first provider that returns a token wins. This is what lets the same code run on your laptop and, once deployed to production, against [Managed Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview) or a [Service Principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals) without any code changes.
> You can find all language packages, docs, and samples here: [https://azure.com/sdk](https://azure.com/sdk)
## 1. Installation
Install the Azure Identity package
```bash
dotnet add package Azure.Identity
```
```xml
<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.3.6</version>
</dependency>
```
```bash
pip install azure-identity
```
```bash
npm install --save @azure/identity
```
## 2. Code
Use DefaultAzureCredential in your app
```csharp
var client = new SecretClient(vaultUri, new DefaultAzureCredential());
```
```java
public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();
    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}
```
```python
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient
cred = DefaultAzureCredential()
client = SecretClient(vault_url=vault_url, credential=cred)
```
```typescript
import { DefaultAzureCredential } from "@azure/identity";
import { SecretClient } from "@azure/keyvault-secrets";
const credential = new DefaultAzureCredential();
const client = new SecretClient(vaultUrl, credential);
```
## 3. Roles
Next, grant your account the roles it needs for the service you are calling. `DefaultAzureCredential` only proves who the caller is; Azure RBAC decides what that caller may do, so without a role assignment every call is rejected.
For example, to let an account read Key Vault secrets:
1. Get the Role ID
- Go to: [Azure built-in roles](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)
- Find the “Key Vault Secrets User” role ID: `4633458b-17de-408a-b874-0445c86b69e6`
2. Get your Azure account ID
- Use the Azure CLI to find the object ID of the signed-in user:
```bash
az ad signed-in-user show --query 'objectId' -o tsv
```
(On Azure CLI 2.37 and later, which reads from Microsoft Graph, the property is called `id` rather than `objectId`.)
In my case it is: `6afb624e-739f-4bf3-b5f8-e11cab190039`
3. Assign your account the role
- Use the Azure CLI to create the role assignment, scoped to the one vault you need rather than to the whole subscription:
```bash
az role assignment create \
  --assignee 6afb624e-739f-4bf3-b5f8-e11cab190039 \
  --role 4633458b-17de-408a-b874-0445c86b69e6 \
  --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>
```
Replace the `<...>` placeholders with your own values. Without `--scope`, older CLI versions silently assign the role at subscription scope (every vault you have), and current versions require the argument. Note also that the Key Vault data-plane roles only take effect if the vault uses the Azure RBAC permission model; a vault still on access policies ignores them.
See this post: How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer to learn how to find and assign roles to your accounts. Here are the official docs with all the “Assign role” info you’ll need: Steps to assign an Azure role.
You’ll likely want to switch over to assigning roles via an Infrastructure as Code method (Bicep, ARM, Terraform, etc.), but this CLI approach will get you started.
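The three steps above, as an added example (my own illustration, not code from the post or from the Azure CLI docs): a small Python helper that builds the vault-scoped `az role assignment create` command and audits `az role assignment list` output for the same role granted higher up the resource tree. The subscription id, resource group, vault name and the JSON sample are constructed values, and `key_vault_scope`, `role_assignment_command` and `overbroad_assignments` are names I chose. It goes a little beyond step 3: it pins the assignee by object id and principal type for any kind of principal, and it adds a check for inherited, over-broad grants that the CLI steps alone do not show.

```python
"""Least-privilege role assignment for Key Vault (added illustration, not code
from the original post). The subscription id, resource group, vault name and
the `az role assignment list` JSON below are constructed sample values."""
import json
import re
from typing import Iterable, List

# "Key Vault Secrets User" built-in role definition id (from the post).
KEY_VAULT_SECRETS_USER = "4633458b-17de-408a-b874-0445c86b69e6"

_GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)


def key_vault_scope(subscription_id: str, resource_group: str, vault_name: str) -> str:
    """Resource id of one vault: the narrowest scope a secrets role can be granted at."""
    if not _GUID.match(subscription_id):
        raise ValueError("subscription id must be a GUID")
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.KeyVault/vaults/{vault_name}")


def role_assignment_command(assignee_object_id: str, scope: str, principal_type: str = "User",
                            role_id: str = KEY_VAULT_SECRETS_USER) -> List[str]:
    """argv for `az role assignment create`, pinned to an object id and principal type
    so the CLI never has to resolve a display name or UPN on its own."""
    if not _GUID.match(assignee_object_id):
        raise ValueError("assignee must be an object id (GUID), not a name or UPN")
    if principal_type not in ("User", "Group", "ServicePrincipal", "ForeignGroup"):
        raise ValueError("unknown principal type")
    return ["az", "role", "assignment", "create",
            "--assignee-object-id", assignee_object_id,
            "--assignee-principal-type", principal_type,
            "--role", role_id,
            "--scope", scope]


def overbroad_assignments(assignments: Iterable[dict], vault_scope: str,
                          role_id: str = KEY_VAULT_SECRETS_USER) -> List[dict]:
    """From `az role assignment list --all -o json` output, return assignments of
    `role_id` made at an ancestor of the vault (resource group or subscription):
    those are inherited by every vault underneath, not just the one you meant."""
    vault = vault_scope.rstrip("/").lower()
    hits = []
    for a in assignments:
        if not a.get("roleDefinitionId", "").lower().endswith(role_id.lower()):
            continue
        scope = a.get("scope", "").rstrip("/").lower()
        if scope != vault and vault.startswith(scope + "/"):
            hits.append(a)
    return hits


# Constructed sample of `az role assignment list --all -o json`: the same role for
# the same user, once at subscription scope and once on the vault itself.
SUB = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.loads(f"""[
  {{"principalId": "6afb624e-739f-4bf3-b5f8-e11cab190039", "principalType": "User",
    "roleDefinitionId": "/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{KEY_VAULT_SECRETS_USER}",
    "scope": "/subscriptions/{SUB}"}},
  {{"principalId": "6afb624e-739f-4bf3-b5f8-e11cab190039", "principalType": "User",
    "roleDefinitionId": "/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{KEY_VAULT_SECRETS_USER}",
    "scope": "/subscriptions/{SUB}/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"}}
]""")


if __name__ == "__main__":
    scope = key_vault_scope(SUB, "rg-demo", "kv-demo")
    print(" ".join(role_assignment_command("6afb624e-739f-4bf3-b5f8-e11cab190039", scope)))
    for a in overbroad_assignments(SAMPLE_ASSIGNMENTS, scope):
        print("over-broad grant, consider removing:", a["scope"])
```

Run it against real output by piping `az role assignment list --all -o json` into `json.load` and passing the list to `overbroad_assignments` with the scope of the vault you care about; anything it returns is a grant you probably did not intend to be that wide.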
## 4. Dev Environment Setup
Sign in to your favorite dev tool and DefaultAzureCredential will pick that login up:

| Dev tool | Login command |
| --- | --- |
| Azure CLI | `az login` |
| Azure PowerShell | `Connect-AzAccount` |
| VS Code | `Azure: Sign in` |
| Visual Studio | Tools > Options > Azure Service Authentication |
| IntelliJ | Tools > Azure > Azure Sign In... |

### Browser Credential
If you don’t sign in to any dev tool, `DefaultAzureCredential` can fall back to an interactive browser login, but only if you opt in: the C# constructor takes a boolean for this (`new DefaultAzureCredential(includeInteractiveCredentials: true)`), and in Python the equivalent is `DefaultAzureCredential(exclude_interactive_browser_credential=False)`. Keep it off in anything that runs unattended; a service should never try to pop a browser.
## 5. Production Setup
You have three options for configuring Azure Identity in a production environment in Azure, listed in order of preference. Whichever you pick, the Managed Identity, certificate, or Service Principal account needs the same kind of role assignment as in step 3; the credential only proves identity, it does not grant access.
### Managed Identity
If you configure your Azure host (VM, App Service, Function) to use a Managed Identity, DefaultAzureCredential will use it. There is no secret for you to store, ship, or rotate, which is why this is the first choice. You can read more about Managed Identities here: Azure AD-managed identities for Azure resources documentation
You can use either a System-Assigned or User-Assigned Managed Identity. For a User-Assigned Managed Identity you have to tell the credential which one to use by passing its client ID through `DefaultAzureCredentialOptions` (`ManagedIdentityClientId` in C#, `managed_identity_client_id` in Python) or by setting `AZURE_CLIENT_ID` on the host; a host with several user-assigned identities and no system-assigned one cannot pick for you, and the token request fails.
You can learn more about System vs User Assigned Managed Identities here: What are managed identities for Azure resources?
### Certificate
If your Azure host doesn’t support Managed Identities, then your next best option is an X.509 certificate. Copy the certificate (with its private key) to the host, restrict its file permissions to the account your app runs as, and populate the following environment variables:
- `AZURE_TENANT_ID`
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_CERTIFICATE_PATH` - The path to the certificate.
You can learn more about authenticating with certificates here:
- Using the ClientCertificateCredential
- Authenticating a service principal with a client certificate
### Service Principal
If your Azure host doesn’t support Managed Identities and you can’t use certificates, then the final option is a Service Principal with a client secret. Set the following environment variables:
- `AZURE_TENANT_ID`
- `AZURE_CLIENT_ID`
- `AZURE_CLIENT_SECRET`
The client secret is a long-lived password for your application: inject it from a secret store at deploy time rather than baking it into an image or source control, and plan to rotate it. These three variables are also exactly what `DefaultAzureCredential` checks first, so a stale secret left in the environment stops the chain with an authentication failure instead of falling through to Managed Identity.
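The chain walk described at the top of the post and the three production configurations above, as an added example (my own illustration, not code from the post and not the azure-identity library): the classes below are stand-ins that read a constructed environment dictionary and a flag standing in for the host's Managed Identity endpoint, and `valid_secrets`, `endpoint_present`, `resolve` and the rest are names invented for the model. What it shows is the chain behaviour a practitioner trips over: an incomplete set of `AZURE_*` variables is skipped, a complete set with a rejected secret stops the chain before Managed Identity is ever tried, and a user-assigned identity only works once its client ID is supplied.

```python
"""Model of the DefaultAzureCredential chain (added illustration; stand-in
classes, not the azure-identity library). The environment is a plain dict and
Azure AD / the identity endpoint are simulated with constructor arguments."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol, Tuple


class CredentialUnavailable(Exception):
    """Nothing to try with (missing env vars, no endpoint, no login): skip it."""


class AuthenticationFailed(Exception):
    """Tried and was rejected: surface it, do not mask it by falling through."""


@dataclass
class Token:
    source: str     # which credential produced the token
    principal: str  # who the token is for


class TokenCredential(Protocol):
    def get_token(self) -> Token: ...


@dataclass
class EnvironmentCredential:
    """Service principal from AZURE_TENANT_ID + AZURE_CLIENT_ID + a secret or a cert path."""
    env: Dict[str, str]
    valid_secrets: Dict[str, str] = field(default_factory=dict)  # client id -> secret AAD accepts (simulated)

    def get_token(self) -> Token:
        tenant = self.env.get("AZURE_TENANT_ID")
        client = self.env.get("AZURE_CLIENT_ID")
        secret = self.env.get("AZURE_CLIENT_SECRET")
        cert = self.env.get("AZURE_CLIENT_CERTIFICATE_PATH")
        if not (tenant and client and (secret or cert)):
            raise CredentialUnavailable("EnvironmentCredential: AZURE_* variables incomplete")
        if cert:  # certificate auth is simulated as always accepted
            return Token("EnvironmentCredential(certificate)", client)
        if self.valid_secrets.get(client) != secret:
            raise AuthenticationFailed("EnvironmentCredential: client secret rejected")
        return Token("EnvironmentCredential(secret)", client)


@dataclass
class ManagedIdentityCredential:
    """Stand-in for the host's identity endpoint (IMDS / App Service)."""
    endpoint_present: bool
    user_assigned_ids: Tuple[str, ...] = ()
    client_id: Optional[str] = None  # ManagedIdentityClientId option / AZURE_CLIENT_ID

    def get_token(self) -> Token:
        if not self.endpoint_present:
            raise CredentialUnavailable("ManagedIdentityCredential: no identity endpoint on this host")
        if self.client_id is None:
            return Token("ManagedIdentity(system-assigned)", "system-assigned")
        if self.client_id not in self.user_assigned_ids:
            raise AuthenticationFailed(f"ManagedIdentity: identity {self.client_id} not assigned to host")
        return Token("ManagedIdentity(user-assigned)", self.client_id)


@dataclass
class AzureCliCredential:
    """Stand-in for `az login` state (the other dev tools behave the same way)."""
    signed_in_as: Optional[str] = None

    def get_token(self) -> Token:
        if not self.signed_in_as:
            raise CredentialUnavailable("AzureCliCredential: run `az login` first")
        return Token("AzureCliCredential", self.signed_in_as)


def get_token_from_chain(chain: List[TokenCredential]) -> Token:
    """ChainedTokenCredential rule: skip unavailable, stop on a real failure."""
    skipped: List[str] = []
    for cred in chain:
        try:
            return cred.get_token()
        except CredentialUnavailable as e:
            skipped.append(str(e))
    raise AuthenticationFailed("no credential could authenticate: " + "; ".join(skipped))


def resolve(env: Dict[str, str], mi_endpoint: bool = False, mi_user_ids: Tuple[str, ...] = (),
            mi_client_id: Optional[str] = None, cli_user: Optional[str] = None,
            valid_secrets: Optional[Dict[str, str]] = None, include_dev_tools: bool = True) -> Token:
    """DefaultAzureCredential order: environment, managed identity, then dev tools."""
    chain: List[TokenCredential] = [
        EnvironmentCredential(env, valid_secrets or {}),
        ManagedIdentityCredential(mi_endpoint, mi_user_ids, mi_client_id),
    ]
    if include_dev_tools:
        chain.append(AzureCliCredential(cli_user))
    return get_token_from_chain(chain)


if __name__ == "__main__":
    print(resolve({}, cli_user="dev@contoso.com"))  # laptop: falls through to az login
    print(resolve({}, mi_endpoint=True))             # VM / App Service: system-assigned MI
    sp = {"AZURE_TENANT_ID": "t", "AZURE_CLIENT_ID": "app", "AZURE_CLIENT_SECRET": "old"}
    try:
        resolve(sp, mi_endpoint=True, valid_secrets={"app": "new"})  # stale secret: stops, no MI fallback
    except AuthenticationFailed as e:
        print("stopped:", e)
```

The distinction between the two exception types is the whole point: the real library treats "I could not even try" and "I tried and was rejected" differently, so a leftover `AZURE_CLIENT_SECRET` on a host that also has a Managed Identity produces an authentication error rather than a silent fallback. When you debug a production failure, check the environment variables before you check the identity assignment.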
## Azure Identity Series
This post is part of the Azure Identity blog post series:
- Azure Identity 101 - DefaultAzureCredential
- Azure Identity 201 - DefaultAzureCredential Options
- Azure Identity 202 - Environment Variables
- Azure Identity 301 - ChainedTokenCredential