Azure Identity 101 - DefaultAzureCredential

"Azure Identity 101"

Azure Identity is a library that simplifies how applications authenticate with Azure services.

The following code news up a KeyVault SecretClient and passes it a DefaultAzureCredential object, which handles all of the OAuth complexities.

var client = new SecretClient(vaultUri, new DefaultAzureCredential());
public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();

    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}
cred = DefaultAzureCredential()

client = SecretClient(vault_url=vault_url, credential=cred)

const credential = new DefaultAzureCredential();

const client = new SecretClient(vaultUrl, credential);

Under the covers, DefaultAzureCredential will attempt to get a token from a number of token providers including Azure dev tools, such as the Azure CLI, Azure PowerShell, VS Code, Visual Studio, and IntelliJ. When deployed to production it also supports Managed Identity and Service Principal authentication without any code changes.

You can find all language packages, docs, and samples here: https://azure.com/sdk

1. Installation

Install the Azure Identity package

dotnet add package Azure.Identity
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.3.6</version>
</dependency>
pip install azure-identity
npm install --save @azure/identity

2. Code

Use DefaultAzureCredential in your app

var client = new SecretClient(vaultUri, new DefaultAzureCredential());
public void createDefaultAzureCredential() {
    DefaultAzureCredential defaultCredential = new DefaultAzureCredentialBuilder().build();

    SecretClient client = new SecretClientBuilder()
        .vaultUrl(vaultUri)
        .credential(defaultCredential)
        .buildClient();
}
cred = DefaultAzureCredential()

client = SecretClient(vault_url=vault_url, credential=cred)

const credential = new DefaultAzureCredential();

const client = new SecretClient(vaultUrl, credential);

3. Roles

Configure your account with the appropriate roles for the service you need to call. This explicitly tells Azure to allow your account to execute operations against Azure services.

For example, do the following when you need to give an account permissions to read Key Vault secrets:

  1. Get the Role ID
  • Go to: Azure built-in roles
  • Find the “Key Vault Secrets User” role ID: 4633458b-17de-408a-b874-0445c86b69e6

"Key Vault Secrets User Role"

  1. Get your Azure account ID
  • Use the Azure CLI to find your Azure account ID:
az ad signed-in-user show --query 'objectId' -o tsv

In my case it is: 6afb624e-739f-4bf3-b5f8-e11cab190039

  1. Assign your account the role
  • Use the Azure CLI to create the role assignment
az role assignment create --assignee 6afb624e-739f-4bf3-b5f8-e11cab190039 --role 4633458b-17de-408a-b874-0445c86b69e6

See this post: How to find all the Azure Built-In Roles for Azure RBAC with Azure CLI, PowerShell, Docs, or AzAdvertizer to learn how to find and assign roles to your accounts. Here are the official docs with all the “Assign role” info you’ll need: Steps to assign an Azure role

You’ll likely want to switch over to assigning roles via or Infrastructure as Code method (Bicep, ARM, Terraform, etc), but this CLI approach will get your started.

4. Dev Environment Setup

Login to your favorite dev tool - DefaultAzureCredential will use it!

Dev tool Login command
Azure CLI az login
Azure PowerShell Connect-AzAccount
VS Code - Azure Extension Azure: Sign in
Visual Studio Tools > Options > Azure Service Authentication
IntelliJ - Azure Toolkit Tools > Azure > Azure Sign In...
Browser Credential If you don’t sign into any dev tool, then DefaultAzureCredential(true) will authenticate via the browser. Note that you need to pass true to the constructor to enable this.

5. Production Setup

You have three options for configuring Azure Identity in a production environment in Azure.

Note that you’ll also need to assign the appropriate role for the Managed Identity, Certificate, or Service Principal account.

  1. Managed Identity

If you configure your Azure host (VM, AppService, Function) to use Managed Identities - DefaultAzureCredential will use it! You can read more about Managed Identities here: Azure AD-managed identities for Azure resources documentation

You can use either a System-Assigned or User-Assigned Managed Identity. To use a User-Assigned Managed Identity, then you’ll want to provide that client id via the DefaultAzureCredentialOptions.

You can learn more about System vs User Assigned Managed Identities here: What are managed identities for Azure resources?

  1. Certificate

If your Azure host doesn’t support Managed Identities, then your next best option is to use an X509 certificate. You’ll need to copy the certificate to the host and then populate the following environment variables:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_CERTIFICATE_PATH - The path to the certificate.

You can learn more about authenticating with certificates here:

  1. Service Principal

If your Azure host doesn’t support Managed Identities and you can’t use certificates, then the final recommendation is to use a Service Principal. You can do so by setting the following environment variables:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET

Azure Identity Series

This post is part of the Azure Identity blog post series:

Azure Identity 101 - DefaultAzureCredential
Azure Identity 201 - DefaultAzureCredential Options
Azure Identity 202 - Environment Variables
Azure Identity 301 - ChainedTokenCredential