Azure Identity 101 - DefaultAzureCredential


Azure Identity is a library that simplifies how applications authenticate with Azure services.

The following code creates a Key Vault SecretClient and passes it a DefaultAzureCredential object, which handles all of the OAuth complexities.

var client = new SecretClient(vaultUri, new DefaultAzureCredential());

Under the covers, DefaultAzureCredential will attempt to get a token from a number of token providers including Azure dev tools, such as the Azure CLI, Azure PowerShell, VS Code, Visual Studio, and IntelliJ. When deployed to production it also supports Managed Identity and Service Principal authentication without any code changes.

Here’s how to get it all set up for .NET - see https://azure.com/sdk for other languages.

1. Installation

Install the Azure Identity package

dotnet add package Azure.Identity

You can find all language packages, docs, and samples here: https://azure.com/sdk

2. Code

Use DefaultAzureCredential in your app

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// vaultUri is the Uri of your Key Vault, e.g. https://<your-vault-name>.vault.azure.net/
var client = new SecretClient(vaultUri, new DefaultAzureCredential());

3. Roles

Configure your account with the appropriate roles for the service you need to call. This explicitly tells Azure to allow your account to execute operations against Azure services.

For example, here is how to give your account permission to read Key Vault secrets.

  1. Get the Role ID
  • Go to: Azure built-in roles
  • Find the “Key Vault Secrets User” role ID: 4633458b-17de-408a-b874-0445c86b69e6

"Key Vault Secrets User Role"

  2. Get your Azure account ID
  • Use the Azure CLI to find your Azure account ID:
az ad signed-in-user show --query 'objectId' -o tsv

In my case it is: 6afb624e-739f-4bf3-b5f8-e11cab190039

  3. Assign your account the role
  • Use the Azure CLI to create the role assignment
az role assignment create --assignee 6afb624e-739f-4bf3-b5f8-e11cab190039 --role 4633458b-17de-408a-b874-0445c86b69e6

See this post: https://blog.jongallant.com/2020/05/azure-roles/ to learn how to find and assign roles to your accounts. Here are the official docs with all the “Assign role” info you’ll need: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-steps

You’ll likely want to switch over to assigning roles via an Infrastructure as Code method (Bicep, ARM, Terraform, etc.), but this CLI approach will get you started.

4. Dev Environment Setup

Log in to your favorite dev tool - DefaultAzureCredential will use it!

Dev tool                     Login command
Azure CLI                    az login
Azure PowerShell             Connect-AzAccount
VS Code - Azure Extension    Azure: Sign in
Visual Studio                Tools > Options > Azure Service Authentication
IntelliJ - Azure Toolkit     Tools > Azure > Azure Sign In...
Browser Credential           If you don’t sign into any dev tool, then DefaultAzureCredential(true) will authenticate via the browser. Note that you need to pass true to the constructor to enable this.

5. Production Setup

You have three options for configuring Azure Identity in a production environment in Azure.

Note that you’ll also need to assign the appropriate role for the Managed Identity, Certificate, or Service Principal account.

  1. Managed Identity

If you configure your Azure host (VM, AppService, Function) to use Managed Identities - DefaultAzureCredential will use it! You can read more about Managed Identities here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/

You can use either a System-Assigned or User-Assigned Managed Identity. To use a User-Assigned Managed Identity, provide its client id via DefaultAzureCredentialOptions. You can learn more about System vs User Assigned Managed Identities here: What are managed identities for Azure resources?

  2. Certificate

If your Azure host doesn’t support Managed Identities, then your next best option is to use an X.509 certificate. You’ll need to copy the certificate to the host and then populate the following environment variables:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_CERTIFICATE_PATH - The path to the certificate.

You can learn more about authenticating with certificates here: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/ClientCertificateCredentialSamples.md

  3. Service Principal

If your Azure host doesn’t support Managed Identities and you can’t use certificates, then the final recommendation is to use a Service Principal. You can do so by setting the following environment variables:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
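Here is an added example (not code from the original post or from the Azure SDK itself) that ties the production options above together: a user-assigned Managed Identity is pinned through DefaultAzureCredentialOptions, the certificate and Service Principal environment variables are picked up by the same credential without code changes, and the two failure modes a practitioner hits most (no credential available vs. missing role assignment) are told apart. The vault name, secret name, and the AZURE_MI_CLIENT_ID variable are placeholders I chose for the example.

```csharp
// Added example, not from the original post. Placeholders: <your-vault-name>,
// <your-secret-name>, and the AZURE_MI_CLIENT_ID environment variable (hypothetical
// name chosen for this example; leave it unset to use a system-assigned identity).
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var vaultUri = new Uri("https://<your-vault-name>.vault.azure.net/");

var options = new DefaultAzureCredentialOptions
{
    // Production: pin the user-assigned managed identity. null means system-assigned.
    ManagedIdentityClientId = Environment.GetEnvironmentVariable("AZURE_MI_CLIENT_ID"),

    // Keep the interactive browser disabled (the default). A server process must
    // never block waiting for a sign-in; set this to false only on a dev box.
    ExcludeInteractiveBrowserCredential = true,
};

// The chain tries EnvironmentCredential first (AZURE_TENANT_ID + AZURE_CLIENT_ID with
// AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH), then ManagedIdentityCredential,
// then the dev tools listed in step 4. Nothing here changes between dev and prod.
var credential = new DefaultAzureCredential(options);
var client = new SecretClient(vaultUri, credential);

try
{
    KeyVaultSecret secret = client.GetSecret("<your-secret-name>");
    // Log the name and version, never secret.Value.
    Console.WriteLine($"Fetched '{secret.Name}' version {secret.Properties.Version}");
}
catch (CredentialUnavailableException ex)
{
    // No credential in the chain could produce a token: no environment variables,
    // no managed identity endpoint on this host, and no dev tool login.
    Console.Error.WriteLine($"No usable credential: {ex.Message}");
}
catch (RequestFailedException ex) when (ex.Status == 403)
{
    // A token was issued, but the role assignment from step 3 (Key Vault Secrets User)
    // is missing for this identity or has not propagated yet.
    Console.Error.WriteLine("Authenticated but not authorized: check the role assignment.");
}
```

Run it once with no env vars and no dev tool login to see the CredentialUnavailableException path, then again after `az login` to confirm the same binary works unchanged.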

More information

This post just scratched the surface on Azure Identity. There’s a lot more to learn, like how to configure each of the clients, how to create your own chain of credential types, and much more. Head on over to https://azure.com/sdk, select your language, find the Identity package, and explore the docs.

Reach out to me or comment below with any questions.

Head on over to part 2 of this Azure Identity series, Azure Identity 201, to learn more about all the ways you can customize DefaultAzureCredential.

Jon