azure-identity-py

Azure Identity SDK for Python authentication. Use for DefaultAzureCredential, managed identity, service principals, and token caching.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "azure-identity-py" with this command: npx skills add sickn33/antigravity-awesome-skills/sickn33-antigravity-awesome-skills-azure-identity-py

Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

Installation

pip install azure-identity

Environment Variables

# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>

DefaultAzureCredential

The recommended credential for most scenarios. Tries multiple authentication methods in order:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()

client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)

Credential Chain Order

OrderCredentialEnvironment
1EnvironmentCredentialCI/CD, containers
2WorkloadIdentityCredentialKubernetes
3ManagedIdentityCredentialAzure VMs, App Service, Functions
4SharedTokenCacheCredentialWindows only
5VisualStudioCodeCredentialVS Code with Azure extension
6AzureCliCredentialaz login
7AzurePowerShellCredentialConnect-AzAccount
8AzureDeveloperCliCredentialazd auth login

Customizing DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)

Specific Credential Types

ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)

ClientSecretCredential

For service principal with secret:

from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)

AzureCliCredential

Uses the account from az login:

from azure.identity import AzureCliCredential

credential = AzureCliCredential()

ChainedTokenCredential

Custom credential chain:

from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)

Credential Types Table

CredentialUse CaseAuth Method
DefaultAzureCredentialMost scenariosAuto-detect
ManagedIdentityCredentialAzure-hosted appsManaged Identity
ClientSecretCredentialService principalClient secret
ClientCertificateCredentialService principalCertificate
AzureCliCredentialLocal developmentAzure CLI
AzureDeveloperCliCredentialLocal developmentAzure Developer CLI
InteractiveBrowserCredentialUser sign-inBrowser OAuth
DeviceCodeCredentialHeadless/SSHDevice code flow

Getting Tokens Directly

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

Async Client

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient

async def main():
    credential = DefaultAzureCredential()
    
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    
    await credential.close()

Best Practices

  1. Use DefaultAzureCredential for code that runs locally and in Azure
  2. Never hardcode credentials — use environment variables or managed identity
  3. Prefer managed identity in production Azure deployments
  4. Use ChainedTokenCredential when you need a custom credential order
  5. Close async credentials explicitly or use context managers
  6. Set AZURE_CLIENT_ID for user-assigned managed identities
  7. Exclude unused credentials to speed up authentication

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

clean-code

No summary provided by upstream source.

Repository SourceNeeds Review
3.4K-sickn33
Coding

typescript-expert

No summary provided by upstream source.

Repository SourceNeeds Review
2.5K-sickn33
Coding

bun-development

No summary provided by upstream source.

Repository SourceNeeds Review
1.3K-sickn33
Coding

game-development

No summary provided by upstream source.

Repository SourceNeeds Review
1.2K-sickn33