azure-identity-py
DevOps & Cloud
v0.1.0
BenignAzure Identity SDK for Python authentication.
11.7K downloads1.7K installsby @thegovind
Setup & Installation
Install command
clawhub install thegovind/azure-identity-pyIf the CLI is not installed:
Install command
npx clawhub@latest install thegovind/azure-identity-pyOr install with OpenClaw CLI:
Install command
openclaw skills install thegovind/azure-identity-pyor paste the repo link into your assistant's chat
Install command
https://github.com/openclaw/skills/tree/main/skills/thegovind/azure-identity-pyWhat This Skill Does
Python authentication library for Azure SDK clients, using Microsoft Entra ID (formerly Azure AD). Supports DefaultAzureCredential for automatic credential detection, plus specific credential types for managed identity, service principals, and CLI-based auth.
DefaultAzureCredential's ordered credential chain means one line of code works in local dev, containers, and Azure-hosted environments without any conditional logic.
When to Use It
- Authenticate to Azure Blob Storage without hardcoded credentials
- Run the same auth code locally with az login and in production with managed identity
- Authenticate a CI/CD pipeline to Azure using service principal environment variables
- Give an AKS pod access to Azure resources via workload identity
- Get short-lived access tokens for Azure Database for PostgreSQL
View original SKILL.md file
# Azure Identity SDK for Python
Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
## Installation
```bash
pip install azure-identity
```
## Environment Variables
```bash
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```
## DefaultAzureCredential
The recommended credential for most scenarios. Tries multiple authentication methods in order:
```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient
# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
account_url="https://<account>.blob.core.windows.net",
credential=credential
)
```
### Credential Chain Order
| Order | Credential | Environment |
|-------|-----------|-------------|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | `az login` |
| 7 | AzurePowerShellCredential | `Connect-AzAccount` |
| 8 | AzureDeveloperCliCredential | `azd auth login` |
### Customizing DefaultAzureCredential
```python
# Exclude credentials you don't need
credential = DefaultAzureCredential(
exclude_environment_credential=True,
exclude_shared_token_cache_credential=True,
managed_identity_client_id="<user-assigned-mi-client-id>" # For user-assigned MI
)
# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
exclude_interactive_browser_credential=False
)
```
## Specific Credential Types
### ManagedIdentityCredential
For Azure-hosted resources (VMs, App Service, Functions, AKS):
```python
from azure.identity import ManagedIdentityCredential
# System-assigned managed identity
credential = ManagedIdentityCredential()
# User-assigned managed identity
credential = ManagedIdentityCredential(
client_id="<user-assigned-mi-client-id>"
)
```
### ClientSecretCredential
For service principal with secret:
```python
from azure.identity import ClientSecretCredential
credential = ClientSecretCredential(
tenant_id=os.environ["AZURE_TENANT_ID"],
client_id=os.environ["AZURE_CLIENT_ID"],
client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
```
### AzureCliCredential
Uses the account from `az login`:
```python
from azure.identity import AzureCliCredential
credential = AzureCliCredential()
```
### ChainedTokenCredential
Custom credential chain:
```python
from azure.identity import (
ChainedTokenCredential,
ManagedIdentityCredential,
AzureCliCredential
)
# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
AzureCliCredential()
)
```
## Credential Types Table
| Credential | Use Case | Auth Method |
|------------|----------|-------------|
| `DefaultAzureCredential` | Most scenarios | Auto-detect |
| `ManagedIdentityCredential` | Azure-hosted apps | Managed Identity |
| `ClientSecretCredential` | Service principal | Client secret |
| `ClientCertificateCredential` | Service principal | Certificate |
| `AzureCliCredential` | Local development | Azure CLI |
| `AzureDeveloperCliCredential` | Local development | Azure Developer CLI |
| `InteractiveBrowserCredential` | User sign-in | Browser OAuth |
| `DeviceCodeCredential` | Headless/SSH | Device code flow |
## Getting Tokens Directly
```python
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")
# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
## Async Client
```python
from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient
async def main():
credential = DefaultAzureCredential()
async with BlobServiceClient(
account_url="https://<account>.blob.core.windows.net",
credential=credential
) as client:
# ... async operations
pass
await credential.close()
```
## Best Practices
1. **Use DefaultAzureCredential** for code that runs locally and in Azure
2. **Never hardcode credentials** — use environment variables or managed identity
3. **Prefer managed identity** in production Azure deployments
4. **Use ChainedTokenCredential** when you need a custom credential order
5. **Close async credentials** explicitly or use context managers
6. **Set AZURE_CLIENT_ID** for user-assigned managed identities
7. **Exclude unused credentials** to speed up authentication
Example Workflow
Here's how your AI assistant might use this skill in practice.
INPUT
User asks: Authenticate to Azure Blob Storage without hardcoded credentials
AGENT
- 1Authenticate to Azure Blob Storage without hardcoded credentials
- 2Run the same auth code locally with az login and in production with managed identity
- 3Authenticate a CI/CD pipeline to Azure using service principal environment variables
- 4Give an AKS pod access to Azure resources via workload identity
- 5Get short-lived access tokens for Azure Database for PostgreSQL
OUTPUT
Azure Identity SDK for Python authentication.
Security Audits
VirusTotalBenign
OpenClawBenign
View full reportThese signals reflect official OpenClaw status values. A Suspicious status means the skill should be used with extra caution.