Spark
Sign In
Skill

Authenticate Azure Services Securely

Authentication library for Azure SDK clients using Microsoft Entra ID, with DefaultAzureCredential that auto-detects credentials across local dev and

Get skill
Works with azure
Antigravity
Maintainer?
73
Spark score
out of 100
Updated 3 months ago
Version 1.0.0
Add to Favorites

Why it matters

Streamline authentication for Azure services by leveraging Microsoft Entra ID (formerly Azure AD). This skill enables secure access for applications and services across various Azure environments, from local development to production deployments.

Outcomes

What it gets done

01

Implement secure authentication using DefaultAzureCredential.

02

Manage service principal and managed identity credentials.

03

Integrate with Azure SDK clients for seamless access.

04

Configure authentication for CI/CD pipelines and Kubernetes.

Install

Add it to your toolbox

Run in your project directory:

curl -fsSL https://spark.entire.vc/get/ag-azure-identity-py | bash

Capabilities

What this skill does

Manage secrets

Stores, rotates, and injects API keys and credentials.

Audit access

Reviews permissions and logs to flag unauthorized activity.

Deploy / CI

Runs build pipelines, tests, and deploys to environments.

Overview

Azure Identity SDK for Python

What it does

Authentication library for Azure SDK clients using Microsoft Entra ID, with DefaultAzureCredential that auto-detects credentials across local dev and production.

How it connects

This skill is applicable to execute the workflow or actions described in the overview.

Source README

Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

Installation

pip install azure-identity

Environment Variables

### Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

### User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>

DefaultAzureCredential

The recommended credential for most scenarios. Tries multiple authentication methods in order:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

### Works in local dev AND production without code changes
credential = DefaultAzureCredential()

client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)

Credential Chain Order

Order Credential Environment
1 EnvironmentCredential CI/CD, containers
2 WorkloadIdentityCredential Kubernetes
3 ManagedIdentityCredential Azure VMs, App Service, Functions
4 SharedTokenCacheCredential Windows only
5 VisualStudioCodeCredential VS Code with Azure extension
6 AzureCliCredential az login
7 AzurePowerShellCredential Connect-AzAccount
8 AzureDeveloperCliCredential azd auth login

Customizing DefaultAzureCredential

### Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
)

### Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)

Specific Credential Types

ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

from azure.identity import ManagedIdentityCredential

### System-assigned managed identity
credential = ManagedIdentityCredential()

### User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)

ClientSecretCredential

For service principal with secret:

from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)

AzureCliCredential

Uses the account from az login:

from azure.identity import AzureCliCredential

credential = AzureCliCredential()

ChainedTokenCredential

Custom credential chain:

from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

### Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)

Credential Types Table

Credential Use Case Auth Method
DefaultAzureCredential Most scenarios Auto-detect
ManagedIdentityCredential Azure-hosted apps Managed Identity
ClientSecretCredential Service principal Client secret
ClientCertificateCredential Service principal Certificate
AzureCliCredential Local development Azure CLI
AzureDeveloperCliCredential Local development Azure Developer CLI
InteractiveBrowserCredential User sign-in Browser OAuth
DeviceCodeCredential Headless/SSH Device code flow

Getting Tokens Directly

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

### Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

### For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

Async Client

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient

async def main():
    credential = DefaultAzureCredential()
    
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    
    await credential.close()

Best Practices

  1. Use DefaultAzureCredential for code that runs locally and in Azure
  2. Never hardcode credentials - use environment variables or managed identity
  3. Prefer managed identity in production Azure deployments
  4. Use ChainedTokenCredential when you need a custom credential order
  5. Close async credentials explicitly or use context managers
  6. Set AZURE_CLIENT_ID for user-assigned managed identities
  7. Exclude unused credentials to speed up authentication

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

Limitations

  • Use this skill only when the task clearly matches the scope described above.
  • Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
  • Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.

Discussion

Questions & comments · 0

Sign In Sign in to leave a comment.