DevOps & CloudDocumentedScanned
azure-identity-py
azure-identity-py skill for OpenClaw agents
Share:
Installation
npx clawhub@latest install azure-identity-pyView the full skill documentation and source below.
Documentation
Azure Identity SDK for Python
Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
Installation
pip install azure-identityEnvironment Variables
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>DefaultAzureCredential
The recommended credential for most scenarios. Tries multiple authentication methods in order:
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient
# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
account_url="",
credential=credential
)Credential Chain Order
| Order | Credential | Environment |
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | az login |
| 7 | AzurePowerShellCredential | Connect-AzAccount |
| 8 | AzureDeveloperCliCredential | azd auth login |
Customizing DefaultAzureCredential
# Exclude credentials you don't need
credential = DefaultAzureCredential(
exclude_environment_credential=True,
exclude_shared_token_cache_credential=True,
managed_identity_client_id="<user-assigned-mi-client-id>" # For user-assigned MI
)
# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
exclude_interactive_browser_credential=False
)Specific Credential Types
ManagedIdentityCredential
For Azure-hosted resources (VMs, App Service, Functions, AKS):
from azure.identity import ManagedIdentityCredential
# System-assigned managed identity
credential = ManagedIdentityCredential()
# User-assigned managed identity
credential = ManagedIdentityCredential(
client_id="<user-assigned-mi-client-id>"
)ClientSecretCredential
For service principal with secret:
from azure.identity import ClientSecretCredential
credential = ClientSecretCredential(
tenant_id=os.environ["AZURE_TENANT_ID"],
client_id=os.environ["AZURE_CLIENT_ID"],
client_secret=os.environ["AZURE_CLIENT_SECRET"]
)AzureCliCredential
Uses the account from az login:
from azure.identity import AzureCliCredential
credential = AzureCliCredential()ChainedTokenCredential
Custom credential chain:
from azure.identity import (
ChainedTokenCredential,
ManagedIdentityCredential,
AzureCliCredential
)
# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
AzureCliCredential()
)Credential Types Table
| Credential | Use Case | Auth Method |
DefaultAzureCredential | Most scenarios | Auto-detect |
ManagedIdentityCredential | Azure-hosted apps | Managed Identity |
ClientSecretCredential | Service principal | Client secret |
ClientCertificateCredential | Service principal | Certificate |
AzureCliCredential | Local development | Azure CLI |
AzureDeveloperCliCredential | Local development | Azure Developer CLI |
InteractiveBrowserCredential | User sign-in | Browser OAuth |
DeviceCodeCredential | Headless/SSH | Device code flow |
Getting Tokens Directly
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
# Get token for a specific scope
token = credential.get_token("")
print(f"Token expires: {token.expires_on}")
# For Azure Database for PostgreSQL
token = credential.get_token("")Async Client
from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient
async def main():
credential = DefaultAzureCredential()
async with BlobServiceClient(
account_url="",
credential=credential
) as client:
# ... async operations
pass
await credential.close()