Authenticate Python applications on Azure using service principals

This article describes methods for authenticating applications with Azure services using explicit service principals.

If you haven't already, review the Authentication Overview for important details that apply to all authentication methods, namely assigning application identity, granting permissions to an identity, and when authentication and authorization occur when using Azure libraries.

When using explicit service principals, you aren't able to take advantage of managed identity for code that's deployed to the cloud. When used with production code, then, you must manage and maintain distinct service principals for your cloud applications.

Service principals for applications deployed to the cloud are managed in your subscription's Active Directory. For more information, see How to manage service principals.

In all cases, the appropriate service principal or user must have appropriate permissions for the resources and operation in question.

Authenticate using environment variables

The EnvironmentCredential class authenticates a service principal using either a client secret or certificate as provided through environment variables.

# Show Azure subscription information
import os
from azure.mgmt.resource import SubscriptionClient
from azure.identity import EnvironmentCredential

# EnvironmentCredential assumes that the following environment variables are set:
#     AZURE_TENANT_ID
#     AZURE_CLIENT_ID
#
# Plus one of the following (which are attempted in this order):
#     AZURE_CLIENT_SECRET
#  or:
#     AZURE_CLIENT_CERTIFICATE_PATH
#  or:
#     AZURE_USERNAME and AZURE_PASSWORD

# NOTE: AZURE_SUBSCRIPTION_ID isn't used directly by EnvironmentCredential and is used here
# only for convenience. You can retrieve the subscription ID from any suitable source.
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]

credential = EnvironmentCredential()

subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)
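The following added example (not code from the original article or from the Azure SDK) makes the precedence described in the comments above explicit without contacting Azure: it reports which of the documented inputs EnvironmentCredential would select for a given environment, flags a second complete option that would be silently ignored, and names missing variables without ever printing their values. The function names, the policy check, and the sample environment are assumptions constructed for illustration.

```python
# Added example, not part of the original article or the Azure SDK.
# Reports which EnvironmentCredential input an environment would select,
# using the precedence the article documents (client secret, then
# certificate path, then username/password). Nothing here talks to Azure.
import os

REQUIRED = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID")
# Ordered as the article lists them: the first complete option wins.
OPTIONS = (
    ("client_secret", ("AZURE_CLIENT_SECRET",)),
    ("client_certificate", ("AZURE_CLIENT_CERTIFICATE_PATH",)),
    ("username_password", ("AZURE_USERNAME", "AZURE_PASSWORD")),
)


def describe_environment_credential(env=None):
    """Return (method, ignored_methods) for an environment mapping.

    method is the option EnvironmentCredential would use; ignored_methods are
    other complete options that are present but take lower precedence.
    Raises ValueError naming missing variables (names only, never values).
    """
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing required variables: " + ", ".join(missing))
    complete = [
        method for method, names in OPTIONS if all(env.get(n) for n in names)
    ]
    if not complete:
        raise ValueError(
            "no credential source set; expected one of: "
            + "; ".join(" and ".join(names) for _, names in OPTIONS)
        )
    return complete[0], complete[1:]


def check_environment(env=None, allow_password=False):
    """Hypothetical pre-start policy check for a deployment pipeline.

    Returns a list of findings (empty means OK). Variable values are never
    included, so the output is safe to write to logs.
    """
    try:
        method, ignored = describe_environment_credential(env)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if method == "username_password" and not allow_password:
        findings.append(
            "username/password credentials are in use; "
            "prefer a client secret or certificate"
        )
    for other in ignored:
        findings.append(
            f"{other} is also configured but ignored because "
            f"{method} takes precedence"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample environment; placeholder values, not real secrets.
    sample = {
        "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
        "AZURE_CLIENT_SECRET": "placeholder-secret",
        "AZURE_CLIENT_CERTIFICATE_PATH": "/etc/app/cert.pem",
    }
    for line in check_environment(sample):
        print(line)
```

Running the check with the real process environment (env=None) before constructing EnvironmentCredential turns a vague authentication failure at first request time into a clear, value-free message at startup, and catches the case where a leftover AZURE_CLIENT_SECRET quietly overrides a certificate you intended to use.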

Authenticate with token credentials

You can authenticate with the Azure libraries using explicit subscription, tenant, and client identifiers along with a client secret.

When using newer SDK libraries based on azure.core, use the ClientSecretCredential object from the azure.identity library. When using older SDK libraries, use ServicePrincipalCredentials from the azure.common library.

To migrate existing code that uses ServicePrincipalCredentials to a newer library version, replace uses of this class with ClientSecretCredential as illustrated in the following sections. Note the slight changes in the parameter names between the two constructors: tenant becomes tenant_id and secret becomes client_secret.

ClientSecretCredential (azure.identity)

# Show Azure subscription information

import os
from azure.mgmt.resource import SubscriptionClient
from azure.identity import ClientSecretCredential

# Retrieve the IDs and secret to use with ClientSecretCredential. NOTE: this code uses
# environment variables for convenience instead of retrieving the values from another source
# such as Azure Storage or Azure Key Vault. If you already have values in environment
# variables, just use EnvironmentCredential.

subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]
tenant_id = os.environ["AZURE_TENANT_ID"]
client_id = os.environ["AZURE_CLIENT_ID"]
client_secret = os.environ["AZURE_CLIENT_SECRET"]

credential = ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret)

subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

In this method, which applies to newer libraries based on azure.core, you create a ClientSecretCredential object using credentials obtained from secure storage such as Azure Key Vault or environment variables. The previous code assumes that you've created the environment variables described in Configure your local dev environment.

ServicePrincipalCredentials (azure.common)

# Show Azure subscription information
import os
from azure.mgmt.resource import SubscriptionClient
from azure.common.credentials import ServicePrincipalCredentials

# Retrieve the IDs and secret to use with ServicePrincipalCredentials
subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]
tenant_id = os.environ["AZURE_TENANT_ID"]
client_id = os.environ["AZURE_CLIENT_ID"]
client_secret = os.environ["AZURE_CLIENT_SECRET"]

credential = ServicePrincipalCredentials(tenant=tenant_id, client_id=client_id, secret=client_secret)

subscription_client = SubscriptionClient(credential)

subscription = next(subscription_client.subscriptions.list())
print(subscription.subscription_id)

In this method, which applies to older libraries not based on azure.core, you create a ServicePrincipalCredentials object using credentials obtained from secure storage such as Azure Key Vault or environment variables. The previous code assumes that you've created the environment variables described in Configure your local dev environment.
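The parameter renames called out earlier (tenant becomes tenant_id, secret becomes client_secret) are easy to get wrong when many call sites are migrated at once. The following added example (not code from the original article or the Azure SDK) centralizes the translation: it accepts either the legacy ServicePrincipalCredentials names or the new ClientSecretCredential names, rejects unknown or duplicated names, and refuses empty values, with error messages that mention names only. The helper names and the placeholder values are assumptions; only build_credential touches azure.identity, and it imports it lazily so the translation itself runs without the SDK installed.

```python
# Added example, not part of the original article or the Azure SDK.
# Translates keyword arguments written for ServicePrincipalCredentials
# (azure.common) into the names ClientSecretCredential (azure.identity)
# expects, failing fast on mistakes instead of at first token request.

# Old name -> new name, as described in the article; client_id is unchanged.
LEGACY_TO_NEW = {
    "tenant": "tenant_id",
    "secret": "client_secret",
    "client_id": "client_id",
}
NEW_REQUIRED = ("tenant_id", "client_id", "client_secret")


def translate_legacy_kwargs(**kwargs):
    """Return kwargs suitable for ClientSecretCredential(**result).

    Accepts legacy names (tenant, client_id, secret) or new names
    (tenant_id, client_id, client_secret). Raises TypeError on an unknown
    name or when a value is given under both spellings, and ValueError when
    a required value is missing or empty. Messages never include values.
    """
    result = {}
    for key, value in kwargs.items():
        if key in LEGACY_TO_NEW:
            new_key = LEGACY_TO_NEW[key]
        elif key in NEW_REQUIRED:
            new_key = key
        else:
            raise TypeError(f"unexpected keyword argument {key!r}")
        if new_key in result:
            raise TypeError(f"{new_key!r} given twice (old and new spelling)")
        result[new_key] = value
    missing = [name for name in NEW_REQUIRED if not result.get(name)]
    if missing:
        raise ValueError("missing or empty: " + ", ".join(missing))
    return result


def build_credential(**kwargs):
    """Construct a ClientSecretCredential from legacy or new keyword names.

    azure.identity is imported here, not at module level, so the translation
    above can be exercised without the SDK installed (hypothetical helper).
    """
    from azure.identity import ClientSecretCredential  # needs azure-identity
    return ClientSecretCredential(**translate_legacy_kwargs(**kwargs))


if __name__ == "__main__":
    # Constructed placeholder values, not real identifiers or secrets.
    print(translate_legacy_kwargs(
        tenant="tenant-placeholder",
        client_id="client-placeholder",
        secret="secret-placeholder",
    ))
```

Once every call site goes through build_credential, removing the legacy spellings later is a one-line change to LEGACY_TO_NEW, and a grep for "tenant=" or "secret=" shows what is still left to migrate.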

See also