Authenticate with the Azure management libraries for Python

This article shows you how to authenticate your application when using the Python management libraries. You have several options to authenticate your application with Azure.

Authenticate with token credentials

Store the credentials securely in a configuration file, the registry, or Azure Key Vault.

The following example uses a Service Principal for authentication.

Note

To create a service principal with the Azure CLI, use the following command:

az ad sp create-for-rbac --name "MY-PRINCIPAL-NAME" --password "STRONG-SECRET-PASSWORD"

To learn more about setting up service principals with the CLI, see Create an Azure service principal with Azure CLI.

from azure.common.credentials import ServicePrincipalCredentials

# Tenant ID for your Azure subscription
TENANT_ID = '<Your tenant ID>'

# Your service principal App ID
CLIENT = '<Your service principal ID>'

# Your service principal password
KEY = '<Your service principal password>'

credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY,
    tenant = TENANT_ID
)

Note

To connect to one of the Azure sovereign clouds, use the cloud_environment parameter.

from azure.common.credentials import ServicePrincipalCredentials
from msrestazure.azure_cloud import AZURE_CHINA_CLOUD

# Tenant ID for your Azure Subscription
TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

# Your Service Principal App ID
CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

# Your Service Principal Password
KEY = 'password'

credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY,
    tenant = TENANT_ID,
    cloud_environment = AZURE_CHINA_CLOUD
)

If you need more control, use ADAL together with the SDK's ADAL wrapper. See the ADAL website for the list of available scenarios and samples. For example, for service principal authentication:

import adal
from msrestazure.azure_active_directory import AdalAuthentication
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

# Tenant ID for your Azure Subscription
TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

# Your Service Principal App ID
CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

# Your Service Principal Password
KEY = 'password'

LOGIN_ENDPOINT = AZURE_PUBLIC_CLOUD.endpoints.active_directory
RESOURCE = AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id

context = adal.AuthenticationContext(LOGIN_ENDPOINT + '/' + TENANT_ID)
credentials = AdalAuthentication(
    context.acquire_token_with_client_credentials,
    RESOURCE,
    CLIENT,
    KEY
)

All valid ADAL calls can be used with the AdalAuthentication class.

Next, create a client object to start working with the API:

from azure.mgmt.compute import ComputeManagementClient

# Your Azure Subscription ID
subscription_id = '33333333-3333-3333-3333-333333333333'

client = ComputeManagementClient(credentials, subscription_id)

Note

When using an Azure sovereign cloud, you must also specify the appropriate base URL (via the constants in msrestazure.azure_cloud) when creating the management client. For example, for Azure China Cloud:

client = ComputeManagementClient(credentials, subscription_id,
    base_url=AZURE_CHINA_CLOUD.endpoints.resource_manager)

File based authentication

The simplest way to authenticate is to create a JSON file that contains credentials for an Azure Service Principal. You can use the following CLI command to create a new Service Principal and this file at the same time:

az ad sp create-for-rbac --sdk-auth > mycredentials.json

Save this file in a secure location on your system where your code can read it. Set an environment variable with the full path to the file in your shell:

export AZURE_AUTH_LOCATION=~/.azure/azure_credentials.json

If you want to create the file yourself, please follow this format:

{
    "clientId": "<Service principal ID>",
    "clientSecret": "<Service principal secret/password>",
    "subscriptionId": "<Subscription associated with the service principal>",
    "tenantId": "<The service principal's tenant>",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
}

You can then create any client using the client factory:

from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_auth_file(ComputeManagementClient)

Authenticate with Azure Managed Identities

Azure Managed Identity is a simple way for a resource in Azure to use the SDK or CLI without the need to create specific credentials.

Important

To use managed identities, you must be connecting to Azure from an Azure resource, such as an Azure Function or a VM running in Azure. To learn how to configure a managed identity for a resource, see Configure managed identities for Azure resources and How to use managed identities for Azure resources.

from msrestazure.azure_active_directory import MSIAuthentication
from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient

# Create MSI Authentication
credentials = MSIAuthentication()


# Create a Subscription Client
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id

# Create a Resource Management client
resource_client = ResourceManagementClient(credentials, subscription_id)


# List resource groups as an example. The only limit is what role and policy are assigned to this MSI token.
for resource_group in resource_client.resource_groups.list():
    print(resource_group.name)

CLI-based authentication

The SDK is able to create a client using the Azure CLI's active subscription.

Important

Use this only as a quick-start developer experience. For production purposes, use ADAL or your own credentials system. Any change to your CLI configuration will impact the SDK execution.

To define the active credentials, use az login. The default subscription ID is either the only one you have, or one you define using az account.

from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_cli_profile(ComputeManagementClient)

Authenticate with token credentials (legacy)

In previous versions of the SDK, ADAL was not yet available and we provided a UserPassCredentials class. This class is deprecated and should no longer be used.

This sample shows the user/password scenario, which does not support 2FA.

from azure.common.credentials import UserPassCredentials

credentials = UserPassCredentials(
    'user@domain.com',
    'my_smart_password'
)