Authenticate with the Azure libraries for Java

Connect to services with connection strings

Most Azure service libraries use a connection string or secure key for authentication. For example, SQL Database includes username and password information in the JDBC connection string:

String url = "jdbc:sqlserver://myazuredb.database.windows.net:1433;" + 
        "database=testjavadb;" + 
        "user=myazdbuser;" +
        "password=myazdbpass;" +
        "encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;";
        Connection conn = DriverManager.getConnection(url);

Azure Storage uses a storage key to authorize the application:

final String storageConnection = "DefaultEndpointsProtocol=https;"
        + "AccountName=" + storageName 
        + ";AccountKey=" + storageKey
        + ";EndpointSuffix=core.windows.net";

Service connection strings are used to authenticate to other Azure services like DocumentDB, Redis Cache, and Service Bus. You can get the connection strings using the Azure portal or the CLI. You can also use the Azure management libraries for Java to query resources to build connection strings in your code.

For example, this code uses the management libraries to create a storage account connection string:

// create a new storage account
StorageAccount storage = azure.storageAccounts().getByResourceGroup("myResourceGroup","myStorageAccount");

// create a storage container to hold the file
List<StorageAccountKey> keys = storage.getKeys();
final String storageConnection = "DefaultEndpointsProtocol=https;"
        + "AccountName=" + storage.name()
        + ";AccountKey=" + keys.get(0).value()
        + ";EndpointSuffix=core.windows.net";

Other libraries require your application to run with a service prinicpal authorizing the application to run with granted credentials. This configuration is similar to the object-based authentication steps for the management library listed below.

Authenticate with the Azure management libraries for Java

Two options are available to authenticate your application with Azure when using the Java management libraries to create and manage resources.

Authenticate with an ApplicationTokenCredentials object

Create an instance of ApplicationTokenCredentials to supply the service principal credentials to the top-level Azure object from inside your code.

import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.AzureEnvironment;

// ...

ApplicationTokenCredentials credentials = new ApplicationTokenCredentials(client, 
        tenant,
        key, 
        AzureEnvironment.AZURE);

Azure azure = Azure
        .configure()
        .withLogLevel(LogLevel.NONE)
        .authenticate(credentials)
        .withDefaultSubscription();

The client, tenant and key are the same service principal values used with file-based authentication. The AzureEnvironment.AZURE value creates credentials against the Azure public cloud. Change this to a different value if you need to access another cloud (for example, AzureEnvironment.AZURE_GERMANY).

Read the service principal values from environment variables or a secret management store like Key Vault. Avoid setting these values as cleartext strings in your code to prevent accidentally exposing credentials in your version control history.

File based authentication (Preview)

The simplest way to authenticate is to create a properties file that contains credentials for an Azure service principal using the following format:

# sample management library properties file
subscription=########-####-####-####-############
client=########-####-####-####-############
key=XXXXXXXXXXXXXXXX
tenant=########-####-####-####-############
managementURI=https\://management.core.windows.net/
baseURL=https\://management.azure.com/
authURL=https\://login.windows.net/
graphURL=https\://graph.windows.net/
  • subscription: use the id value from az account show in the Azure CLI 2.0.
  • client: use the appId value from the output taken from a service principal created to run the application. If you don't have a service principal for your app, create one with the Azure CLI 2.0.
  • key: use the password value from the service principal create CLI output
  • tenant: use the tenant value from the service principal create CLI output

Save this file in a secure location on your system where your code can read it. Set an environment variable with the full path to the file in your shell:

export AZURE_AUTH_LOCATION=/Users/raisa/azureauth.properties

Create the entry point Azure object to start working with the libraries. Read the location of the properties file through the environment variable.

// pull in the location of the authenticaiton properties file from the environment 
final File credFile = new File(System.getenv("AZURE_AUTH_LOCATION"));

Azure azure = Azure
        .configure()
        .withLogLevel(LogLevel.NONE)
        .authenticate(credFile)
        .withDefaultSubscription();