CertificateCredential Class

Authenticates as a service principal using a certificate.

The certificate must have an RSA private key, because this credential signs assertions using RS256. See Azure Active Directory documentation for more information on configuring certificate authentication.

Inheritance
azure.identity._internal.client_credential_base.ClientCredentialBase
CertificateCredential

Constructor

CertificateCredential(tenant_id, client_id, certificate_path=None, **kwargs)

Parameters

tenant_id
str
Required

ID of the service principal's tenant. Also called its "directory" ID.

client_id
str
Required

The service principal's client ID.

certificate_path
str
Required

Optional path to a certificate file in PEM or PKCS12 format, including the private key. If not provided, certificate_data is required.

authority
str
Required

Authority of an Azure Active Directory endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

certificate_data
bytes
Required

The bytes of a certificate in PEM or PKCS12 format, including the private key.

password
str or bytes
Required

The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.

send_certificate_chain
bool
Required

If True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.

cache_persistence_options
TokenCachePersistenceOptions
Required

Configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.
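A pre-flight check for the RSA private key requirement stated in the class description, applied to PEM input such as the file given as certificate_path or the bytes given as certificate_data. This is an added example using only the Python standard library, not code from azure-identity. The function names are hypothetical, the sample bundles are constructed shells with no key material, and PKCS12 input is not covered.

```python
import base64
import re

# DER bytes (tag, length, value) of OID 1.2.840.113549.1.1.1, rsaEncryption.
RSA_OID = bytes.fromhex("06092a864886f70d010101")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element that starts at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def pkcs8_is_rsa(der):
    """True if a PKCS#8 PrivateKeyInfo names rsaEncryption as its algorithm."""
    pos, _ = read_tlv(der, 0)          # step into the outer SEQUENCE
    _, pos = read_tlv(der, pos)        # skip the version INTEGER
    alg_start, _ = read_tlv(der, pos)  # step into AlgorithmIdentifier
    return der[alg_start:alg_start + len(RSA_OID)] == RSA_OID

def check_pem_bundle(pem_text):
    """Return a list of problems; an empty list means no problem was found."""
    blocks = dict(PEM_BLOCK.findall(pem_text))
    problems = [] if "CERTIFICATE" in blocks else ["no certificate block"]
    if "RSA PRIVATE KEY" in blocks:
        return problems  # PKCS#1 label: RSA by definition
    if "ENCRYPTED PRIVATE KEY" in blocks:
        return problems + ["key is encrypted: type not checked"]
    if "PRIVATE KEY" not in blocks:
        return problems + ["no PKCS#1 RSA or PKCS#8 private key block"]
    try:
        if not pkcs8_is_rsa(base64.b64decode(blocks["PRIVATE KEY"])):
            problems.append("private key is not RSA")
    except (IndexError, ValueError):
        problems.append("private key block is not valid DER")
    return problems

def constructed_bundle(alg_id_hex):
    """Constructed sample: placeholder certificate plus a keyless PKCS#8 shell."""
    body = b"\x02\x01\x00" + bytes.fromhex(alg_id_hex) + b"\x04\x00"
    key = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
            f"-----BEGIN PRIVATE KEY-----\n{key}\n-----END PRIVATE KEY-----\n")

RSA_BUNDLE = constructed_bundle("300d06092a864886f70d0101010500")
EC_BUNDLE = constructed_bundle("301306072a8648ce3d020106082a8648ce3d030107")
print(check_pem_bundle(RSA_BUNDLE), check_pem_bundle(EC_BUNDLE))
```

Run against a real bundle, the check reads only the key's algorithm identifier, so it can run in a deployment pipeline without decoding or logging the key itself.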