CertificateCredential Class

Authenticates as a service principal using a certificate.

The certificate must have an RSA private key, because this credential signs assertions using RS256. See Azure Active Directory documentation for more information on configuring certificate authentication.

Inheritance

azure.identity._internal.client_credential_base.ClientCredentialBase

CertificateCredential

Constructor

CertificateCredential(tenant_id: str, client_id: str, certificate_path: Optional[str] = None, **kwargs: Any)

Parameters

tenant_id

str

Required

ID of the service principal's tenant. Also called its "directory" ID.

client_id

str

Required

the service principal's client ID

certificate_path

str

default value: None

Optional path to a certificate file in PEM or PKCS12 format, including the private key. If not provided, certificate_data is required.

authority

str

Authority of an Azure Active Directory endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds.

certificate_data

bytes

the bytes of a certificate in PEM or PKCS12 format, including the private key

password

str or bytes

The certificate's password. If a unicode string, it will be encoded as UTF-8. If the certificate requires a different encoding, pass appropriately encoded bytes instead.

send_certificate_chain

bool

if True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False.

cache_persistence_options

TokenCachePersistenceOptions

configuration for persistent token caching. If unspecified, the credential will cache tokens in memory.