Authenticate with the Azure Management Libraries for Python

Several options are available to authenticate your application with Azure when using the Python management libraries to create and manage resources.

Authenticate with token credentials

Store the credentials securely in a configuration file, the registry, or Azure KeyVault.

The following example uses a Service Principal for authentication.

Note

To create a service principal with the Azure CLI, use the following command:

az ad sp create-for-rbac --name "MY-PRINCIPAL-NAME" --password "STRONG-SECRET-PASSWORD"

To learn more about setting up service princpals with the CLI, see Create an Azure service principal with Azure CLI

from azure.common.credentials import ServicePrincipalCredentials

# Tenant ID for your Azure subscription
TENANT_ID = '<Your tenant ID>'

# Your service principal App ID
CLIENT = '<Your service principal ID>'

# Your service principal password
KEY = '<Your service principal password>'

credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY,
    tenant = TENANT_ID
)

[NOTE!] To connect to one of the Azure sovereign clouds, use the cloud_environment parameter.

from azure.common.credentials import ServicePrincipalCredentials
from msrestazure.azure_cloud import AZURE_CHINA_CLOUD

# Tenant ID for your Azure Subscription
TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

# Your Service Principal App ID
CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

# Your Service Principal Password
KEY = 'password'

credentials = ServicePrincipalCredentials(
    client_id = CLIENT,
    secret = KEY,
    tenant = TENANT_ID,
    cloud_environment = AZURE_CHINA_CLOUD
)

If you need more control, it is recommended to use ADAL and the SDK ADAL wrapper. Please refer to the ADAL website for all the available scenarios list and samples. For instance for service principal authentication:

import adal
from msrestazure.azure_active_directory import AdalAuthentication
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

# Tenant ID for your Azure Subscription
TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

# Your Service Principal App ID
CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

# Your Service Principal Password
KEY = 'password'

LOGIN_ENDPOINT = AZURE_PUBLIC_CLOUD.endpoints.active_directory
RESOURCE = AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id

context = adal.AuthenticationContext(LOGIN_ENDPOINT + '/' + TENANT_ID)
credentials = AdalAuthentication(
    context.acquire_token_with_client_credentials,
    RESOURCE,
    CLIENT,
    KEY
)

All ADAL valid calls can be used with the AdalAuthentication class.

Next, create a client object to start working with the API:

from azure.mgmt.compute import ComputeManagementClient

# Your Azure Subscription ID
subscription_id = '33333333-3333-3333-3333-333333333333'

client = ComputeManagementClient(credentials, subscription_id)

[NOTE!] When using an Azure sovereign cloud you must also specify the appropriate base URL (via the constants in msrestazure.azure_cloud) when creating the management client. For example for Azure China Cloud:

client = ComputeManagementClient(credentials, subscription_id,
    base_url=AZURE_CHINA_CLOUD.endpoints.resource_manager)

File based authentication

The simplest way to authenticate is to create a JSON file that contains credentials for an Azure Service Principal. You can use the following CLI command to create a new Service Principal and this file at the same time:

az ad sp create-for-rbac --sdk-auth > mycredentials.json

Save this file in a secure location on your system where your code can read it. Set an environment variable with the full path to the file in your shell:

export AZURE_AUTH_LOCATION=~/.azure/azure_credentials.json

If you want to create the file yourself, please follow this format:

{
    "clientId": "<Service principal ID>",
    "clientSecret": "<Service principal secret/password>",
    "subscriptionId": "<Subscription associated with the service principal>",
    "tenantId": "<The service principal's tenant>",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
}

You can then create any client using the client factory:

from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_auth_file(ComputeManagementClient)

Authenticate with Azure Managed Identities

Azure Managed Identity is a simple way for a resource in Azure to use SDK/CLI without the need to create specific credentials.

Important

To use managed identities, you must be connecting to Azure from an Azure resource, such as an Azure Function or a VM running in Azure. To learn how to configure a managed identity for a resource, see Configure managed identities for Azure resources and How to use managed identities for Azure resources.

from msrestazure.azure_active_directory import MSIAuthentication
from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient

# Create MSI Authentication
credentials = MSIAuthentication()


# Create a Subscription Client
subscription_client = SubscriptionClient(credentials)
subscription = next(subscription_client.subscriptions.list())
subscription_id = subscription.subscription_id

# Create a Resource Management client
resource_client = ResourceManagementClient(credentials, subscription_id)


# List resource groups as an example. The only limit is what role and policy are assigned to this MSI token.
for resource_group in resource_client.resource_groups.list():
    print(resource_group.name)

CLI-based authentication

The SDK is able to create a client using the Azure CLI's active subscription.

Important

This should be used as quick start developer experience. For production purposes, use ADAL or your own credentials system. Any change to your CLI configuration will impact the SDK execution.

To define active credentials, use az login. Default subscription ID is either the only one you have, or you can define it using az account

from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_cli_profile(ComputeManagementClient)

Authenticate with token credentials (legacy)

In previous version of the SDK, ADAL was not yet available and we provided a UserPassCredentials class. This is considered deprecated and should not be used anymore.

This sample shows user/password scenario. This does not support 2FA.

from azure.common.credentials import UserPassCredentials

credentials = UserPassCredentials(
    'user@domain.com',
    'my_smart_password'
)