Authenticate with the Azure Management Libraries for Python

Several options are available to authenticate your application with Azure when using the Python management libraries to create and manage resources.

Authenticate with token credentials

Store the credentials securely in a configuration file, the registry, or Azure Key Vault.

The following example uses a Service Principal for authentication.

Note

You can create a Service Principal via the Azure CLI 2.0:

az ad sp create-for-rbac --name "MY-PRINCIPAL-NAME" --password "STRONG-SECRET-PASSWORD"

    from azure.common.credentials import ServicePrincipalCredentials

    # Tenant ID for your Azure Subscription
    TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

    # Your Service Principal App ID
    CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

    # Your Service Principal Password (placeholder; load it from secure storage)
    KEY = 'password'

    credentials = ServicePrincipalCredentials(
        client_id = CLIENT,
        secret = KEY,
        tenant = TENANT_ID
    )

Note

To connect to one of the Azure sovereign clouds, use the cloud_environment parameter.

    from azure.common.credentials import ServicePrincipalCredentials
    from msrestazure.azure_cloud import AZURE_CHINA_CLOUD

    # Tenant ID for your Azure Subscription
    TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

    # Your Service Principal App ID
    CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

    # Your Service Principal Password (placeholder; load it from secure storage)
    KEY = 'password'

    credentials = ServicePrincipalCredentials(
        client_id = CLIENT,
        secret = KEY,
        tenant = TENANT_ID,
        cloud_environment = AZURE_CHINA_CLOUD
    )

If you need more control, use ADAL and the SDK's ADAL wrapper. Refer to the ADAL website for the list of available scenarios and samples. For instance, for service principal authentication:

    import adal
    from msrestazure.azure_active_directory import AdalAuthentication
    from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD

    # Tenant ID for your Azure Subscription
    TENANT_ID = 'ABCDEFGH-1234-1234-1234-ABCDEFGHIJKL'

    # Your Service Principal App ID
    CLIENT = 'a2ab11af-01aa-4759-8345-7803287dbd39'

    # Your Service Principal Password (placeholder; load it from secure storage)
    KEY = 'password'

    LOGIN_ENDPOINT = AZURE_PUBLIC_CLOUD.endpoints.active_directory
    RESOURCE = AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id

    context = adal.AuthenticationContext(LOGIN_ENDPOINT + '/' + TENANT_ID)
    credentials = AdalAuthentication(
        context.acquire_token_with_client_credentials,
        RESOURCE,
        CLIENT,
        KEY
    )

All valid ADAL calls can be used with the AdalAuthentication class.

Next, create a client object to start working with the API:

from azure.mgmt.compute import ComputeManagementClient

# Your Azure Subscription ID
subscription_id = '33333333-3333-3333-3333-333333333333'

client = ComputeManagementClient(credentials, subscription_id)

Note

When using an Azure sovereign cloud, you must also specify the appropriate base URL (via the constants in msrestazure.azure_cloud) when creating the management client. For example, for Azure China Cloud:

client = ComputeManagementClient(credentials, subscription_id,
    base_url=AZURE_CHINA_CLOUD.endpoints.resource_manager)

File based authentication

The simplest way to authenticate is to create a JSON file that contains credentials for an Azure Service Principal. You can use the following CLI command to create a new Service Principal and this file at the same time:

az ad sp create-for-rbac --sdk-auth > mycredentials.json

Save this file in a secure location on your system where your code can read it. Set an environment variable with the full path to the file in your shell:

export AZURE_AUTH_LOCATION=~/.azure/azure_credentials.json

If you want to create the file yourself, please follow this format:

{
    "clientId": "ad735158-65ca-11e7-ba4d-ecb1d756380e",
    "clientSecret": "b70bb224-65ca-11e7-810c-ecb1d756380e",
    "subscriptionId": "bfc42d3a-65ca-11e7-95cf-ecb1d756380e",
    "tenantId": "c81da1d8-65ca-11e7-b1d1-ecb1d756380e",
    "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
    "resourceManagerEndpointUrl": "https://management.azure.com/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
    "galleryEndpointUrl": "https://gallery.azure.com/",
    "managementEndpointUrl": "https://management.core.windows.net/"
}

You can then create any client using the client factory:

from azure.common.client_factory import get_client_from_auth_file
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_auth_file(ComputeManagementClient)
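
Before handing the file to the client factory, it is worth confirming that only its owner can read it and that its contents match the format shown above. The following is an added example, not part of the Azure SDK or the original page; check_auth_file is a hypothetical helper, and the permission check assumes POSIX file modes.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Keys from the auth-file format shown above that a client needs to authenticate.
REQUIRED_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId",
                 "activeDirectoryEndpointUrl", "resourceManagerEndpointUrl")


def check_auth_file(path=None):
    """Return (config, problems) for the file at path or AZURE_AUTH_LOCATION.

    Hypothetical helper: it only inspects the file and never contacts Azure.
    """
    path = os.path.expanduser(path or os.environ["AZURE_AUTH_LOCATION"])
    problems = []

    # The file holds a client secret, so only its owner should have access.
    # (POSIX permission bits; on Windows, review the file's ACL instead.)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file mode %o grants access to group/other" % mode)

    with open(path, encoding="utf-8") as handle:
        config = json.load(handle)

    for key in REQUIRED_KEYS:
        if not config.get(key):
            problems.append("missing or empty key: " + key)

    # The secret and tokens are sent to these endpoints, so require HTTPS.
    for key, value in config.items():
        if key.endswith("Url") and urlparse(str(value)).scheme != "https":
            problems.append("endpoint is not https: " + key)

    return config, problems
```

Call check_auth_file() at startup and refuse to continue if the returned problem list is not empty.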

Authenticate with Managed Service Identity (MSI)

MSI is a simple way for a resource in Azure to use SDK/CLI without the need to create specific credentials.

    from msrestazure.azure_active_directory import MSIAuthentication
    from azure.mgmt.resource import ResourceManagementClient, SubscriptionClient

    # Create MSI Authentication
    credentials = MSIAuthentication()


    # Create a Subscription Client
    subscription_client = SubscriptionClient(credentials)
    subscription = next(subscription_client.subscriptions.list())
    subscription_id = subscription.subscription_id

    # Create a Resource Management client
    resource_client = ResourceManagementClient(credentials, subscription_id)


    # List resource groups as an example. The only limit is what role and policy are assigned to this MSI token.
    for resource_group in resource_client.resource_groups.list():
        print(resource_group.name)

CLI-based authentication

The SDK is able to create a client using your CLI active subscription.

Important

This should be used as a quick-start developer experience. For production purposes, use ADAL or your own credentials system. Any change to your CLI configuration will impact the SDK execution.

To define active credentials, use az login. The default subscription ID is either the only one you have, or you can define it using az account.

from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.compute import ComputeManagementClient

client = get_client_from_cli_profile(ComputeManagementClient)

Authenticate with token credentials (legacy)

In previous versions of the SDK, ADAL was not yet available and we provided a UserPassCredentials class. This is considered deprecated and should not be used anymore.

This sample shows the user/password scenario. It does not support 2FA.

    from azure.common.credentials import UserPassCredentials

    credentials = UserPassCredentials(
        'user@domain.com',
        'my_smart_password',
    )