WorkloadIdentityCredential Class
Authenticates using Microsoft Entra Workload ID.
Workload identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With workload identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity. Under the hood, workload identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using workload identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials themselves.
The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires a token using the service account credentials available in the Azure Kubernetes environment. Refer to this workload identity overview for more information.
- Inheritance
-
azure.identity._credentials.client_assertion.ClientAssertionCredentialWorkloadIdentityCredentialazure.identity._credentials.workload_identity.TokenFileMixinWorkloadIdentityCredential
Constructor
WorkloadIdentityCredential(*, tenant_id: str | None = None, client_id: str | None = None, token_file_path: str | None = None, **kwargs: Any)
Keyword-Only Parameters
Name | Description |
---|---|
tenant_id
|
ID of the application's Microsoft Entra tenant. Also called its "directory" ID. |
client_id
|
The client ID of a Microsoft Entra app registration. |
token_file_path
|
The path to a file containing a Kubernetes service account token that authenticates the identity. |
Examples
Create a WorkloadIdentityCredential.
from azure.identity import WorkloadIdentityCredential
credential = WorkloadIdentityCredential(
tenant_id="<tenant_id>",
client_id="<client_id>",
token_file_path="<token_file_path>",
)
# Parameters can be omitted if the following environment variables are set:
# - AZURE_TENANT_ID
# - AZURE_CLIENT_ID
# - AZURE_FEDERATED_TOKEN_FILE
credential = WorkloadIdentityCredential()
Methods
close | |
get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
close
close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters
Name | Description |
---|---|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
Name | Description |
---|---|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
tenant_id
|
optional tenant to include in the token request. |
enable_cae
|
indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. |
Returns
Type | Description |
---|---|
An access token with the desired scopes. |
Exceptions
Type | Description |
---|---|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
authentication failed. The error's |
Azure SDK for Python