WorkloadIdentityCredential Class

Authenticates using Microsoft Entra Workload ID.

Workload identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With workload identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity. Under the hood, workload identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using workload identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials themselves.

The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires a token using the service account credentials available in the Azure Kubernetes environment. Refer to this workload identity overview for more information.

Inheritance
azure.identity._credentials.client_assertion.ClientAssertionCredential
WorkloadIdentityCredential
azure.identity._credentials.workload_identity.TokenFileMixin
WorkloadIdentityCredential

Constructor

WorkloadIdentityCredential(*, tenant_id: str | None = None, client_id: str | None = None, token_file_path: str | None = None, **kwargs: Any)

Keyword-Only Parameters

Name Description
tenant_id
str

ID of the application's Microsoft Entra tenant. Also called its "directory" ID.

client_id
str

The client ID of a Microsoft Entra app registration.

token_file_path
str

The path to a file containing a Kubernetes service account token that authenticates the identity.

Examples

Create a WorkloadIdentityCredential.


   from azure.identity import WorkloadIdentityCredential

   credential = WorkloadIdentityCredential(
       tenant_id="<tenant_id>",
       client_id="<client_id>",
       token_file_path="<token_file_path>",
   )

   # Parameters can be omitted if the following environment variables are set:
   #   - AZURE_TENANT_ID
   #   - AZURE_CLIENT_ID
   #   - AZURE_FEDERATED_TOKEN_FILE
   credential = WorkloadIdentityCredential()

Methods

close
get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

close

close() -> None

get_token

Request an access token for scopes.

This method is called automatically by Azure SDK clients.

get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken

Parameters

Name Description
scopes
Required
str

desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc.

Keyword-Only Parameters

Name Description
claims
str

additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure.

tenant_id
str

optional tenant to include in the token request.

enable_cae

indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False.

Returns

Type Description

An access token with the desired scopes.

Exceptions

Type Description

the credential is unable to attempt authentication because it lacks required data, state, or platform support

authentication failed. The error's message attribute gives a reason.