Share via

managed_identity Module

  • Reference

Classes

ArcPlatformNotSupportedError
ManagedIdentity

Feed an instance of this class to <xref:msal.ManagedIdentityClient> to acquire token for the specified managed identity.
ManagedIdentityClient

This API encapsulates multiple managed identity back-ends: VM, App Service, Azure Automation (Runbooks), Azure Function, Service Fabric, and Azure Arc.

It also provides token cache support.

Note

Cloud Shell support is NOT implemented in this class.

Since MSAL Python 1.18 in May 2022, it has been implemented in

<xref:PublicClientApplication.acquire_token_interactive> via calling pattern

PublicClientApplication(...).acquire_token_interactive(scopes=[...], prompt="none").

That is appropriate, because Cloud Shell yields a token with

delegated permissions for the end user who has signed in to the Azure Portal

(like what a PublicClientApplication does),

not a token with application permissions for an app.

Create a managed identity client.

Recipe 1: Hard code a managed identity for your app:


   import msal, requests
   client = msal.ManagedIdentityClient(
       msal.UserAssignedManagedIdentity(client_id="foo"),
       http_client=requests.Session(),
       )
   token = client.acquire_token_for_client("resource")

Recipe 2: Write once, run everywhere. If you use different managed identity on different deployment, you may use an environment variable (such as MY_MANAGED_IDENTITY_CONFIG) to store a json blob like {"ManagedIdentityIdType": "ClientId", "Id": "foo"} or {"ManagedIdentityIdType": "SystemAssignedManagedIdentity", "Id": null}). The following app can load managed identity configuration dynamically:


   import json, os, msal, requests
   config = os.getenv("MY_MANAGED_IDENTITY_CONFIG")
   assert config, "An ENV VAR with value should exist"
   client = msal.ManagedIdentityClient(
       json.loads(config),
       http_client=requests.Session(),
       )
   token = client.acquire_token_for_client("resource")
ManagedIdentityError
SystemAssignedManagedIdentity

Represent a system-assigned managed identity.

It is equivalent to a Python dict of:


   {"ManagedIdentityIdType": "SystemAssigned", "Id": None}

or a JSON blob of:


   {"ManagedIdentityIdType": "SystemAssigned", "Id": null}
UserAssignedManagedIdentity

Represent a user-assigned managed identity.

Depends on the id you provided, the outcome is equivalent to one of the below:


   {"ManagedIdentityIdType": "ClientId", "Id": "foo"}
   {"ManagedIdentityIdType": "ResourceId", "Id": "foo"}
   {"ManagedIdentityIdType": "ObjectId", "Id": "foo"}

Functions

get_managed_identity_source

Detect the current environment and return the likely identity source.

When this function returns CLOUD_SHELL, you should use <xref:msal.PublicClientApplication.acquire_token_interactive> with prompt="none" to obtain a token.

get_managed_identity_source()