# Azure Identity SDK for Python

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
## Installation

```bash
pip install azure-identity
```

## Environment Variables

```bash
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```

## DefaultAzureCredential
The recommended credential for most scenarios. Tries multiple authentication methods in order:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)
```

### Credential Chain Order
| Order | Credential | Environment |
|---|---|---|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | Local development |
| 7 | AzurePowerShellCredential | Local development |
| 8 | AzureDeveloperCliCredential | Local development |

### Customizing DefaultAzureCredential
```python
from azure.identity import DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)
```

## Specific Credential Types
### ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

```python
from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)
```

### ClientSecretCredential
For a service principal with a client secret:

```python
import os

from azure.identity import ClientSecretCredential

# The secret is read from the environment, never written into source
credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
```

### AzureCliCredential
Uses the account from `az login`:

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```

### ChainedTokenCredential
Custom credential chain:

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)
```
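The fallback rule that makes a chain safe to use is the part the snippet above does not show: a credential that is merely *unavailable* (no managed identity endpoint, no `az login` session) is skipped, but a credential that is configured and *rejected* raises immediately, so a bad secret is never quietly papered over by a developer-tool login further down the chain. The following added example (not code from the azure-identity SDK or from this page) implements those semantics in a small `FallbackChain` class and exercises it with constructed stand-in credentials; the class and the stand-ins are my own names, and the real `CredentialUnavailableError` is used when the SDK is installed.

```python
"""Fallback chain with ChainedTokenCredential-style semantics (added example)."""
from __future__ import annotations

import time
from typing import NamedTuple

try:  # real exception type when azure-identity is installed
    from azure.identity import CredentialUnavailableError
except ImportError:  # stand-in so the example runs without the SDK
    class CredentialUnavailableError(Exception):
        pass

SCOPE = "https://management.azure.com/.default"


class AccessToken(NamedTuple):
    token: str
    expires_on: int  # seconds since the epoch


class ChainAuthError(Exception):
    """Raised when every credential in the chain was unavailable."""


class FallbackChain:
    """Try each credential in order; skip unavailable ones, propagate real failures."""

    def __init__(self, *credentials) -> None:
        self.credentials = credentials
        self.attempts: list[str] = []  # audit trail of what was tried

    def get_token(self, *scopes: str) -> AccessToken:
        self.attempts.clear()
        for cred in self.credentials:
            name = type(cred).__name__
            try:
                token = cred.get_token(*scopes)
            except CredentialUnavailableError as exc:
                # Not configured / not reachable in this environment: try the next one.
                self.attempts.append(f"{name}: unavailable ({exc})")
                continue
            # Any other exception (rejected secret, denied scope) is NOT caught:
            # an authentication failure must not be masked by a fallback.
            self.attempts.append(f"{name}: succeeded")
            return token
        raise ChainAuthError("no credential could authenticate: " + "; ".join(self.attempts))


# Constructed stand-ins (hypothetical behaviour, not the SDK's credential classes)
class FakeManagedIdentity:
    """Behaves like ManagedIdentityCredential on a laptop: no IMDS endpoint reachable."""

    def get_token(self, *scopes: str) -> AccessToken:
        raise CredentialUnavailableError("managed identity endpoint not reachable")


class FakeCli:
    """Behaves like AzureCliCredential with an active login; returns a constructed token."""

    def get_token(self, *scopes: str) -> AccessToken:
        return AccessToken("constructed-token-value", int(time.time()) + 3600)


class FakeRejectedSecret:
    """Behaves like ClientSecretCredential whose secret Entra ID rejects."""

    def get_token(self, *scopes: str) -> AccessToken:
        raise PermissionError("invalid client secret")


def demo_fallback() -> list[str]:
    """Managed identity unavailable -> CLI is used; returns the audit trail."""
    chain = FallbackChain(FakeManagedIdentity(), FakeCli())
    chain.get_token(SCOPE)
    return chain.attempts


def demo_all_unavailable() -> str:
    """Every credential unavailable -> ChainAuthError naming each attempt."""
    chain = FallbackChain(FakeManagedIdentity(), FakeManagedIdentity())
    try:
        chain.get_token(SCOPE)
    except ChainAuthError as exc:
        return str(exc)
    return "unexpected success"


def demo_auth_failure_not_masked() -> bool:
    """A rejected secret propagates even though a working CLI credential follows it."""
    chain = FallbackChain(FakeRejectedSecret(), FakeCli())
    try:
        chain.get_token(SCOPE)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo_fallback())
    print(demo_all_unavailable())
    print("auth failure propagated:", demo_auth_failure_not_masked())
```

The `attempts` list is what you want in logs when a chain fails in production: which credentials were skipped and why, without the token value itself.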
## Credential Types Table
| Credential | Use Case | Auth Method |
|---|---|---|
| DefaultAzureCredential | Most scenarios | Auto-detect |
| ManagedIdentityCredential | Azure-hosted apps | Managed Identity |
| ClientSecretCredential | Service principal | Client secret |
| CertificateCredential | Service principal | Certificate |
| AzureCliCredential | Local development | Azure CLI |
| AzureDeveloperCliCredential | Local development | Azure Developer CLI |
| InteractiveBrowserCredential | User sign-in | Browser OAuth |
| DeviceCodeCredential | Headless/SSH | Device code flow |

## Getting Tokens Directly
```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
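When you hand tokens to something other than an Azure SDK client (a PostgreSQL driver, a raw HTTP call), it is worth checking that the token you got is the one you asked for before it leaves the process. The added example below (standard library only, not code from the SDK or this page; all function names are mine) decodes the JWT payload of an access token, confirms that its `aud` claim matches the resource in the requested `.default` scope, and flags a token that is about to expire. It deliberately does not verify the signature: the resource server does that, and a client must not treat decoded claims as authorization. A sample token is constructed in `make_sample_token` so the example runs offline.

```python
"""Client-side sanity checks on an access token's claims (added example)."""
from __future__ import annotations

import base64
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def resource_for_scope(scope: str) -> str:
    """'https://management.azure.com/.default' -> 'https://management.azure.com'."""
    suffix = "/.default"
    if not scope.endswith(suffix):
        raise ValueError("expected a '<resource>/.default' scope")
    return scope[: -len(suffix)]


def check_token(token: str, scope: str, now: Optional[int] = None, min_ttl: int = 300) -> dict:
    """Check audience and remaining lifetime; never returns the token itself."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    resource = resource_for_scope(scope).rstrip("/")
    problems: list[str] = []

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # 'aud' may be a list per RFC 7519
    # Entra ID may issue the audience with or without a trailing slash
    if not any(isinstance(a, str) and a.rstrip("/") == resource for a in audiences):
        problems.append(f"audience {aud!r} does not match requested resource {resource!r}")

    exp = claims.get("exp")
    ttl = None if exp is None else int(exp) - now
    if ttl is None:
        problems.append("missing exp claim")
    elif ttl < min_ttl:
        problems.append(f"token expires in {ttl}s (less than {min_ttl}s)")

    return {
        "ok": not problems,
        "problems": problems,
        "tenant": claims.get("tid"),   # which tenant issued it
        "app": claims.get("appid"),    # which application identity it represents
        "ttl": ttl,
    }


def redact(token: str) -> str:
    """Log-safe form of a token: a short prefix only."""
    return token[:8] + "..." if len(token) > 8 else "***"


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use (signature is a dummy)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'dummy-signature')}"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    tok = make_sample_token({"aud": "https://management.azure.com/", "exp": issued + 3600,
                             "tid": "00000000-0000-0000-0000-000000000000",  # placeholder tenant id
                             "appid": "11111111-1111-1111-1111-111111111111"})  # placeholder app id
    print(redact(tok), check_token(tok, "https://management.azure.com/.default", now=issued))
    print(check_token(tok, "https://ossrdbms-aad.database.windows.net/.default", now=issued))
```

The audience check is the one that catches real mistakes: a token minted for `https://management.azure.com/.default` is rejected by Azure Database for PostgreSQL, and the error from the database driver is far less clear than the `problems` entry this returns.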
## Async Client
```python
import asyncio

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient


async def main():
    credential = DefaultAzureCredential()
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    # Async credentials hold an HTTP session; close it when done
    await credential.close()


asyncio.run(main())
```

## Best Practices
- Use DefaultAzureCredential for code that runs locally and in Azure
- Never hardcode credentials — use environment variables or managed identity
- Prefer managed identity in production Azure deployments
- Use ChainedTokenCredential when you need a custom credential order
- Close async credentials explicitly or use context managers
- Set AZURE_CLIENT_ID for user-assigned managed identities
- Exclude unused credentials to speed up authentication