azure-identity-ts

Azure Identity SDK for TypeScript

Authenticate to Azure services with various credential types.
Installation

```bash
npm install @azure/identity
```

Environment Variables
Service Principal (Secret)

```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
```

Service Principal (Certificate)
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem
AZURE_CLIENT_CERTIFICATE_PASSWORD=<optional-password>
```

Workload Identity (Kubernetes)
```bash
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/tokens/azure-identity
```

The secret and certificate variables are read by EnvironmentCredential, the federated token file by WorkloadIdentityCredential. Both sit at the front of the DefaultAzureCredential chain, and EnvironmentCredential is tried first, so a static secret left in a pod's environment wins over the short-lived federated token. On AKS the workload identity webhook injects these variables and projects the token file into the pod; the application does not write it itself.

DefaultAzureCredential (Recommended)
```typescript
import { DefaultAzureCredential } from "@azure/identity";
import { BlobServiceClient } from "@azure/storage-blob";

const credential = new DefaultAzureCredential();

// Use with any Azure SDK client
const blobClient = new BlobServiceClient(
  "https://<account>.blob.core.windows.net",
  credential
);
```

Credential Chain Order:
- EnvironmentCredential
- WorkloadIdentityCredential
- ManagedIdentityCredential
- VisualStudioCodeCredential
- AzureCliCredential
- AzurePowerShellCredential
- AzureDeveloperCliCredential

The first credential that can produce a token wins. The exact membership of the chain changes between @azure/identity versions, so check the README of the version you pin. In production the developer-tool credentials at the tail only add startup latency and can silently pick up a local login, so constrain the chain: pass managedIdentityClientId (or workloadIdentityClientId) in DefaultAzureCredentialOptions when the host has more than one identity, set AZURE_TOKEN_CREDENTIALS=prod where the installed version supports it, or construct ManagedIdentityCredential directly.
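As an added example, not from the page or the @azure/identity project, the function below resolves which credential EnvironmentCredential would build from a given set of the variables listed above and flags combinations a reviewer should catch before deploy, in particular a static secret sitting next to a federated token file, which the chain order above makes the winner. The precedence (secret, then certificate, then username/password) follows EnvironmentCredential's documented behaviour; the `resolveEnvironmentCredential` name and the return shape are this example's own.

```typescript
// Added example: which credential EnvironmentCredential would pick from a
// given environment, plus warnings for risky combinations. The precedence
// mirrors @azure/identity's EnvironmentCredential; names here are our own.

type EnvKind = "client-secret" | "client-certificate" | "username-password" | "none";

interface EnvCheck {
  kind: EnvKind;
  warnings: string[];
}

function resolveEnvironmentCredential(env: Record<string, string | undefined>): EnvCheck {
  const has = (name: string): boolean => (env[name] ?? "").trim().length > 0;
  const warnings: string[] = [];

  // Every branch needs the tenant and client id; without them the credential
  // is skipped and DefaultAzureCredential silently moves to the next source.
  if (!has("AZURE_TENANT_ID") || !has("AZURE_CLIENT_ID")) {
    if (has("AZURE_CLIENT_SECRET") || has("AZURE_CLIENT_CERTIFICATE_PATH")) {
      warnings.push("credential material is set but AZURE_TENANT_ID/AZURE_CLIENT_ID is missing; EnvironmentCredential will be skipped");
    }
    return { kind: "none", warnings };
  }

  let kind: EnvKind = "none";
  if (has("AZURE_CLIENT_SECRET")) {
    kind = "client-secret";
  } else if (has("AZURE_CLIENT_CERTIFICATE_PATH")) {
    kind = "client-certificate";
  } else if (has("AZURE_USERNAME") && has("AZURE_PASSWORD")) {
    kind = "username-password";
  }

  if (kind === "client-secret" && has("AZURE_CLIENT_CERTIFICATE_PATH")) {
    warnings.push("both AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are set; the secret takes precedence and the certificate is ignored");
  }
  if (kind !== "none" && has("AZURE_FEDERATED_TOKEN_FILE")) {
    // EnvironmentCredential runs before WorkloadIdentityCredential, so a stray
    // static credential in a pod overrides the short-lived federated token.
    warnings.push(`AZURE_FEDERATED_TOKEN_FILE is set but ${kind} material wins; remove the static credential to use workload identity`);
  }
  if (has("AZURE_CLIENT_CERTIFICATE_PASSWORD") && !has("AZURE_CLIENT_CERTIFICATE_PATH")) {
    warnings.push("AZURE_CLIENT_CERTIFICATE_PASSWORD is set without AZURE_CLIENT_CERTIFICATE_PATH");
  }
  if (kind === "username-password") {
    warnings.push("username/password sign-in cannot satisfy MFA and is discouraged; prefer a service principal or workload identity");
  }
  return { kind, warnings };
}
```

Run it against `process.env` in a startup check or a CI step; a non-empty warnings list is worth failing the pipeline on, since every case it flags is a quiet change in which identity the process will end up using.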
Managed Identity

System-Assigned

```typescript
import { ManagedIdentityCredential } from "@azure/identity";
const credential = new ManagedIdentityCredential();
```

User-Assigned (by Client ID)

```typescript
import { ManagedIdentityCredential } from "@azure/identity";
const credential = new ManagedIdentityCredential({
  clientId: "<user-assigned-client-id>"
});
```

User-Assigned (by Resource ID)

```typescript
import { ManagedIdentityCredential } from "@azure/identity";
const credential = new ManagedIdentityCredential({
  resourceId: "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>"
});
```

On a host with several user-assigned identities, always name the one you mean with clientId or resourceId: an unqualified request goes to the system-assigned identity if there is one and otherwise fails, rather than picking an identity for you.

Service Principal
Client Secret

```typescript
import { ClientSecretCredential } from "@azure/identity";
const credential = new ClientSecretCredential(
  "<tenant-id>",
  "<client-id>",
  "<client-secret>"
);
```

Take the secret from a secret store or an injected environment variable, never from source. A client secret is copyable bearer material with a long lifetime; where you can, use the certificate form below or a federated credential instead.

Client Certificate
```typescript
import { ClientCertificateCredential } from "@azure/identity";
const credential = new ClientCertificateCredential(
  "<tenant-id>",
  "<client-id>",
  { certificatePath: "/path/to/cert.pem" }
);

// With a password-protected private key
const credentialWithPwd = new ClientCertificateCredential(
  "<tenant-id>",
  "<client-id>",
  {
    certificatePath: "/path/to/cert.pem",
    certificatePassword: "<password>"
  }
);
```

The PEM file must contain the private key as well as the certificate. Keep it out of the container image and mount it at runtime with restrictive permissions; the private key is what proves the application's identity.

Interactive Authentication
Browser-Based Login

```typescript
import { InteractiveBrowserCredential } from "@azure/identity";
const credential = new InteractiveBrowserCredential({
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  loginHint: "user@example.com"
});
```

Device Code Flow
```typescript
import { DeviceCodeCredential } from "@azure/identity";
const credential = new DeviceCodeCredential({
  clientId: "<client-id>",
  tenantId: "<tenant-id>",
  userPromptCallback: (info) => {
    console.log(info.message);
    // "To sign in, use a web browser to open..."
  }
});
```

Device code is for hosts without a browser (SSH sessions, headless machines). Because the user completes sign-in on a different device, the same flow is abused by phishing campaigns that relay a code to a victim; show the verification URL and code only to the operator who started the sign-in and never forward them.

Custom Credential Chain
```typescript
import {
  ChainedTokenCredential,
  ManagedIdentityCredential,
  AzureCliCredential
} from "@azure/identity";

// Try managed identity first, fall back to CLI
const credential = new ChainedTokenCredential(
  new ManagedIdentityCredential(),
  new AzureCliCredential()
);
```

A chained credential moves to the next source only when the current one is unavailable (no IMDS endpoint, no `az login` session). A hard rejection from the identity provider is surfaced to the caller, not skipped, so a broken service principal does not silently turn into a developer's CLI identity.
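The fallback rule described above, as an added example that is not the page's or @azure/identity's own code: a small `ChainedCredential` that mirrors what ChainedTokenCredential does (fall through only on CredentialUnavailableError, rethrow anything else), exercised with in-memory stand-in credentials so it runs without Azure. The two interfaces restate only the @azure/core-auth fields used here; the error class names match the real ones, while `StubCredential` and `runChain` are this example's own.

```typescript
// Added example: chain fallback semantics with offline stand-ins.
// ChainedCredential mirrors @azure/identity's ChainedTokenCredential rule;
// StubCredential and runChain are constructed for the demo.

interface AccessToken {
  token: string;
  expiresOnTimestamp: number;
}

interface TokenCredential {
  getToken(scopes: string | string[]): Promise<AccessToken | null>;
}

// The credential could not even try: no IMDS endpoint, no `az login` session.
class CredentialUnavailableError extends Error {
  constructor(message: string) { super(message); this.name = "CredentialUnavailableError"; }
}

// The identity provider was reached and said no (wrong secret, revoked cert,
// Conditional Access). Falling back here would hide the failure and could
// authenticate the process as a different identity than intended.
class AuthenticationError extends Error {
  constructor(message: string) { super(message); this.name = "AuthenticationError"; }
}

class AggregateAuthenticationError extends Error {
  constructor(errors: Error[]) {
    super(`no credential in the chain was available: ${errors.map((e) => e.message).join("; ")}`);
    this.name = "AggregateAuthenticationError";
  }
}

class ChainedCredential implements TokenCredential {
  private readonly sources: TokenCredential[];
  constructor(...sources: TokenCredential[]) { this.sources = sources; }

  async getToken(scopes: string | string[]): Promise<AccessToken | null> {
    const unavailable: Error[] = [];
    for (const source of this.sources) {
      try {
        const token = await source.getToken(scopes);
        if (token !== null) return token; // first success wins
      } catch (err) {
        if (err instanceof CredentialUnavailableError) {
          unavailable.push(err);
          continue; // this source cannot help on this host; try the next one
        }
        throw err; // a rejection is final: do not fall through
      }
    }
    throw new AggregateAuthenticationError(unavailable);
  }
}

// Stand-in credential for the demo (constructed; no network calls).
type Outcome = "ok" | "unavailable" | "rejected";

class StubCredential implements TokenCredential {
  calls = 0;
  private readonly label: string;
  private readonly outcome: Outcome;
  constructor(label: string, outcome: Outcome) { this.label = label; this.outcome = outcome; }

  async getToken(): Promise<AccessToken | null> {
    this.calls += 1;
    if (this.outcome === "ok") {
      return { token: `token-from-${this.label}`, expiresOnTimestamp: 1_700_000_000_000 + 3_600_000 };
    }
    if (this.outcome === "unavailable") {
      throw new CredentialUnavailableError(`${this.label}: not available on this host`);
    }
    throw new AuthenticationError(`${this.label}: client credentials rejected by the identity provider`);
  }
}

// Runs a two-credential chain and reports what the caller sees (token or
// error name) and whether the fallback credential was ever consulted.
async function runChain(first: Outcome, second: Outcome): Promise<{ result: string; fallbackCalls: number }> {
  const fallback = new StubCredential("Fallback", second);
  const chain = new ChainedCredential(new StubCredential("Primary", first), fallback);
  try {
    const token = await chain.getToken("https://management.azure.com/.default");
    return { result: token?.token ?? "null", fallbackCalls: fallback.calls };
  } catch (err) {
    return { result: (err as Error).name, fallbackCalls: fallback.calls };
  }
}
```

The distinction between the two error classes is the whole point: a chain that also swallowed AuthenticationError would let a misconfigured service principal in production degrade into whatever identity the next credential finds, and the only symptom would be requests succeeding with the wrong permissions.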
Developer Credentials
Azure CLI

```typescript
import { AzureCliCredential } from "@azure/identity";
const credential = new AzureCliCredential();
// Uses the session created by: az login
```

Azure Developer CLI

```typescript
import { AzureDeveloperCliCredential } from "@azure/identity";
const credential = new AzureDeveloperCliCredential();
// Uses the session created by: azd auth login
```

Azure PowerShell

```typescript
import { AzurePowerShellCredential } from "@azure/identity";
const credential = new AzurePowerShellCredential();
// Uses the session created by: Connect-AzAccount
```

These credentials shell out to the installed tool and return a token for whichever account is currently signed in there. They belong on developer machines; on a server they either fail or, worse, borrow an administrator's interactive session.

Sovereign Clouds
```typescript
import { ClientSecretCredential, AzureAuthorityHosts } from "@azure/identity";

// Azure Government
const credential = new ClientSecretCredential(
  "<tenant>", "<client>", "<secret>",
  { authorityHost: AzureAuthorityHosts.AzureGovernment }
);

// Azure China
const credentialChina = new ClientSecretCredential(
  "<tenant>", "<client>", "<secret>",
  { authorityHost: AzureAuthorityHosts.AzureChina }
);
```

The authority host only changes where tokens are issued. Service endpoints (storage, Key Vault, Resource Manager) and the token scopes for them differ per cloud as well and have to be set on the SDK client, or requests go to the public cloud with a token it will not accept.

Bearer Token Provider
```typescript
import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity";
const credential = new DefaultAzureCredential();

// Create a function that returns tokens
const getAccessToken = getBearerTokenProvider(
  credential,
  "https://cognitiveservices.azure.com/.default"
);

// Use with APIs that need bearer tokens
const token = await getAccessToken();
```

The returned function caches the token and refreshes it before expiry, so call it per request rather than storing the string. Request the narrowest scope for the resource you are calling: a token for one resource is not accepted by another, and writing it to a log is the same as logging a password for the token's lifetime.

Key Types
```typescript
import type {
  TokenCredential,
  AccessToken,
  GetTokenOptions
} from "@azure/core-auth";
import type { DefaultAzureCredentialOptions } from "@azure/identity";
import {
  DefaultAzureCredential,
  ManagedIdentityCredential,
  ClientSecretCredential,
  ClientCertificateCredential,
  InteractiveBrowserCredential,
  ChainedTokenCredential,
  AzureCliCredential,
  AzurePowerShellCredential,
  AzureDeveloperCliCredential,
  DeviceCodeCredential,
  AzureAuthorityHosts
} from "@azure/identity";
```

Custom Credential Implementation
```typescript
import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth";

class CustomCredential implements TokenCredential {
  async getToken(
    scopes: string | string[],
    options?: GetTokenOptions
  ): Promise<AccessToken | null> {
    // Custom token acquisition logic: obtain a token for exactly `scopes`
    // (and options.tenantId when set) and report the issuer's real expiry.
    return {
      token: "<access-token>",
      expiresOnTimestamp: Date.now() + 3600000
    };
  }
}
```

Any object with this getToken shape is accepted by every Azure SDK client, which is how you plug in a token broker, a proxy to a secrets service, or a test double. The placeholder above returns a fixed string; a real implementation must honour the requested scopes and tenant and return the issuer's expiry, because SDK clients rely on expiresOnTimestamp to decide when to refresh.
Debugging
```typescript
import { setLogLevel, AzureLogger } from "@azure/logger";
setLogLevel("verbose");

// Custom log handler
AzureLogger.log = (...args) => {
  console.log("[Azure]", ...args);
};
```

The same level can be set without a code change through the AZURE_LOG_LEVEL environment variable. Verbose output records every credential the chain tried and why it was skipped, which is exactly what you need when DefaultAzureCredential picks the wrong identity. Turn it off afterwards and review what your log handler forwards, since debug logs end up in shared log stores.

Best Practices
- Use DefaultAzureCredential - Works on a developer machine (CLI login) and in Azure (managed identity); constrain or replace it in production so the chain cannot pick up an unintended identity
- Never hardcode credentials - Take them from the environment or a secret store, or better, use a managed identity
- Prefer managed identity - No secret to rotate, leak, or copy in production
- Scope identities to the job - Use a user-assigned identity when several resources need the same role assignments, pass clientId or resourceId on hosts with more than one identity, and request tokens only for the resource being called
- Let the SDK handle token refresh - Do not cache token strings yourself, and never log them
- Use ChainedTokenCredential - For custom fallback, remembering that it falls through only when a credential is unavailable, not when authentication is rejected