I’ve been working in Microsoft Azure for about 6 years now and have done extensive scripting using a multitude of languages including Azure-CLI, PowerShell and Terraform. Having seen the many repos that Microsoft has open-sourced in GitHub with Python, I decided it was time to get back into Python development and start learning the Python SDK for Azure. This post aims to help anyone else wishing to learn more about the SDK, specifically how to get properly authenticated to your tenant in Azure.
Methods of Authentication
There are a few!
Note: I’m assuming this is being run in WSL2 or on a *nix-based system. Windows-based configuration is beyond the scope of this article.
To get started:
Now that you’ve got your environment variables set up to authenticate to Azure with an SPN, let’s go through the auth methods:
Regarding DefaultAzureCredential (e.g. when run in a deployment pipeline):
When code is deployed to and running on Azure, DefaultAzureCredential automatically uses the system-assigned managed identity (MSI) that you can enable for the app within whatever service is hosting it. Permissions for specific resources, such as Azure Storage or Azure Key Vault, are assigned to that identity using the Azure portal or the Azure CLI. In these cases, this Azure-managed identity maximizes security because you don't ever deal with an explicit service principal in your code.
Create a JSON file and keep it out of source control (e.g. add it to .gitignore), like so:
In your environment variables (e.g. in .zshrc or .bash_profile), tell your script where to find the JSON file created above.
Now that we have the env-vars and JSON file created, let’s try again:
We can use the same auth mechanism with a JSON dict, which is similar:
There are two libraries to use for the token authentication method to Azure with the Python SDK: azure.identity and azure.common. Note that:
azure.identity = newer libraries based on azure.core
azure.common = older libraries not based on azure.core
Since these methods are very similar (and to save some space…) I will show these in a single script.
Those are the primary methods to authenticate to Azure using the Python SDK. As always, ensure that none of your secrets end up in source code (especially that JSON file or dict). Always ensure your env-vars are secure, and if you’re using Azure DevOps Pipelines, use env-vars and secrets from Key Vault as much as possible to ensure your secrets don’t get exposed! Happy Coding!
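The JSON auth file step and the closing advice about keeping it out of source can be checked mechanically. The following is an added example, not code from the original post: a standard-library audit of the file's permissions, contents and .gitignore coverage. The function names are hypothetical, and the four key names are an assumption based on the `az ad sp create-for-rbac --sdk-auth` output format.

```python
import fnmatch
import json
import stat
from pathlib import Path

# Assumed key names (the `az ad sp create-for-rbac --sdk-auth` layout).
REQUIRED_KEYS = {"clientId", "clientSecret", "subscriptionId", "tenantId"}


def find_repo_root(path: Path):
    """Return the nearest parent directory containing .git, or None."""
    for parent in path.resolve().parents:
        if (parent / ".git").exists():
            return parent
    return None


def is_gitignored(path: Path, root: Path) -> bool:
    """Approximate check against the root .gitignore only (no negation,
    no nested ignore files); `git check-ignore` is the authoritative test."""
    ignore = root / ".gitignore"
    if not ignore.is_file():
        return False
    rel = path.resolve().relative_to(root).as_posix()
    for line in ignore.read_text().splitlines():
        pat = line.strip().lstrip("/")
        if pat and not pat.startswith(("#", "!")):
            if fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(path.name, pat):
                return True
    return False


def audit_auth_file(path) -> list:
    """Return a list of findings; an empty list means the file passed."""
    path, findings = Path(path), []
    if not path.is_file():
        return [f"{path}: not found"]
    if stat.S_IMODE(path.stat().st_mode) & 0o077:
        findings.append("readable by group/other; chmod 600")
    try:
        missing = REQUIRED_KEYS - set(json.loads(path.read_text()))
    except (ValueError, TypeError):
        missing = REQUIRED_KEYS
    if missing:
        findings.append("missing keys: " + ", ".join(sorted(missing)))
    root = find_repo_root(path)
    if root and not is_gitignored(path, root):
        findings.append("inside a git work tree but not in .gitignore")
    return findings
```

Pass it the same path your shell profile exports for the JSON file, and treat any non-empty result as a reason to stop before committing.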