I have previously used the Azure Python SDK module AADCredentials to authenticate a client such as SubscriptionClient from azure-mgmt-resource. As azure-identity is being rolled out, I find that I cannot use AADCredentials with azure-identity clients such as SecretClient to access a KeyVault. In a nutshell, I am trying to figure out a way to use an externally generated auth token for a service principal to create a credential that SecretClient can use without re-writing AADCredentials to add a get_token method e.g.
```python
from azure.keyvault.secrets import SecretClient
from msrestazure.azure_active_directory import AADTokenCredentials

vault_url = 'https://<vault-name>.vault.azure.net/'  # placeholder
token = {'tokenType': 'Bearer', 'accessToken': 'BLAH'}  # token obtained outside Python
client_id = '123'
cred = AADTokenCredentials(token, client_id=client_id)
secret_client = SecretClient(vault_url=vault_url, credential=cred)
# Errors with "'AADTokenCredentials' object has no attribute 'get_token'"
retrieved_secret = secret_client.get_secret('secretname')
```
I'm trying to do this so that Python does not get access to the service principal certificate and therefore cannot copy it elsewhere along with the password.
Any thoughts would be appreciated
azure-identity doesn't include an equivalent credential but there is a sample demonstrating how to write a custom credential that does the same thing (from the custom credentials sample):
```python
from azure.core.credentials import AccessToken


class StaticTokenCredential(object):
    """Authenticates with a previously acquired access token

    Note that an access token is valid only for certain resources and eventually expires.
    This credential is therefore quite limited. An application using it must ensure
    the token is valid and contains all claims required by any service client given an
    instance of this credential.
    """

    def __init__(self, access_token):
        # type: (Union[str, AccessToken]) -> None
        if isinstance(access_token, AccessToken):
            self._token = access_token
        else:
            # Setting expires_on in the past causes Azure SDK clients to call
            # get_token every time they need a token. You could adapt this class
            # to use the token's actual expires_on value, if you know it.
            self._token = AccessToken(token=access_token, expires_on=0)

    def get_token(self, *scopes, **kwargs):
        # type: (*str, **Any) -> AccessToken
        return self._token
```
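As an added illustration of the adaptation the sample's comment hints at (not code from the answer or from azure-identity): a credential that keeps the certificate out of the process by delegating to an external `fetch_token` callable (an assumed interface), reads the real `exp` claim so the SDK refreshes only near expiry, and falls back to a same-shaped `AccessToken` stand-in when azure-core is not installed.

```python
import base64
import json
import time
from typing import Callable, NamedTuple, Optional

try:
    from azure.core.credentials import AccessToken  # the SDK's (token, expires_on) tuple
except ImportError:  # stand-in with the same fields so the example runs without azure-core
    class AccessToken(NamedTuple):
        token: str
        expires_on: int


def jwt_expiry(token: str) -> int:
    """Return the 'exp' claim of a compact JWT. Only metadata is read; the signature
    is NOT verified here, so this decides *when* to refresh, not whether to trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class ExternalTokenCredential:
    """Hypothetical credential whose tokens are minted outside this process.

    `fetch_token` is any callable returning a bearer token string (for example a
    wrapper around a signing service that holds the service principal certificate).
    A new token is fetched `skew` seconds before expiry so clients never send a stale one.
    """

    def __init__(self, fetch_token: Callable[[], str], skew: int = 300) -> None:
        self._fetch = fetch_token
        self._skew = skew
        self._token: Optional[AccessToken] = None

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        now = int(time.time())
        if self._token is None or self._token.expires_on - self._skew <= now:
            raw = self._fetch()
            self._token = AccessToken(token=raw, expires_on=jwt_expiry(raw))
        return self._token


def make_sample_jwt(lifetime_seconds: int) -> str:
    """Constructed, UNSIGNED test token (fake signature part); never use outside tests."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    claims = {"aud": "https://vault.azure.net", "exp": int(time.time()) + lifetime_seconds}
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

Passing `credential=ExternalTokenCredential(fetch)` to `SecretClient` works because the client only calls `get_token(scope)`; the audience and claims must already be right in the token the external signer issues.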