-
Notifications
You must be signed in to change notification settings - Fork 844
Set up Your Environment for Authentication
- Configure
DefaultAzureCredential
- Creating a Service Principal with the Azure CLI
- Enable applications for device code flow
- Enable applications for interactive browser oauth 2 flow
- Enable applications for oauth 2 auth code flow
- Sign in Azure CLI for AzureCLICredential
- Enable managed identity for Azure resources
DefaultAzureCredential
supports configuration through the DefaultAzureCredentialOptions
and/or environment variables.
- Setting environment variables
AZURE_TENANT_ID
, andAZURE_CLIENT_ID
are necessary forDefaultAzureCredential
to begin checking the environment configuration and look for one of the following additional environment variables in order to authenticate:- Setting environment variable
AZURE_CLIENT_SECRET
configures theDefaultAzureCredential
to choose ClientSecretCredential. - Setting environment variable
AZURE_CLIENT_CERTIFICATE_PATH
configures theDefaultAzureCredential
to choose ClientCertificateCredential ifAZURE_CLIENT_SECRET
is not set. - Setting environment variable
AZURE_USERNAME
configures theDefaultAzureCredential
to choose UsernamePasswordCredential ifAZURE_CLIENT_SECRET
andAZURE_CLIENT_CERTIFICATE_PATH
are not set.
- Setting environment variable
Use the Azure CLI snippet below to create/get client secret credentials.
-
Create a service principal and configure its access to Azure resources:
az ad sp create-for-rbac -n <your-application-name> --skip-assignment
Output:
{ "appId": "generated-app-ID", "displayName": "dummy-app-name", "name": "http://dummy-app-name", "password": "random-password", "tenant": "tenant-ID" }
-
Run
az ad sp create-for-rbac -n <your-application-name> --skip-assignment --cert <cert-name> --create-cert
to create a service principal along with a certificate. -
Use the returned credentials above to set AZURE_CLIENT_ID(appId), AZURE_CLIENT_SECRET(password) and AZURE_TENANT_ID(tenant) environment variables.
In order to authenticate a user through device code flow, you need to go to Azure Active Directory on Azure Portal and find you app registration and enable the following 2 configurations:
This will let the application authenticate, but the application still doesn't have permission to log you into Active Directory, or access resources on your behalf. Open API Permissions, and enable Microsoft Graph, and the resources you want to access, e.g., Azure Service Management, Key Vault, etc:
Note that you also need to be the admin of your tenant to grant consent to your application when you login for the first time. Also note after 2018 your Active Directory may require your application to be multi-tenant. Select "Accounts in any organizational directory" under Authentication panel (where you enabled Device Code) to make your application a multi-tenant app.
You need to register an application in Azure Active Directory with permissions to login on behalf of a user to use InteractiveBrowserCredential. Follow all the steps above for device code flow to register your application to support logging you into Active Directory and access certain resources. Note the same limitations apply that an admin of your tenant must grant consent to your application before any user account can login.
You may notice in InteractiveBrowserCredentialOptions
, a port number can be specified, and you need to add the redirect URL on this page too:
In this case, the port number is 8765.
You need the same application registered as in Enable applications for interactive browser oauth 2 flow, except that the redirect URL must be an API endpoint on your web application where the auth code must be handled as a query parameter.
Sign in Azure CLI with command
az login
as a user, or
az login --service-principal --username <client-id> --password <client-secret> --tenant <tenant-id>
as a service principal.
If the account / service principal has access to multiple tenants, make sure the desired tenant or subscription is in the state "Enabled" in the output from command:
az account list
Before you use AzureCLICredential in the code, run
az account get-access-token
to verify the account has been successfully configured.
You may have to repeat this process after a certain period (usually a few weeks to a few months based on the refresh token validity configured in your organization). AzureCLICredential will prompt you to sign in again.
A system assigned managed identity is enabled by default in Azure Cloud Shell.
Go to Azure Portal and navigate to your resource. You should see an "Identity" tab:
You will be able to configure either system assigned or user assigned identities. For user assigned identities, the client ID of the managed identity must be used to create the ManagedIdentityCredential
or DefaultAzureCredential
.
Only user assigned identities are currently supported in AKS with the AAD Pod Identity plugin. Please follow the instructions in the repo as it may change between versions.