Hello!

I’ve been working on a script to log in to Azure and interact with some resources that have been deployed by Terraform. I want this script to run both locally on my machine and as part of a YAML pipeline. Initially I thought this was going to be quite tricky, in that I’d need to work out when to use the ClientSecretCredential and when to use one of the other authentication classes, like the AzureCliCredential or even the UsernamePasswordCredential. But while looking through these I came across DefaultAzureCredential, which claims to be “capable of handling most Azure SDK authentication scenarios.” I was really quite excited on reading this, as it is exactly what I want: to handle different methods of authentication without having to do the hard work of figuring this out myself.

The credentials are tried in a fixed order, and as soon as one of them provides a token the chain stops and makes no further requests. The individual credential classes are also public, so you can use any one of them directly if you want; however, I like the idea of using this helper class. The order, and the corresponding classes, are:

  1. A service principal configured by environment variables. See EnvironmentCredential for more details.

  2. An Azure managed identity. See ManagedIdentityCredential for more details.

  3. Windows-specific: a user who has signed in with a Microsoft application, such as Visual Studio. If multiple identities are in the cache, the value of the environment variable AZURE_USERNAME is used to select which identity to use. See SharedTokenCacheCredential for more details.

  4. The user currently signed in to Visual Studio Code. See VisualStudioCodeCredential for more details.

  5. The identity currently logged in to the Azure CLI. See AzureCliCredential for more details.

It’s worth noting that the EnvironmentCredential class can authenticate as either a service principal or as a user; the Azure .NET docs go into more detail. However, in the interests of full disclosure, I’ll add that I’ve struggled to get the login working with the username and password environment variables; rather confusingly you also need an Azure client ID set, and none of the ones I’ve tried have worked.
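Because the chain picks the first credential that yields a token, a pipeline run can silently authenticate as a developer's cached identity, and a local run can silently pick up leftover service-principal variables. The following added example (not code from the original post) pins the chain to what each run context should use and reports which EnvironmentCredential mode the variables describe, which is useful when debugging the client-ID confusion mentioned above. It assumes the real exclude_*_credential keyword arguments of DefaultAzureCredential; the pipeline detection via TF_BUILD/CI and the helper names are my own choices.

```python
"""Pin DefaultAzureCredential's chain to the run context (added example, not from the post)."""
import os
from typing import Dict, Mapping

# Variables EnvironmentCredential reads. Both forms need AZURE_CLIENT_ID, which is
# the part that is easy to miss for the username/password form.
SERVICE_PRINCIPAL_VARS = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET")
USER_PASSWORD_VARS = ("AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD")


def environment_credential_mode(env: Mapping[str, str]) -> str:
    """Report which EnvironmentCredential configuration the variables describe."""
    if all(env.get(name) for name in SERVICE_PRINCIPAL_VARS):
        return "service-principal"
    if all(env.get(name) for name in USER_PASSWORD_VARS):
        return "username-password"
    return "none"  # EnvironmentCredential will be skipped and the chain moves on


def running_in_pipeline(env: Mapping[str, str]) -> bool:
    """Heuristic (assumption): Azure Pipelines sets TF_BUILD=True, most other runners set CI=true."""
    return env.get("TF_BUILD", "").lower() == "true" or env.get("CI", "").lower() == "true"


def credential_options(env: Mapping[str, str]) -> Dict[str, bool]:
    """Keyword arguments for DefaultAzureCredential that fix the chain per run context."""
    if running_in_pipeline(env):
        # Pipeline: only non-interactive credentials. A developer's token cache or CLI login
        # on a shared agent must never be what the build authenticates as.
        return {
            "exclude_shared_token_cache_credential": True,
            "exclude_visual_studio_code_credential": True,
            "exclude_cli_credential": True,
        }
    # Local run: use the signed-in developer and ignore stray service-principal variables,
    # so a leftover AZURE_CLIENT_SECRET in a shell profile cannot quietly take over.
    return {
        "exclude_environment_credential": True,
        "exclude_managed_identity_credential": True,
    }


def build_credential(env: Mapping[str, str] = None):
    """Construct the credential; the SDK import is deferred so the policy above runs without it."""
    env = os.environ if env is None else env
    from azure.identity import DefaultAzureCredential  # public import path

    return DefaultAzureCredential(**credential_options(env))


if __name__ == "__main__":
    print("EnvironmentCredential mode:", environment_credential_mode(os.environ))
    print("Chain options:", credential_options(os.environ))
```

The selection functions are pure, so they can be unit-tested with a constructed environment mapping; only build_credential touches the SDK and the network.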

Anyway, my preference is for either the Azure CLI or the Visual Studio Code method. The CLI method is probably well known; the Visual Studio Code authentication uses the Azure Account extension. Install it, hit F1 to run the command Azure: Sign In (or Azure: Sign In with Device Code), and then Azure: Select Subscriptions if you have more than one.

The script below demonstrates how to use the credentials for both resource management and storage management.

from azure.identity import DefaultAzureCredential  # public import path; azure.identity._credentials is private
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.storage import StorageManagementClient

SUBSCRIPTION_ID = "111111111-2222-3333-444-555555555555"  # YOUR SUBSCRIPTION_ID

credentials = DefaultAzureCredential()

resource_client = ResourceManagementClient(credentials, SUBSCRIPTION_ID)

storage_client = StorageManagementClient(credentials, SUBSCRIPTION_ID)

# The first call that needs a token is what walks the credential chain.
storage_keys = storage_client.storage_accounts.list_keys(
    "BZZZT-IO-DEV-RG",  # resource group
    "BZZZTIODEV",  # storage account
)

# Account keys are secrets; avoid printing them in a pipeline, where stdout ends up in the build log.
print(storage_keys)

# _successful_credential is a private attribute and is only set once a token has been issued.
print(f"Successful credential: {credentials._successful_credential.__class__.__name__}")

I really like the straightforwardness of being able to handle multiple authentication scenarios with one class in my Python code. It makes the script much easier to test and run in several different ways.