Azure Identity Py
Azure Identity SDK for Python authentication. Use for DefaultAzureCredential, managed identity, service principals, and token caching. Triggers: "azure-identity", "DefaultAzureCredential", "authentication", "managed identity", "service principal", "credential".
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 1 · 1.7k · 0 current installs · 0 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, and instructions match: it's a usage guide for the Azure Identity SDK for Python. The examples and credential types shown are appropriate for that purpose. However, the metadata declares no required environment variables even though the README shows service-principal and managed-identity environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET).
Instruction Scope
SKILL.md only shows usage examples for DefaultAzureCredential and other Azure credentials and how to call get_token; it does not instruct the agent to read unrelated system files, post tokens to external endpoints, or perform actions outside of authentication usage. Examples reference environment variables (and os.environ) which is expected for this library.
Install Mechanism
This is an instruction-only skill with no install spec or code files. The document tells users to run `pip install azure-identity`, which is normal; nothing in the skill instructs downloading arbitrary or untrusted code.
Credentials
The SKILL.md shows and uses sensitive environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and user-assigned managed identity client IDs) but the skill metadata lists no required env vars or primary credential. That mismatch could lead an unsuspecting user or agent to provide secrets without realizing the skill expects them. The credential usage itself is appropriate for the described purpose, but the metadata omission reduces transparency about sensitive data needs.
Persistence & Privilege
The skill does not request persistent presence (always:false) and contains no instructions to modify other skills or system-wide configurations. Autonomous invocation is allowed by default on the platform but is not combined here with other elevated privileges.
What to consider before installing
This SKILL.md appears to be a straightforward guide for the official azure-identity Python SDK, but the skill metadata does not declare the sensitive environment variables the document uses. Before installing or enabling this skill: 1) Confirm the skill's source/author (no homepage or repository is provided). 2) Only provide AZURE_* credentials when you trust the skill and the runtime environment — avoid pasting secrets into chat. 3) Prefer managed identities in production (avoid long-lived client secrets). 4) Ask the skill author to declare required env vars in metadata so you can make an informed decision. 5) If an agent will run this skill autonomously, be extra cautious because obtained tokens could grant access to Azure resources; restrict the agent's Azure permissions (least privilege) and monitor token use.Like a lobster shell, security has layers — review code before you run it.
Current versionv0.1.0
Download ziplatest
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Azure Identity SDK for Python
Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
Installation
pip install azure-identity
Environment Variables
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>
# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
DefaultAzureCredential
The recommended credential for most scenarios. Tries multiple authentication methods in order:
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient
# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
account_url="https://<account>.blob.core.windows.net",
credential=credential
)
Credential Chain Order
| Order | Credential | Environment |
|---|---|---|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VMs, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with Azure extension |
| 6 | AzureCliCredential | az login |
| 7 | AzurePowerShellCredential | Connect-AzAccount |
| 8 | AzureDeveloperCliCredential | azd auth login |
Customizing DefaultAzureCredential
# Exclude credentials you don't need
credential = DefaultAzureCredential(
exclude_environment_credential=True,
exclude_shared_token_cache_credential=True,
managed_identity_client_id="<user-assigned-mi-client-id>" # For user-assigned MI
)
# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
exclude_interactive_browser_credential=False
)
Specific Credential Types
ManagedIdentityCredential
For Azure-hosted resources (VMs, App Service, Functions, AKS):
from azure.identity import ManagedIdentityCredential
# System-assigned managed identity
credential = ManagedIdentityCredential()
# User-assigned managed identity
credential = ManagedIdentityCredential(
client_id="<user-assigned-mi-client-id>"
)
ClientSecretCredential
For service principal with secret:
from azure.identity import ClientSecretCredential
credential = ClientSecretCredential(
tenant_id=os.environ["AZURE_TENANT_ID"],
client_id=os.environ["AZURE_CLIENT_ID"],
client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
AzureCliCredential
Uses the account from az login:
from azure.identity import AzureCliCredential
credential = AzureCliCredential()
ChainedTokenCredential
Custom credential chain:
from azure.identity import (
ChainedTokenCredential,
ManagedIdentityCredential,
AzureCliCredential
)
# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
AzureCliCredential()
)
Credential Types Table
| Credential | Use Case | Auth Method |
|---|---|---|
DefaultAzureCredential | Most scenarios | Auto-detect |
ManagedIdentityCredential | Azure-hosted apps | Managed Identity |
ClientSecretCredential | Service principal | Client secret |
ClientCertificateCredential | Service principal | Certificate |
AzureCliCredential | Local development | Azure CLI |
AzureDeveloperCliCredential | Local development | Azure Developer CLI |
InteractiveBrowserCredential | User sign-in | Browser OAuth |
DeviceCodeCredential | Headless/SSH | Device code flow |
Getting Tokens Directly
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")
# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
Async Client
from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient
async def main():
credential = DefaultAzureCredential()
async with BlobServiceClient(
account_url="https://<account>.blob.core.windows.net",
credential=credential
) as client:
# ... async operations
pass
await credential.close()
Best Practices
- Use DefaultAzureCredential for code that runs locally and in Azure
- Never hardcode credentials — use environment variables or managed identity
- Prefer managed identity in production Azure deployments
- Use ChainedTokenCredential when you need a custom credential order
- Close async credentials explicitly or use context managers
- Set AZURE_CLIENT_ID for user-assigned managed identities
- Exclude unused credentials to speed up authentication
Files
1 totalSelect a file
Select a file to preview.
Comments
Loading comments…