--- name: azure-identity-ts description: Authenticate to Azure services using Azure Identity SDK for JavaScript (@azure/identity). Use when configuring authentication with DefaultAzureCredential, managed identity, service principals, or interactive browser login. package: @azure/identity --- # Azure Identity SDK for TypeScript Authenticate to Azure services with various credential types. ## Installation ```bash npm install @azure/identity ``` ## Environment Variables ### Service Principal (Secret) ```bash AZURE_TENANT_ID= AZURE_CLIENT_ID= AZURE_CLIENT_SECRET= ``` ### Service Principal (Certificate) ```bash AZURE_TENANT_ID= AZURE_CLIENT_ID= AZURE_CLIENT_CERTIFICATE_PATH=/path/to/cert.pem AZURE_CLIENT_CERTIFICATE_PASSWORD= ``` ### Workload Identity (Kubernetes) ```bash AZURE_TENANT_ID= AZURE_CLIENT_ID= AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/tokens/azure-identity ``` ## DefaultAzureCredential (Recommended) ```typescript import { DefaultAzureCredential } from "@azure/identity"; const credential = new DefaultAzureCredential(); // Use with any Azure SDK client import { BlobServiceClient } from "@azure/storage-blob"; const blobClient = new BlobServiceClient( "https://.blob.core.windows.net", credential ); ``` **Credential Chain Order:** 1. EnvironmentCredential 2. WorkloadIdentityCredential 3. ManagedIdentityCredential 4. VisualStudioCodeCredential 5. AzureCliCredential 6. AzurePowerShellCredential 7. AzureDeveloperCliCredential ## Managed Identity ### System-Assigned ```typescript import { ManagedIdentityCredential } from "@azure/identity"; const credential = new ManagedIdentityCredential(); ``` ### User-Assigned (by Client ID) ```typescript const credential = new ManagedIdentityCredential({ clientId: "" }); ``` ### User-Assigned (by Resource ID) ```typescript const credential = new ManagedIdentityCredential({ resourceId: "/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/" }); ``` ## Service Principal ### Client Secret ```typescript import { ClientSecretCredential } from "@azure/identity"; const credential = new ClientSecretCredential( "", "", "" ); ``` ### Client Certificate ```typescript import { ClientCertificateCredential } from "@azure/identity"; const credential = new ClientCertificateCredential( "", "", { certificatePath: "/path/to/cert.pem" } ); // With password const credentialWithPwd = new ClientCertificateCredential( "", "", { certificatePath: "/path/to/cert.pem", certificatePassword: "" } ); ``` ## Interactive Authentication ### Browser-Based Login ```typescript import { InteractiveBrowserCredential } from "@azure/identity"; const credential = new InteractiveBrowserCredential({ clientId: "", tenantId: "", loginHint: "user@example.com" }); ``` ### Device Code Flow ```typescript import { DeviceCodeCredential } from "@azure/identity"; const credential = new DeviceCodeCredential({ clientId: "", tenantId: "", userPromptCallback: (info) => { console.log(info.message); // "To sign in, use a web browser to open..." } }); ``` ## Custom Credential Chain ```typescript import { ChainedTokenCredential, ManagedIdentityCredential, AzureCliCredential } from "@azure/identity"; // Try managed identity first, fall back to CLI const credential = new ChainedTokenCredential( new ManagedIdentityCredential(), new AzureCliCredential() ); ``` ## Developer Credentials ### Azure CLI ```typescript import { AzureCliCredential } from "@azure/identity"; const credential = new AzureCliCredential(); // Uses: az login ``` ### Azure Developer CLI ```typescript import { AzureDeveloperCliCredential } from "@azure/identity"; const credential = new AzureDeveloperCliCredential(); // Uses: azd auth login ``` ### Azure PowerShell ```typescript import { AzurePowerShellCredential } from "@azure/identity"; const credential = new AzurePowerShellCredential(); // Uses: Connect-AzAccount ``` ## Sovereign Clouds ```typescript import { ClientSecretCredential, AzureAuthorityHosts } from "@azure/identity"; // Azure Government const credential = new ClientSecretCredential( "", "", "", { authorityHost: AzureAuthorityHosts.AzureGovernment } ); // Azure China const credentialChina = new ClientSecretCredential( "", "", "", { authorityHost: AzureAuthorityHosts.AzureChina } ); ``` ## Bearer Token Provider ```typescript import { DefaultAzureCredential, getBearerTokenProvider } from "@azure/identity"; const credential = new DefaultAzureCredential(); // Create a function that returns tokens const getAccessToken = getBearerTokenProvider( credential, "https://cognitiveservices.azure.com/.default" ); // Use with APIs that need bearer tokens const token = await getAccessToken(); ``` ## Key Types ```typescript import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth"; import { DefaultAzureCredential, DefaultAzureCredentialOptions, ManagedIdentityCredential, ClientSecretCredential, ClientCertificateCredential, InteractiveBrowserCredential, ChainedTokenCredential, AzureCliCredential, AzurePowerShellCredential, AzureDeveloperCliCredential, DeviceCodeCredential, AzureAuthorityHosts } from "@azure/identity"; ``` ## Custom Credential Implementation ```typescript import type { TokenCredential, AccessToken, GetTokenOptions } from "@azure/core-auth"; class CustomCredential implements TokenCredential { async getToken( scopes: string | string[], options?: GetTokenOptions ): Promise { // Custom token acquisition logic return { token: "", expiresOnTimestamp: Date.now() + 3600000 }; } } ``` ## Debugging ```typescript import { setLogLevel, AzureLogger } from "@azure/logger"; setLogLevel("verbose"); // Custom log handler AzureLogger.log = (...args) => { console.log("[Azure]", ...args); }; ``` ## Best Practices 1. **Use DefaultAzureCredential** - Works in development (CLI) and production (managed identity) 2. **Never hardcode credentials** - Use environment variables or managed identity 3. **Prefer managed identity** - No secrets to manage in production 4. **Scope credentials appropriately** - Use user-assigned identity for multi-tenant scenarios 5. **Handle token refresh** - Azure SDK handles this automatically 6. **Use ChainedTokenCredential** - For custom fallback scenarios