
## About

Authentication for the Azure Identity Python SDK. Covers DefaultAzureCredential, managed identity, service principals and token caching.

```yaml
name: azure-identity-py
description: Azure Identity SDK authentication for Python. Use for DefaultAzureCredential, managed identity, service principals and token caching.
risk: unknown
source: community
date_added: '2026-02-27'
```
# Azure Identity SDK for Python

Library that provides Microsoft Entra ID (formerly Azure AD) authentication for Azure SDK clients.

## Installation

```bash
pip install azure-identity
```
## Environment variables

```bash
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```
## DefaultAzureCredential

The recommended credential for most scenarios. It tries several authentication methods in order:

```python
from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()
client = BlobServiceClient(
    account_url="https://<account>.blob.core.windows.net",
    credential=credential
)
```
### Credential chain order

| Order | Credential | Environment |
|-------|------------|-------------|
| 1 | EnvironmentCredential | CI/CD, containers |
| 2 | WorkloadIdentityCredential | Kubernetes |
| 3 | ManagedIdentityCredential | Azure VM, App Service, Functions |
| 4 | SharedTokenCacheCredential | Windows only |
| 5 | VisualStudioCodeCredential | VS Code with the Azure extension |
| 6 | AzureCliCredential | az login |
| 7 | AzurePowerShellCredential | Connect-AzAccount |
| 8 | AzureDeveloperCliCredential | azd auth login |
### Customizing DefaultAzureCredential

```python
from azure.identity import DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="<user-assigned-mi-client-id>"
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)
```
## Specific credential types

### ManagedIdentityCredential

For Azure-hosted resources (VM, App Service, Functions, AKS):

```python
from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="<user-assigned-mi-client-id>"
)
```
### ClientSecretCredential

For a service principal with a client secret:

```python
import os

from azure.identity import ClientSecretCredential

# Read the secret from the environment; never hard-code it
credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)
```
### AzureCliCredential

Uses the account signed in with az login:

```python
from azure.identity import AzureCliCredential

credential = AzureCliCredential()
```
### ChainedTokenCredential

A custom credential chain:

```python
from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="<user-assigned-mi-client-id>"),
    AzureCliCredential()
)
```
## Credential type table

| Credential | Use case | Auth method |
|------------|----------|-------------|
| DefaultAzureCredential | Most scenarios | Auto-detected |
| ManagedIdentityCredential | Azure-hosted apps | Managed identity |
| ClientSecretCredential | Service principal | Client secret |
| ClientCertificateCredential | Service principal | Certificate |
| AzureCliCredential | Local development | Azure CLI |
| AzureDeveloperCliCredential | Local development | Azure Developer CLI |
| InteractiveBrowserCredential | User sign-in | Browser OAuth |
| DeviceCodeCredential | Headless/SSH | Device code flow |
## Getting a token directly

```python
from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")  # log the expiry, never the token itself

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")
```
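When you call `get_token` directly instead of going through an SDK client (whose request pipeline refreshes tokens for you), the caller owns caching and refresh. The following is an added example, not code from the page or the SDK: a per-scope cache that refreshes a token before it reaches its expiry margin. `AccessToken` mirrors the two fields of `azure.core.credentials.AccessToken` and `CountingCredential` is a constructed stand-in for a real credential (both assumptions, so the code runs without the azure packages); in real code the wrapped object would be a `DefaultAzureCredential`.

```python
import time
from typing import Callable, NamedTuple


class AccessToken(NamedTuple):
    # Same fields as azure.core.credentials.AccessToken (local stand-in so it runs offline)
    token: str
    expires_on: int  # POSIX timestamp


class CachingCredential:
    """Wrap any credential and reuse its token per scope until close to expiry."""

    def __init__(self, inner, refresh_margin: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        self._inner, self._margin, self._clock = inner, refresh_margin, clock
        self._cache: dict[tuple[str, ...], AccessToken] = {}

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        key = tuple(sorted(scopes))
        cached = self._cache.get(key)
        # Refresh early so a token is never handed out that expires mid-request.
        if cached is None or cached.expires_on - self._clock() < self._margin:
            cached = self._inner.get_token(*scopes, **kwargs)
            self._cache[key] = cached
        return cached


class CountingCredential:
    """Constructed stand-in for a real credential; counts token-endpoint hits."""

    def __init__(self, clock: Callable[[], float], lifetime: int = 3600) -> None:
        self.calls, self._clock, self._lifetime = 0, clock, lifetime

    def get_token(self, *scopes: str, **kwargs) -> AccessToken:
        self.calls += 1
        # Placeholder value only; never log or print a real token.
        return AccessToken(f"placeholder-{self.calls}", int(self._clock()) + self._lifetime)


def demo(now: float = 1_700_000_000.0) -> tuple[int, int]:
    # Returns (calls after two immediate requests, calls after the clock nears expiry)
    clock = [now]
    inner = CountingCredential(clock=lambda: clock[0])
    cred = CachingCredential(inner, refresh_margin=300, clock=lambda: clock[0])
    scope = "https://management.azure.com/.default"
    for _ in range(2):
        cred.get_token(scope)    # second call is served from the cache
    first = inner.calls
    clock[0] += 3600 - 200       # now inside the 300 s refresh margin
    cred.get_token(scope)        # forces a refresh
    return first, inner.calls
```

`demo()` returns `(1, 2)`: one token request covers both immediate calls, and the third call, made inside the refresh margin, triggers a second request.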
## Async clients

```python
import asyncio

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient


async def main():
    credential = DefaultAzureCredential()
    async with BlobServiceClient(
        account_url="https://<account>.blob.core.windows.net",
        credential=credential
    ) as client:
        pass
    # Async credentials hold an HTTP session; close it when done
    await credential.close()


asyncio.run(main())
```
## Best practices

- Use DefaultAzureCredential for code that runs both locally and in Azure
- Never hard-code credentials; use environment variables or managed identity
- Prefer managed identity for Azure-hosted apps
- Use ChainedTokenCredential when you need a custom fallback order
- Close async credentials with `await credential.close()` or `async with`
## Limitations

- Use this skill only when the task clearly matches the scope described above.
- Do not treat the output as a substitute for environment-specific validation, testing or expert review.
- If required inputs, permissions, security boundaries or success criteria are missing, stop and ask for clarification.

