AzurePipelinesCredential Class
Authenticates using Microsoft Entra Workload ID in Azure Pipelines.
This credential enables authentication in Azure Pipelines using workload identity federation for Azure service connections.
- Inheritance
-
builtins.objectAzurePipelinesCredential
Constructor
AzurePipelinesCredential(*, tenant_id: str, client_id: str, service_connection_id: str, system_access_token: str, **kwargs: Any)Keyword-Only Parameters
| Name | Description |
|---|---|
|
tenant_id
|
The tenant ID for the service connection. Required. |
|
client_id
|
The client ID for the service connection. Required. |
|
service_connection_id
|
The service connection ID for the service connection associated with the pipeline. From the service connection's configuration page URL in the Azure DevOps web portal, the ID is the value of the "resourceId" query parameter. Required. |
|
system_access_token
|
The pipeline's System.AccessToken value. It is recommended to assign the value of System.AccessToken to a secure variable in the Azure Pipelines environment. See https://learn.microsoft.com/azure/devops/pipelines/build/variables#systemaccesstoken for more info. Required. |
|
authority
|
Authority of a Microsoft Entra endpoint, for example "login.microsoftonline.com", the authority for Azure Public Cloud (which is the default). AzureAuthorityHosts defines authorities for other clouds. |
|
additionally_allowed_tenants
|
Specifies tenants in addition to the specified "tenant_id" for which the credential may acquire tokens. Add the wildcard value "*" to allow the credential to acquire tokens for any tenant the application can access. |
Examples
Create an AzurePipelinesCredential.
import os
from azure.identity import AzurePipelinesCredential
credential = AzurePipelinesCredential(
system_access_token=os.environ["SYSTEM_ACCESSTOKEN"],
tenant_id="<tenant_id>",
client_id="<client_id>",
service_connection_id="<service_connection_id>",
)
Methods
| close |
Close the credential's transport session. |
| get_token |
Request an access token for scopes. This method is called automatically by Azure SDK clients. |
| get_token_info |
Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
close
Close the credential's transport session.
close() -> Noneget_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessTokenParameters
| Name | Description |
|---|---|
|
scopes
Required
|
desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
claims
|
additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. |
|
tenant_id
|
optional tenant to include in the token request. |
|
enable_cae
|
indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. |
Returns
| Type | Description |
|---|---|
|
An access token with the desired scopes. |
Exceptions
| Type | Description |
|---|---|
|
the credential is unable to attempt authentication because it lacks required data, state, or platform support |
|
|
authentication failed. The error's |
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfoParameters
| Name | Description |
|---|---|
|
scopes
Required
|
desired scope for the access token. This method requires at least one scope. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description |
|---|---|
|
options
|
A dictionary of options for the token request. Unknown options will be ignored. Optional. |
Returns
| Type | Description |
|---|---|
|
<xref:AccessTokenInfo>
|
An AccessTokenInfo instance containing information about the token. |
Exceptions
| Type | Description |
|---|---|
|
authentication failed. The error's |
Azure SDK for Python