Skip to content

[Identity] Update AZURE_TOKEN_CREDENTIALS to allow specific creds #41709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 10, 2025
Merged

[Identity] Update AZURE_TOKEN_CREDENTIALS to allow specific creds #41709

merged 4 commits into from
Jul 10, 2025

Conversation

pvaneck
Copy link
Member

@pvaneck pvaneck commented Jun 21, 2025
edited
Loading

Now, users of DefaultAzureCredential can specify a specific credential in the DAC chain when using the AZURE_TOKEN_CREDENTIALS environment variable.

  • If a user specifies a specific credential in the chain, then that will be the only credential in the chain.
  • For credentials excluded by default (e.g. InteractiveBrowserCredential), if that credential is set in the env var, then its inclusion will be prioritized. For example, AZURE_TOKEN_CREDENTIALS=InteractiveBrowserCredential will make DefaultAzureCredential() use InteractiveBrowserCredential.
  • If a user explicitly sets an exclusion keyword argument corresponding to the credential set in the env var, then its value will take precedence over the env var. For example: 
    AZURE_TOKEN_CREDENTIALS=EnvironmentCredential

# The following will raise a ValueError since no credentials are in the chain.
credential = DefaultAzureCredential(exclude_environment_credential=True)

Closes: #39784

@pvaneck
[Identity] Update AZURE_TOKEN_CREDENTIALs to allow specific creds
ad8d6ce 
Now users of DefaultAzureCredential can specify a specific credential in
the DAC chain when using the AZURE_TOKEN_CREDENTIALS environment variable.

Signed-off-by: Paul Van Eck <[email protected]>
@pvaneck pvaneck force-pushed the identity-phase-2 branch from 0eec386 to ad8d6ce Compare June 27, 2025 01:59
@pvaneck pvaneck marked this pull request as ready for review June 27, 2025 02:38
@Copilot Copilot AI review requested due to automatic review settings June 27, 2025 02:38
@pvaneck pvaneck requested review from xiangyan99 and a team as code owners June 27, 2025 02:38
Copilot
Copilot AI reviewed Jun 27, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enables users to select a specific credential within DefaultAzureCredential by setting the AZURE_TOKEN_CREDENTIALS environment variable, refactors the credential-exclusion logic into a reusable helper, adds comprehensive tests for both async and sync chains, and updates versioning and metadata to reflect the new beta release.

  • Introduced process_credential_exclusions in internal utils and wired it into async & sync DefaultAzureCredential constructors.
  • Expanded test coverage for async and sync chains to validate specific credential selection, case-insensitivity, invalid values, and user overrides.
  • Updated package metadata (setup.py classifier, version, changelog) for the 1.24.0b1 beta release.

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
sdk/identity/azure-identity/tests/test_token_credentials_env_async.py Added async tests covering specific credential selection via env var.
sdk/identity/azure-identity/tests/test_token_credentials_env.py Added sync tests covering specific credential selection via env var.
sdk/identity/azure-identity/setup.py Changed development status classifier to Beta.
sdk/identity/azure-identity/azure/identity/aio/_credentials/default.py Refactored async DefaultAzureCredential to use process_credential_exclusions.
sdk/identity/azure-identity/azure/identity/_credentials/default.py Refactored sync DefaultAzureCredential to use process_credential_exclusions.
sdk/identity/azure-identity/azure/identity/_internal/utils.py Introduced process_credential_exclusions helper for managing exclusions.
sdk/identity/azure-identity/azure/identity/_internal/init.py Exported process_credential_exclusions in internal package init.
sdk/identity/azure-identity/azure/identity/_version.py Bumped version to 1.24.0b1.
sdk/identity/azure-identity/CHANGELOG.md Documented new AZURE_TOKEN_CREDENTIALS feature and version update.
Comments suppressed due to low confidence (2)

sdk/identity/azure-identity/azure/identity/aio/_credentials/default.py:128

  • The class docstring for DefaultAzureCredential should include a description of the new AZURE_TOKEN_CREDENTIALS environment variable and how it controls which credential is used, ensuring users know how to configure this feature.
        # Define credential configuration mapping (async version)

sdk/identity/azure-identity/azure/identity/_credentials/default.py:136

  • Add documentation in the class docstring to explain the supported values of AZURE_TOKEN_CREDENTIALS and how the exclusion flags interact, so the sync DefaultAzureCredential API matches its behavior.
        # Define credential configuration mapping

@pvaneck pvaneck changed the title [Identity] Update AZURE_TOKEN_CREDENTIALs to allow specific creds [Identity] Update AZURE_TOKEN_CREDENTIALS to allow specific creds Jun 27, 2025
chlowell
chlowell reviewed Jun 27, 2025
View reviewed changes
xiangyan99
xiangyan99 reviewed Jul 1, 2025
View reviewed changes
@joshfree joshfree moved this from Untriaged to In Progress in Azure Identity SDK Improvements Jul 1, 2025
@pvaneck
update changelog + readme
f2cfc61 
Signed-off-by: Paul Van Eck <[email protected]>
scottaddie
scottaddie reviewed Jul 8, 2025
View reviewed changes
chlowell
chlowell reviewed Jul 8, 2025
View reviewed changes
@pvaneck
Test and doc updates
8e9c61d 
Signed-off-by: Paul Van Eck <[email protected]>
@pvaneck pvaneck force-pushed the identity-phase-2 branch from f5786b8 to 8e9c61d Compare July 8, 2025 22:22
xiangyan99
xiangyan99 reviewed Jul 9, 2025
View reviewed changes
@pvaneck pvaneck merged commit fb3837b into Azure:main Jul 10, 2025
20 checks passed
@pvaneck pvaneck deleted the identity-phase-2 branch July 10, 2025 21:46
@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure Identity SDK Improvements Jul 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scottaddie scottaddie scottaddie left review comments

@xiangyan99 xiangyan99 xiangyan99 left review comments

Copilot code review Copilot Copilot left review comments

@joshfree joshfree joshfree approved these changes

@chlowell chlowell chlowell approved these changes

@maorleger maorleger Awaiting requested review from maorleger maorleger is a code owner automatically assigned from Azure/azure-sdk-write-identity

@christothes christothes Awaiting requested review from christothes christothes is a code owner automatically assigned from Azure/azure-sdk-write-identity

@KarishmaGhiya KarishmaGhiya Awaiting requested review from KarishmaGhiya KarishmaGhiya is a code owner automatically assigned from Azure/azure-sdk-write-identity

@minhanh-phan minhanh-phan Awaiting requested review from minhanh-phan minhanh-phan is a code owner automatically assigned from Azure/azure-sdk-write-identity

Assignees

@pvaneck pvaneck

Labels
Azure.Identity
Projects
Azure Identity SDK Improvements
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

AZURE_TOKEN_CREDENTIALS Phase-2
5 participants
@pvaneck @joshfree @scottaddie @chlowell @xiangyan99