@azure/identity

This library simplifies authentication against Azure Active Directory for Azure SDK libraries. It provides a set of TokenCredential implementations which can be passed into SDK libraries to authenticate API requests. It supports token authentication using an Azure Active Directory service principal or managed identity.

• an Azure subscription
• Node.js 8 LTS or higher

Install Azure Identity with npm:

npm install --save @azure/identity

If this is your first time using @azure/identity or the Microsoft identity platform (Azure Active Directory), we recommend that you read Using @azure/identity with Microsoft Identity Platform first. This document will give you a deeper understanding of the platform and how to configure your Azure account correctly.

Azure Identity offers a variety of credential classes that are accepted by Azure SDK data plane clients. Each client library documents its Azure Identity integration in its README and samples. Azure SDK management plane libraries (those starting with @azure/arm-*) do not accept these credentials.

Credentials differ mostly in configuration:

Credentials can be chained and tried in turn until one succeeds; see chaining credentials for details.

DefaultAzureCredential is appropriate for most scenarios. It supports authenticating as a service principal or managed identity. To authenticate as a service principal, provide configuration in environment variables as described in the next section. Currently this credential attempts to use the EnvironmentCredential and ManagedIdentityCredential, in that order.

Authenticating as a managed identity requires no configuration, but does require platform support. See the managed identity documentation for more information.

DefaultAzureCredential and EnvironmentCredential are configured for service principal authentication with these environment variables:

const { KeyClient } = require("@azure/keyvault-keys");const { DefaultAzureCredential } = require("@azure/identity");const credential = new DefaultAzureCredential();const client = new KeyClient(vaultUrl, credential);const getResult = await client.getKey("MyKeyName");

const { ClientSecretCredential } = require("@azure/identity");const credential = new ClientSecretCredential(tenantId, clientId, clientSecret);const { ClientCertificateCredential } = require("@azure/identity");const credential = new ClientCertificateCredential( tenantId, clientId, "/app/certs/certificate.pem");const { EnvironmentCredential } = require("@azure/identity");const credential = new EnvironmentCredential();

The AuthorizationCodeCredential takes more up-front work to use than the other credential types at this time. A full sample demonstrating how to use this credential can be found in samples/authorizationCodeSample.ts.

const { ClientSecretCredential, ChainedTokenCredential } = require("@azure/identity");const firstCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);const secondCredential = new ClientSecretCredential(tenantId, anotherClientId, anotherSecret);const credentialChain = new ChainedTokenCredential(firstCredential, secondCredential);const { KeysClient } = require("@azure/keyvault-keys");const client = new KeysClient(vaultUrl, credentialChain);

Credentials raise AuthenticationError when they fail to authenticate. This class has a message field which describes why authentication failed. An AggregateAuthenticationError will be raised by ChainedTokenCredential with an errors field containing an array of errors from each credential in the chain.

API documentation for this library can be found on our documentation site.

If you encounter bugs or have suggestions, please open an issue.

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit .

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

If you'd like to contribute to this library, please read the contributing guide to learn more about how to build and test the code.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQor contact with any additional questions or comments.