azidentity – github.com/Azure/azure-sdk-for-go/sdk/azidentity Index | Examples | Files

package azidentity

import "github.com/Azure/azure-sdk-for-go/sdk/azidentity"

Index

Examples

Constants 

const EventAuthentication log.Event = "Authentication"

EventAuthentication entries contain information about authentication. This includes information like the names of environment variables used when obtaining credentials and the type of credential used.

Functions

func ParseCertificates 

func ParseCertificates(certData []byte, password []byte) ([]*x509.Certificate, crypto.PrivateKey, error)

ParseCertificates loads certificates and a private key for use with NewClientCertificateCredential. certData: certificate data encoded in PEM or PKCS12 format, including the certificate's private key. password: the password required to decrypt the private key. Pass nil if the key is not encrypted. This function can't decrypt keys in PEM format.

Types

type AuthenticationFailedError 

type AuthenticationFailedError struct {

	// RawResponse is the HTTP response motivating the error, if available.
	RawResponse *http.Response
	// contains filtered or unexported fields
}

AuthenticationFailedError indicates an authentication request has failed.

func (AuthenticationFailedError) Error 

func (e AuthenticationFailedError) Error() string

Error implements the error interface for type ResponseError. Note that the message contents are not contractual and can change over time.

func (AuthenticationFailedError) NonRetriable 

func (AuthenticationFailedError) NonRetriable()

NonRetriable indicates that this error should not be retried.

type AuthorizationCodeCredential 

type AuthorizationCodeCredential struct {
	// contains filtered or unexported fields
}

AuthorizationCodeCredential authenticates by redeeming an authorization code previously obtained from Azure Active Directory. The authorization code flow is described in more detail in Azure Active Directory documentation: https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-auth-code-flow

func NewAuthorizationCodeCredential 

func NewAuthorizationCodeCredential(tenantID string, clientID string, authCode string, redirectURL string, options *AuthorizationCodeCredentialOptions) (*AuthorizationCodeCredential, error)

NewAuthorizationCodeCredential constructs an AuthorizationCodeCredential. tenantID: The application's Azure Active Directory tenant or directory ID. clientID: The application's client ID. authCode: The authorization code received from the authorization code flow. Note that authorization codes are single-use. redirectURL: The application's redirect URL. Must match the redirect URL used to request the authorization code. options: Optional configuration. Pass nil to accept default settings.

func (*AuthorizationCodeCredential) GetToken 

func (c *AuthorizationCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory by redeeming the authorization code. This method is called automatically by Azure SDK clients. ctx: Context controlling the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type AuthorizationCodeCredentialOptions 

type AuthorizationCodeCredentialOptions struct {
	azcore.ClientOptions

	// ClientSecret is one of the application's client secrets.
	ClientSecret string
}

AuthorizationCodeCredentialOptions contains optional parameters for AuthorizationCodeCredential.

type AzureCLICredential 

type AzureCLICredential struct {
	// contains filtered or unexported fields
}

AzureCLICredential authenticates as the identity logged in to the Azure CLI.

func NewAzureCLICredential 

func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredential, error)

NewAzureCLICredential constructs an AzureCLICredential. options: Optional configuration. Pass nil to accept default settings.

func (*AzureCLICredential) GetToken 

func (c *AzureCLICredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI. This method is called automatically by Azure SDK clients. ctx: Context controlling the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type AzureCLICredentialOptions 

type AzureCLICredentialOptions struct {

	// TenantID identifies the tenant the credential should authenticate in.
	// Defaults to the CLI's default tenant, which is typically the home tenant of the logged in user.
	TenantID string
	// contains filtered or unexported fields
}

AzureCLICredentialOptions contains optional parameters for AzureCLICredential.

type ChainedTokenCredential 

type ChainedTokenCredential struct {
	// contains filtered or unexported fields
}

ChainedTokenCredential is a chain of credentials that enables fallback behavior when a credential can't authenticate. By default, this credential will assume that the first successful credential should be the only credential used on future requests. If the `RetrySources` option is set to true, it will always try to get a token using all of the originally provided credentials.

func NewChainedTokenCredential 

func NewChainedTokenCredential(sources []azcore.TokenCredential, options *ChainedTokenCredentialOptions) (*ChainedTokenCredential, error)

NewChainedTokenCredential creates a ChainedTokenCredential. sources: Credential instances to comprise the chain. GetToken() will invoke them in the given order. options: Optional configuration. Pass nil to accept default settings.

func (*ChainedTokenCredential) GetToken 

func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken calls GetToken on the chained credentials in turn, stopping when one returns a token. This method is called automatically by Azure SDK clients. ctx: Context controlling the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type ChainedTokenCredentialOptions 

type ChainedTokenCredentialOptions struct {
	// RetrySources configures how the credential uses its sources.
	// When true, the credential will always request a token from each source in turn,
	// stopping when one provides a token. When false, the credential requests a token
	// only from the source that previously retrieved a token--it never again tries the sources which failed.
	RetrySources bool
}

ChainedTokenCredentialOptions contains optional parameters for ChainedTokenCredential.

type ClientCertificateCredential 

type ClientCertificateCredential struct {
	// contains filtered or unexported fields
}

ClientCertificateCredential authenticates a service principal with a certificate.

func NewClientCertificateCredential 

func NewClientCertificateCredential(tenantID string, clientID string, certs []*x509.Certificate, key crypto.PrivateKey, options *ClientCertificateCredentialOptions) (*ClientCertificateCredential, error)

NewClientCertificateCredential constructs a ClientCertificateCredential. tenantID: The application's Azure Active Directory tenant or directory ID. clientID: The application's client ID. certs: one or more certificates, for example as returned by ParseCertificates() key: the signing certificate's private key, for example as returned by ParseCertificates() options: Optional configuration. Pass nil to accept default settings.

Example

Code: 

{
	data, err := os.ReadFile(certPath)
	handleError(err)

	// NewClientCertificateCredential requires at least one *x509.Certificate, and a crypto.PrivateKey.
	// ParseCertificates returns these given certificate data in PEM or PKCS12 format. It handles common scenarios
	// but has limitations, for example it doesn't load PEM encrypted private keys.
	certs, key, err := azidentity.ParseCertificates(data, nil)
	handleError(err)

	cred, err = azidentity.NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
	handleError(err)

	// Output:
}

func (*ClientCertificateCredential) GetToken 

func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context controlling the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type ClientCertificateCredentialOptions 

type ClientCertificateCredentialOptions struct {
	azcore.ClientOptions

	// SendCertificateChain controls whether the credential sends the public certificate chain in the x5c
	// header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication.
	// Defaults to False.
	SendCertificateChain bool
}

ClientCertificateCredentialOptions contains optional parameters for ClientCertificateCredential.

type ClientID 

type ClientID string

ClientID is an identity's client ID. Use it with ManagedIdentityCredentialOptions, for example: ManagedIdentityCredentialOptions{ID: ClientID("7cf7db0d-...")}

func (ClientID) String 

func (c ClientID) String() string

String returns the string of ClientID

type ClientSecretCredential 

type ClientSecretCredential struct {
	// contains filtered or unexported fields
}

ClientSecretCredential authenticates an application with a client secret.

func NewClientSecretCredential 

func NewClientSecretCredential(tenantID string, clientID string, clientSecret string, options *ClientSecretCredentialOptions) (*ClientSecretCredential, error)

NewClientSecretCredential constructs a ClientSecretCredential. tenantID: The application's Azure Active Directory tenant or directory ID. clientID: The application's client ID. clientSecret: One of the application's client secrets. options: Optional configuration. Pass nil to accept default settings.

func (*ClientSecretCredential) GetToken 

func (c *ClientSecretCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type ClientSecretCredentialOptions 

type ClientSecretCredentialOptions struct {
	azcore.ClientOptions
}

ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.

type DefaultAzureCredential 

type DefaultAzureCredential struct {
	// contains filtered or unexported fields
}

DefaultAzureCredential is a default credential chain for applications that will deploy to Azure. It combines credentials suitable for deployment with credentials suitable for local development. It attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token: - EnvironmentCredential - ManagedIdentityCredential - AzureCLICredential Consult the documentation for these credential types for more information on how they authenticate.

func NewDefaultAzureCredential 

func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*DefaultAzureCredential, error)

NewDefaultAzureCredential creates a DefaultAzureCredential.

func (*DefaultAzureCredential) GetToken 

func (c *DefaultAzureCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (token *azcore.AccessToken, err error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type DefaultAzureCredentialOptions 

type DefaultAzureCredentialOptions struct {
	azcore.ClientOptions

	// TenantID identifies the tenant the Azure CLI should authenticate in.
	// Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
	TenantID string
}

DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential. These options may not apply to all credentials in the chain.

type DeviceCodeCredential 

type DeviceCodeCredential struct {
	// contains filtered or unexported fields
}

DeviceCodeCredential acquires tokens for a user via the device code flow, which has the user browse to an Azure Active Directory URL, enter a code, and authenticate. It's useful for authenticating a user in an environment without a web browser, such as an SSH session. If a web browser is available, InteractiveBrowserCredential is more convenient because it automatically opens a browser to the login page.

func NewDeviceCodeCredential 

func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeCredential, error)

NewDeviceCodeCredential creates a DeviceCodeCredential. options: Optional configuration. Pass nil to accept default settings.

func (*DeviceCodeCredential) GetToken 

func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type DeviceCodeCredentialOptions 

type DeviceCodeCredentialOptions struct {
	azcore.ClientOptions

	// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
	// "organizations" tenant, which can authenticate work and school accounts. Required for single-tenant
	// applications.
	TenantID string
	// ClientID is the ID of the application users will authenticate to.
	// Defaults to the ID of an Azure development application.
	ClientID string
	// UserPrompt controls how the credential presents authentication instructions. The credential calls
	// this function with authentication details when it receives a device code. By default, the credential
	// prints these details to stdout.
	UserPrompt func(context.Context, DeviceCodeMessage) error
}

DeviceCodeCredentialOptions contains optional parameters for DeviceCodeCredential.

type DeviceCodeMessage 

type DeviceCodeMessage struct {
	// UserCode is the user code returned by the service.
	UserCode string `json:"user_code"`
	// VerificationURL is the URL at which the user must authenticate.
	VerificationURL string `json:"verification_uri"`
	// Message is user instruction from Azure Active Directory.
	Message string `json:"message"`
}

DeviceCodeMessage contains the information a user needs to complete authentication.

type EnvironmentCredential 

type EnvironmentCredential struct {
	// contains filtered or unexported fields
}

EnvironmentCredential authenticates a service principal with a secret or certificate, or a user with a password, depending on environment variable configuration. It reads configuration from these variables, in the following order:

Service principal: - AZURE_TENANT_ID: ID of the service principal's tenant. Also called its "directory" ID. - AZURE_CLIENT_ID: the service principal's client ID - AZURE_CLIENT_SECRET: one of the service principal's client secrets

Service principal with certificate:

User with username and password:

func NewEnvironmentCredential 

func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*EnvironmentCredential, error)

NewEnvironmentCredential creates an EnvironmentCredential. options: Optional configuration. Pass nil to accept default settings.

func (*EnvironmentCredential) GetToken 

func (c *EnvironmentCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type EnvironmentCredentialOptions 

type EnvironmentCredentialOptions struct {
	azcore.ClientOptions
}

EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential

type InteractiveBrowserCredential 

type InteractiveBrowserCredential struct {
	// contains filtered or unexported fields
}

InteractiveBrowserCredential opens a browser to interactively authenticate a user.

func NewInteractiveBrowserCredential 

func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOptions) (*InteractiveBrowserCredential, error)

NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. options: Optional configuration. Pass nil to accept default settings.

func (*InteractiveBrowserCredential) GetToken 

func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type InteractiveBrowserCredentialOptions 

type InteractiveBrowserCredentialOptions struct {
	azcore.ClientOptions

	// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
	// "organizations" tenant, which can authenticate work and school accounts.
	TenantID string
	// ClientID is the ID of the application users will authenticate to.
	// Defaults to the ID of an Azure development application.
	ClientID string
	// RedirectURL will be supported in a future version but presently doesn't work: https://github.com/Azure/azure-sdk-for-go/issues/15632.
	// Applications which have "http://localhost" registered as a redirect URL need not set this option.
	RedirectURL string
}

InteractiveBrowserCredentialOptions contains optional parameters for InteractiveBrowserCredential.

type ManagedIDKind 

type ManagedIDKind interface {
	fmt.Stringer
	// contains filtered or unexported methods
}

ManagedIDKind identifies the ID of a managed identity as either a client or resource ID

type ManagedIdentityCredential 

type ManagedIdentityCredential struct {
	// contains filtered or unexported fields
}

ManagedIdentityCredential authenticates with an Azure managed identity in any hosting environment which supports managed identities. This credential defaults to using a system-assigned identity. Use ManagedIdentityCredentialOptions.ID to specify a user-assigned identity. See Azure Active Directory documentation for more information about managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

func NewManagedIdentityCredential 

func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*ManagedIdentityCredential, error)

NewManagedIdentityCredential creates a ManagedIdentityCredential. options: Optional configuration. Pass nil to accept default settings.

Example (UserAssigned)

Code: 

{
	// select a user assigned identity with its client ID...
	clientID := azidentity.ClientID("abcd1234-...")
	opts := azidentity.ManagedIdentityCredentialOptions{ID: clientID}
	cred, err = azidentity.NewManagedIdentityCredential(&opts)
	handleError(err)

	// ...or its resource ID
	resourceID := azidentity.ResourceID("/subscriptions/...")
	opts = azidentity.ManagedIdentityCredentialOptions{ID: resourceID}
	cred, err = azidentity.NewManagedIdentityCredential(&opts)
	handleError(err)
}

func (*ManagedIdentityCredential) GetToken 

func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type ManagedIdentityCredentialOptions 

type ManagedIdentityCredentialOptions struct {
	azcore.ClientOptions

	// ID is the ID of a managed identity the credential should authenticate. Set this field to use a specific identity
	// instead of the hosting environment's default. The value may be the identity's client ID or resource ID, but note that
	// some platforms don't accept resource IDs.
	ID ManagedIDKind
}

ManagedIdentityCredentialOptions contains optional parameters for ManagedIdentityCredential.

type ResourceID 

type ResourceID string

ResourceID is an identity's resource ID. Use it with ManagedIdentityCredentialOptions, for example: ManagedIdentityCredentialOptions{ID: ResourceID("/subscriptions/...")}

func (ResourceID) String 

func (r ResourceID) String() string

String returns the string of ResourceID

type UsernamePasswordCredential 

type UsernamePasswordCredential struct {
	// contains filtered or unexported fields
}

UsernamePasswordCredential authenticates user with a password. Microsoft doesn't recommend this kind of authentication, because it's less secure than other authentication flows. This credential is not interactive, so it isn't compatible with any form of multi-factor authentication, and the application must already have user or admin consent. This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.

func NewUsernamePasswordCredential 

func NewUsernamePasswordCredential(tenantID string, clientID string, username string, password string, options *UsernamePasswordCredentialOptions) (*UsernamePasswordCredential, error)

NewUsernamePasswordCredential creates a UsernamePasswordCredential. tenantID: The ID of the Azure Active Directory tenant the credential authenticates in. clientID: The ID of the application users will authenticate to. username: A username (typically an email address). password: That user's password. options: Optional configuration. Pass nil to accept default settings.

func (*UsernamePasswordCredential) GetToken 

func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory. This method is called automatically by Azure SDK clients. ctx: Context used to control the request lifetime. opts: Options for the token request, in particular the desired scope of the access token.

type UsernamePasswordCredentialOptions 

type UsernamePasswordCredentialOptions struct {
	azcore.ClientOptions
}

UsernamePasswordCredentialOptions contains optional parameters for UsernamePasswordCredential.

Source Files

authorization_code_credential.go azidentity.go azure_cli_credential.go chained_token_credential.go client_certificate_credential.go client_secret_credential.go default_azure_credential.go device_code_credential.go doc.go environment_credential.go errors.go interactive_browser_credential.go logging.go managed_identity_client.go managed_identity_credential.go username_password_credential.go version.go

Version
v0.14.0
Published
Apr 5, 2022
Platform
windows/amd64
Imports
34 packages
Last checked
1 week ago

Tools for package owners.