package azidentity

const (
	// AzureChina is a global constant to use in order to access the Azure China cloud.
	AzureChina = "https://login.chinacloudapi.cn/"
	// AzureGermany is a global constant to use in order to access the Azure Germany cloud.
	AzureGermany = "https://login.microsoftonline.de/"
	// AzureGovernment is a global constant to use in order to access the Azure Government cloud.
	AzureGovernment = "https://login.microsoftonline.us/"
	// AzurePublicCloud is a global constant to use in order to access the Azure public cloud.
	AzurePublicCloud = "https://login.microsoftonline.com/"
)

const LogCredential azcore.LogClassification = "Credential"

LogCredential entries contain information about authentication. This includes information like the names of environment variables used when obtaining credentials and the type of credential used.

Types ¶

type AADAuthenticationFailedError ¶

type AADAuthenticationFailedError struct {
	Message       string `json:"error"`
	Description   string `json:"error_description"`
	Timestamp     string `json:"timestamp"`
	TraceID       string `json:"trace_id"`
	CorrelationID string `json:"correlation_id"`
	URI           string `json:"error_uri"`
	Response      *azcore.Response
}

AADAuthenticationFailedError is used to unmarshal error responses received from Azure Active Directory.

func (*AADAuthenticationFailedError) Error ¶

func (e *AADAuthenticationFailedError) Error() string

type AuthenticationFailedError ¶

type AuthenticationFailedError struct {
	// contains filtered or unexported fields
}

AuthenticationFailedError is returned when the authentication request has failed.

func (*AuthenticationFailedError) Error ¶

func (e *AuthenticationFailedError) Error() string

func (*AuthenticationFailedError) NonRetriable ¶

func (e *AuthenticationFailedError) NonRetriable()

NonRetriable indicates that this error should not be retried.

func (*AuthenticationFailedError) Unwrap ¶

func (e *AuthenticationFailedError) Unwrap() error

Unwrap method on AuthenticationFailedError provides access to the inner error if available.

type AzureCLICredential ¶

type AzureCLICredential struct {
	// contains filtered or unexported fields
}

AzureCLICredential enables authentication to Azure Active Directory using the Azure CLI command "az account get-access-token".

func NewAzureCLICredential ¶

func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredential, error)

NewAzureCLICredential constructs a new AzureCLICredential with the details needed to authenticate against Azure Active Directory options: configure the management of the requests sent to Azure Active Directory.

func (*AzureCLICredential) AuthenticationPolicy ¶

func (c *AzureCLICredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on AzureCLICredential and calls the Bearer Token policy to get the bearer token.

func (*AzureCLICredential) GetToken ¶

func (c *AzureCLICredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory, using the Azure CLI command to authenticate. ctx: Context used to control the request lifetime. opts: TokenRequestOptions contains the list of scopes for which the token will have access. Returns an AccessToken which can be used to authenticate service client calls.

type AzureCLICredentialOptions ¶

type AzureCLICredentialOptions struct {
	TokenProvider AzureCLITokenProvider
}

AzureCLICredentialOptions contains options used to configure the AzureCLICredential

type AzureCLITokenProvider ¶

type AzureCLITokenProvider func(ctx context.Context, resource string) ([]byte, error)

AzureCLITokenProvider can be used to supply the AzureCLICredential with an alternate token provider

type ChainedTokenCredential ¶

type ChainedTokenCredential struct {
	// contains filtered or unexported fields
}

ChainedTokenCredential provides a TokenCredential implementation that chains multiple TokenCredential sources to be tried in order and returns the token from the first successful call to GetToken().

func NewChainedTokenCredential ¶

func NewChainedTokenCredential(sources ...azcore.TokenCredential) (*ChainedTokenCredential, error)

NewChainedTokenCredential creates an instance of ChainedTokenCredential with the specified TokenCredential sources.

func NewDefaultAzureCredential ¶

func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*ChainedTokenCredential, error)

NewDefaultAzureCredential provides a default ChainedTokenCredential configuration for applications that will be deployed to Azure. The following credential types will be tried, in the following order: - EnvironmentCredential - ManagedIdentityCredential - AzureCLICredential Consult the documentation for these credential types for more information on how they attempt authentication.

func (*ChainedTokenCredential) AuthenticationPolicy ¶

func (c *ChainedTokenCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on ChainedTokenCredential and sets the bearer token

func (*ChainedTokenCredential) GetToken ¶

func (c *ChainedTokenCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (token *azcore.AccessToken, err error)

GetToken sequentially calls TokenCredential.GetToken on all the specified sources, returning the token from the first successful call to GetToken().

type ClientCertificateCredential ¶

type ClientCertificateCredential struct {
	// contains filtered or unexported fields
}

ClientCertificateCredential enables authentication of a service principal to Azure Active Directory using a certificate that is assigned to its App Registration. More information on how to configure certificate authentication can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials#register-your-certificate-with-azure-ad

func NewClientCertificateCredential ¶

func NewClientCertificateCredential(tenantID string, clientID string, clientCertificate string, password *string, options *TokenCredentialOptions) (*ClientCertificateCredential, error)

NewClientCertificateCredential creates an instance of ClientCertificateCredential with the details needed to authenticate against Azure Active Directory with the specified certificate. tenantID: The Azure Active Directory tenant (directory) ID of the service principal. clientID: The client (application) ID of the service principal. clientCertificate: The path to the client certificate used to authenticate the client. Supported formats are PEM and PFX. password: The password required to decrypt the private key. Pass nil if there is no password. options: configure the management of the requests sent to Azure Active Directory.

func (*ClientCertificateCredential) AuthenticationPolicy ¶

func (c *ClientCertificateCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on ClientSecretCredential.

func (*ClientCertificateCredential) GetToken ¶

func (c *ClientCertificateCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory, using the certificate in the file path. scopes: The list of scopes for which the token will have access. ctx: controlling the request lifetime. Returns an AccessToken which can be used to authenticate service client calls.

type ClientSecretCredential ¶

type ClientSecretCredential struct {
	// contains filtered or unexported fields
}

ClientSecretCredential enables authentication to Azure Active Directory using a client secret that was generated for an App Registration. More information on how to configure a client secret can be found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-credentials-to-your-web-application

func NewClientSecretCredential ¶

func NewClientSecretCredential(tenantID string, clientID string, clientSecret string, options *TokenCredentialOptions) (*ClientSecretCredential, error)

NewClientSecretCredential constructs a new ClientSecretCredential with the details needed to authenticate against Azure Active Directory with a client secret. tenantID: The Azure Active Directory tenant (directory) ID of the service principal. clientID: The client (application) ID of the service principal. clientSecret: A client secret that was generated for the App Registration used to authenticate the client. options: allow to configure the management of the requests sent to Azure Active Directory.

func (*ClientSecretCredential) AuthenticationPolicy ¶

func (c *ClientSecretCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on ClientSecretCredential and calls the Bearer Token policy to get the bearer token.

func (*ClientSecretCredential) GetToken ¶

func (c *ClientSecretCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory, using the specified client secret to authenticate. ctx: Context used to control the request lifetime. opts: TokenRequestOptions contains the list of scopes for which the token will have access. Returns an AccessToken which can be used to authenticate service client calls.

type CredentialUnavailableError ¶

type CredentialUnavailableError struct {
	// CredentialType holds the name of the credential that is unavailable
	CredentialType string
	// Message contains the reason why the credential is unavailable
	Message string
}

CredentialUnavailableError is the error type returned when the conditions required to create a credential do not exist or are unavailable.

func (*CredentialUnavailableError) Error ¶

func (e *CredentialUnavailableError) Error() string

func (*CredentialUnavailableError) NonRetriable ¶

func (e *CredentialUnavailableError) NonRetriable()

NonRetriable indicates that this error should not be retried.

type DefaultAzureCredentialOptions ¶

type DefaultAzureCredentialOptions struct {
	// set this field to true in order to exclude the AzureCLICredential from the set of
	// credentials that will be used to authenticate with
	ExcludeAzureCLICredential bool
	// set this field to true in order to exclude the EnvironmentCredential from the set of
	// credentials that will be used to authenticate with
	ExcludeEnvironmentCredential bool
	// set this field to true in order to exclude the ManagedIdentityCredential from the set of
	// credentials that will be used to authenticate with
	ExcludeMSICredential bool
}

DefaultAzureCredentialOptions contains options for configuring how credentials are acquired.

type DeviceCodeCredential ¶

type DeviceCodeCredential struct {
	// contains filtered or unexported fields
}

DeviceCodeCredential authenticates a user using the device code flow, and provides access tokens for that user account. For more information on the device code authentication flow see: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-device-code.

func NewDeviceCodeCredential ¶

func NewDeviceCodeCredential(tenantID string, clientID string, callback func(string), options *TokenCredentialOptions) (*DeviceCodeCredential, error)

NewDeviceCodeCredential constructs a new DeviceCodeCredential used to authenticate against Azure Active Directory with a device code. tenantID: The Azure Active Directory tenant (directory) ID of the service principal. If none is set then the default value ("organizations") will be used in place of the tenantID. clientID: The client (application) ID of the service principal. callback: The callback function used to send the login message back to the user options: Options used to configure the management of the requests sent to Azure Active Directory.

func (*DeviceCodeCredential) AuthenticationPolicy ¶

func (c *DeviceCodeCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on ClientSecretCredential.

func (*DeviceCodeCredential) GetToken ¶

func (c *DeviceCodeCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory, following the device code authentication flow. This function first requests a device code and requests that the user login before continuing to authenticate the device. This function will keep polling the service for a token until the user logs in. scopes: The list of scopes for which the token will have access. The "offline_access" scope is checked for and automatically added in case it isn't present to allow for silent token refresh. ctx: The context for controlling the request lifetime. Returns an AccessToken which can be used to authenticate service client calls.

type EnvironmentCredential ¶

type EnvironmentCredential struct {
	// contains filtered or unexported fields
}

EnvironmentCredential enables authentication to Azure Active Directory using either ClientSecretCredential, ClientCertificateCredential or UsernamePasswordCredential. This credential type will check for the following environment variables in the same order as listed: - AZURE_TENANT_ID - AZURE_CLIENT_ID - AZURE_CLIENT_SECRET - AZURE_CLIENT_CERTIFICATE_PATH - AZURE_USERNAME - AZURE_PASSWORD NOTE: EnvironmentCredential will stop checking environment variables as soon as it finds enough environment variables to create a credential type.

func NewEnvironmentCredential ¶

func NewEnvironmentCredential(options *TokenCredentialOptions) (*EnvironmentCredential, error)

NewEnvironmentCredential creates an instance that implements the azcore.TokenCredential interface and reads credential details from environment variables. If the expected environment variables are not found at this time, then a CredentialUnavailableError will be returned. options: The options used to configure the management of the requests sent to Azure Active Directory.

func (*EnvironmentCredential) AuthenticationPolicy ¶

func (c *EnvironmentCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on EnvironmentCredential and calls the Bearer Token policy to get the bearer token.

func (*EnvironmentCredential) GetToken ¶

func (c *EnvironmentCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory, using the underlying credential's GetToken method. ctx: Context used to control the request lifetime. opts: TokenRequestOptions contains the list of scopes for which the token will have access. Returns an AccessToken which can be used to authenticate service client calls.

type InteractiveBrowserCredential ¶

type InteractiveBrowserCredential struct {
	// contains filtered or unexported fields
}

InteractiveBrowserCredential enables authentication to Azure Active Directory using an interactive browser to log in.

func NewInteractiveBrowserCredential ¶

func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOptions) (*InteractiveBrowserCredential, error)

NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential with the details needed to authenticate against Azure Active Directory through an interactive browser window. options: allow to configure the management of the requests sent to Azure Active Directory, pass in nil for default behavior.

func (*InteractiveBrowserCredential) AuthenticationPolicy ¶

func (c *InteractiveBrowserCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on InteractiveBrowserCredential and calls the Bearer Token policy to get the bearer token.

func (*InteractiveBrowserCredential) GetToken ¶

func (c *InteractiveBrowserCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory using an interactive browser to authenticate. ctx: Context used to control the request lifetime. opts: TokenRequestOptions contains the list of scopes for which the token will have access. Returns an AccessToken which can be used to authenticate service client calls.

type InteractiveBrowserCredentialOptions ¶

type InteractiveBrowserCredentialOptions struct {
	// The Azure Active Directory tenant (directory) ID of the service principal.
	TenantID string
	// The client (application) ID of the service principal.
	ClientID string
	// The client secret that was generated for the App Registration used to authenticate the client. Only applies for web apps.
	ClientSecret *string
	// The redirect URI used to request the authorization code. Must be the same URI that is configured for the App Registration.
	RedirectURI *string
	// Options allows configuring the management of the requests sent to Azure Active Directory.
	Options *TokenCredentialOptions
}

InteractiveBrowserCredentialOptions can be used when providing additional credential information, such as a client secret. Also use these options to modify the default pipeline behavior through the TokenCredentialOptions.

func DefaultInteractiveBrowserCredentialOptions ¶

func DefaultInteractiveBrowserCredentialOptions() InteractiveBrowserCredentialOptions

DefaultInteractiveBrowserCredentialOptions use this function to get the default values for logging in with an interactive browser window.

type ManagedIdentityCredential ¶

type ManagedIdentityCredential struct {
	// contains filtered or unexported fields
}

ManagedIdentityCredential attempts authentication using a managed identity that has been assigned to the deployment environment. This authentication type works in several managed identity environments such as Azure VMs, App Service, Azure Functions, Azure CloudShell, among others. More information about configuring managed identities can be found here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

func NewManagedIdentityCredential ¶

func NewManagedIdentityCredential(clientID string, options *ManagedIdentityCredentialOptions) (*ManagedIdentityCredential, error)

NewManagedIdentityCredential creates an instance of the ManagedIdentityCredential capable of authenticating a resource that has a managed identity. clientID: The client ID to authenticate for a user assigned managed identity. options: ManagedIdentityCredentialOptions that configure the pipeline for requests sent to Azure Active Directory. More information on user assigned managed identities cam be found here: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview#how-a-user-assigned-managed-identity-works-with-an-azure-vm

func (*ManagedIdentityCredential) AuthenticationPolicy ¶

func (c *ManagedIdentityCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on ManagedIdentityCredential. Please note: the TokenRequestOptions included in AuthenticationPolicyOptions must be a slice of resources in this case and not scopes

func (*ManagedIdentityCredential) GetToken ¶

func (c *ManagedIdentityCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains an AccessToken from the Managed Identity service if available. scopes: The list of scopes for which the token will have access. Returns an AccessToken which can be used to authenticate service client calls.

type ManagedIdentityCredentialOptions ¶

type ManagedIdentityCredentialOptions struct {
	// HTTPClient sets the transport for making HTTP requests.
	// Leave this as nil to use the default HTTP transport.
	HTTPClient azcore.Transport

	// Telemetry configures the built-in telemetry policy behavior.
	Telemetry azcore.TelemetryOptions
}

ManagedIdentityCredentialOptions contains parameters that can be used to configure the pipeline used with Managed Identity Credential.

type TokenCredentialOptions ¶

type TokenCredentialOptions struct {
	// The host of the Azure Active Directory authority. The default is https://login.microsoft.com
	AuthorityHost string

	// HTTPClient sets the transport for making HTTP requests
	// Leave this as nil to use the default HTTP transport
	HTTPClient azcore.Transport

	// Retry configures the built-in retry policy behavior
	Retry *azcore.RetryOptions

	// Telemetry configures the built-in telemetry policy behavior
	Telemetry azcore.TelemetryOptions
}

TokenCredentialOptions are used to configure how requests are made to Azure Active Directory.

type UsernamePasswordCredential ¶

type UsernamePasswordCredential struct {
	// contains filtered or unexported fields
}

UsernamePasswordCredential enables authentication to Azure Active Directory using a user's username and password. If the user has MFA enabled this credential will fail to get a token returning an AuthenticationFailureError. Also, this credential requires a high degree of trust and is not recommended outside of prototyping when more secure credentials can be used.

func NewUsernamePasswordCredential ¶

func NewUsernamePasswordCredential(tenantID string, clientID string, username string, password string, options *TokenCredentialOptions) (*UsernamePasswordCredential, error)

NewUsernamePasswordCredential constructs a new UsernamePasswordCredential with the details needed to authenticate against Azure Active Directory with a simple username and password. tenantID: The Azure Active Directory tenant (directory) ID of the service principal. clientID: The client (application) ID of the service principal. username: A user's account username password: A user's account password options: TokenCredentialOptions used to configure the pipeline for the requests sent to Azure Active Directory.

func (*UsernamePasswordCredential) AuthenticationPolicy ¶

func (c *UsernamePasswordCredential) AuthenticationPolicy(options azcore.AuthenticationPolicyOptions) azcore.Policy

AuthenticationPolicy implements the azcore.Credential interface on UsernamePasswordCredential.

func (*UsernamePasswordCredential) GetToken ¶

func (c *UsernamePasswordCredential) GetToken(ctx context.Context, opts azcore.TokenRequestOptions) (*azcore.AccessToken, error)

GetToken obtains a token from Azure Active Directory using the specified username and password. scopes: The list of scopes for which the token will have access. ctx: The context used to control the request lifetime. Returns an AccessToken which can be used to authenticate service client calls.

Source Files ¶

aad_identity_client.go azidentity.go azure_cli_credential.go bearer_token_policy.go chained_token_credential.go client_certificate_credential.go client_secret_credential.go default_azure_credential.go device_code_credential.go environment_credential.go fingerprint.go interactive_browser_credential.go interactive_browser_server.go jwt.go logging.go managed_identity_client.go managed_identity_credential.go username_password_credential.go

Version: v0.2.1
Published: Oct 6, 2020
Platform: windows/amd64
Imports: 30 packages
Last checked: 3 minutes ago –

Tools for package owners.

?	: This menu
/	: Search site
f	: Jump to identifier
g then g	: Go to top of page
g then b	: Go to end of page
G	: Go to end of page
g then i	: Go to index
g then e	: Go to examples