azidentity – github.com/Azure/azure-sdk-for-go/sdk/azidentity

package azidentity

import "github.com/Azure/azure-sdk-for-go/sdk/azidentity"

Constants

const EventAuthentication log.Event = "Authentication"

EventAuthentication entries contain information about authentication. This includes information like the names of environment variables used when obtaining credentials and the type of credential used.

Functions

func ParseCertificates

func ParseCertificates(certData []byte, password []byte) ([]*x509.Certificate, crypto.PrivateKey, error)

ParseCertificates loads certificates and a private key, in PEM or PKCS12 format, for use with NewClientCertificateCredential. Pass nil for password if the private key isn't encrypted. This function can't decrypt keys in PEM format.
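The caveat above (encrypted PEM keys are not decrypted) is easy to miss at runtime, so here is an added, simplified PEM-only reader written for this page; it is not azidentity's ParseCertificates and does not handle PKCS12. It collects the certificates and the one private key from PEM data and rejects an encrypted PEM key with an explicit error; samplePEM and the "example-sp" subject are constructed test input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parsePEMCertsAndKey walks every PEM block in data, collecting certificates and one private
// key. Encrypted PEM keys (PKCS8 "ENCRYPTED PRIVATE KEY" or a legacy "Proc-Type: 4,ENCRYPTED"
// header) are rejected with an explicit error instead of being mis-parsed.
func parsePEMCertsAndKey(data []byte) ([]*x509.Certificate, crypto.PrivateKey, error) {
	var certs []*x509.Certificate
	var key crypto.PrivateKey
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		var err error
		switch {
		case block.Type == "ENCRYPTED PRIVATE KEY", strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"):
			return nil, nil, errors.New("encrypted PEM private key: decrypt it first or use PKCS12")
		case block.Type == "CERTIFICATE":
			var c *x509.Certificate
			if c, err = x509.ParseCertificate(block.Bytes); err == nil {
				certs = append(certs, c)
			}
		case block.Type == "PRIVATE KEY":
			key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
		case block.Type == "EC PRIVATE KEY":
			key, err = x509.ParseECPrivateKey(block.Bytes)
		case block.Type == "RSA PRIVATE KEY":
			key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
		}
		if err != nil {
			return nil, nil, fmt.Errorf("%s block: %w", block.Type, err)
		}
	}
	if len(certs) == 0 || key == nil {
		return nil, nil, errors.New("PEM data must hold at least one certificate and a private key")
	}
	return certs, key, nil
}

// samplePEM is constructed input: a fresh P-256 key and a matching self-signed certificate.
func samplePEM() []byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-sp"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return append(certPEM, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
}
```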

Types

type AuthenticationFailedError

type AuthenticationFailedError struct {
	// RawResponse is the HTTP response motivating the error, if available.
	RawResponse *http.Response
	// contains filtered or unexported fields
}

AuthenticationFailedError indicates an authentication request has failed.

func (*AuthenticationFailedError) Error

func (e *AuthenticationFailedError) Error() string

Error implements the error interface. Note that the message contents are not contractual and can change over time.

func (*AuthenticationFailedError) NonRetriable

func (*AuthenticationFailedError) NonRetriable()

NonRetriable indicates the request which provoked this error shouldn't be retried.

type AzureCLICredential

type AzureCLICredential struct {
	// contains filtered or unexported fields
}

AzureCLICredential authenticates as the identity logged in to the Azure CLI.

func NewAzureCLICredential

func NewAzureCLICredential(options *AzureCLICredentialOptions) (*AzureCLICredential, error)

NewAzureCLICredential constructs an AzureCLICredential. Pass nil to accept default options.

func (*AzureCLICredential) GetToken

GetToken requests a token from the Azure CLI. This credential doesn't cache tokens, so every call invokes the CLI. This method is called automatically by Azure SDK clients.

type AzureCLICredentialOptions

type AzureCLICredentialOptions struct {
	// TenantID identifies the tenant the credential should authenticate in.
	// Defaults to the CLI's default tenant, which is typically the home tenant of the logged in user.
	TenantID string
	// contains filtered or unexported fields
}

AzureCLICredentialOptions contains optional parameters for AzureCLICredential.

type ChainedTokenCredential

type ChainedTokenCredential struct {
	// contains filtered or unexported fields
}

ChainedTokenCredential links together multiple credentials and tries them sequentially when authenticating. By default, it tries all the credentials until one authenticates, after which it always uses that credential.

func NewChainedTokenCredential

func NewChainedTokenCredential(sources []azcore.TokenCredential, options *ChainedTokenCredentialOptions) (*ChainedTokenCredential, error)

NewChainedTokenCredential creates a ChainedTokenCredential. Pass nil for options to accept defaults.

func (*ChainedTokenCredential) GetToken

GetToken calls GetToken on the chained credentials in turn, stopping when one returns a token. This method is called automatically by Azure SDK clients.

type ChainedTokenCredentialOptions

type ChainedTokenCredentialOptions struct {
	// RetrySources configures how the credential uses its sources. When true, the credential always attempts to
	// authenticate through each source in turn, stopping when one succeeds. When false, the credential authenticates
	// only through the first successful source; it never again tries the sources which failed.
	RetrySources bool
}

ChainedTokenCredentialOptions contains optional parameters for ChainedTokenCredential.
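To make the RetrySources semantics concrete, here is an added self-contained model of the two modes, written for this page rather than taken from azidentity; fakeSource is a constructed stand-in for a TokenCredential and scenario a constructed run of two calls. It shows that with RetrySources false the chain keeps using the first source that ever succeeded, even once an earlier source has become available.

```go
package main

import (
	"context"
	"fmt"
)

// fakeSource stands in for an azcore.TokenCredential: it fails its first `failures`
// calls, then succeeds; calls records how often the chain consulted it.
type fakeSource struct {
	name            string
	failures, calls int
}

func (f *fakeSource) GetToken(ctx context.Context) (string, error) {
	f.calls++
	if f.failures > 0 {
		f.failures--
		return "", fmt.Errorf("%s: not available", f.name)
	}
	return "token-from-" + f.name, nil
}

// chain models the documented ChainedTokenCredential behaviour: retrySources false remembers the
// first source that succeeds and uses only it afterwards; true walks all sources on every call.
type chain struct {
	sources      []*fakeSource
	retrySources bool
	successful   *fakeSource // set only when retrySources is false
}

func (c *chain) GetToken(ctx context.Context) (string, error) {
	if c.successful != nil {
		return c.successful.GetToken(ctx)
	}
	var last error
	for _, s := range c.sources {
		tok, err := s.GetToken(ctx)
		if err == nil {
			if !c.retrySources {
				c.successful = s
			}
			return tok, nil
		}
		last = err
	}
	return "", fmt.Errorf("all %d sources failed, last error: %w", len(c.sources), last)
}

// scenario makes two calls with "cli" (fails once) before "secret" (always works); returns tokens and cli's call count.
func scenario(retrySources bool) ([]string, int) {
	cli, secret := &fakeSource{name: "cli", failures: 1}, &fakeSource{name: "secret"}
	c := &chain{sources: []*fakeSource{cli, secret}, retrySources: retrySources}
	var tokens []string
	for i := 0; i < 2; i++ {
		tok, _ := c.GetToken(context.Background())
		tokens = append(tokens, tok)
	}
	return tokens, cli.calls
}
```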

type ClientAssertionCredential

type ClientAssertionCredential struct {
	// contains filtered or unexported fields
}

ClientAssertionCredential authenticates an application with assertions provided by a callback function. This credential is for advanced scenarios. ClientCertificateCredential has a more convenient API for the most common assertion scenario, authenticating a service principal with a certificate. See Azure AD documentation for details of the assertion format.

func NewClientAssertionCredential

func NewClientAssertionCredential(tenantID, clientID string, getAssertion func(context.Context) (string, error), options *ClientAssertionCredentialOptions) (*ClientAssertionCredential, error)

NewClientAssertionCredential constructs a ClientAssertionCredential. The getAssertion function must be thread safe. Pass nil for options to accept defaults.

func (*ClientAssertionCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type ClientAssertionCredentialOptions

type ClientAssertionCredentialOptions struct {
	azcore.ClientOptions
}

ClientAssertionCredentialOptions contains optional parameters for ClientAssertionCredential.

type ClientCertificateCredential

type ClientCertificateCredential struct {
	// contains filtered or unexported fields
}

ClientCertificateCredential authenticates a service principal with a certificate.

func NewClientCertificateCredential

func NewClientCertificateCredential(tenantID string, clientID string, certs []*x509.Certificate, key crypto.PrivateKey, options *ClientCertificateCredentialOptions) (*ClientCertificateCredential, error)

NewClientCertificateCredential constructs a ClientCertificateCredential. Pass nil for options to accept defaults.

Example

Code:

{
	data, err := os.ReadFile(certPath)
	handleError(err)

	// NewClientCertificateCredential requires at least one *x509.Certificate, and a crypto.PrivateKey.
	// ParseCertificates returns these given certificate data in PEM or PKCS12 format. It handles common scenarios
	// but has limitations, for example it doesn't load PEM encrypted private keys.
	certs, key, err := azidentity.ParseCertificates(data, nil)
	handleError(err)

	cred, err = azidentity.NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
	handleError(err)

	// Output:
}

func (*ClientCertificateCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type ClientCertificateCredentialOptions

type ClientCertificateCredentialOptions struct {
	azcore.ClientOptions

	// SendCertificateChain controls whether the credential sends the public certificate chain in the x5c
	// header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication.
	// Defaults to false.
	SendCertificateChain bool
}

ClientCertificateCredentialOptions contains optional parameters for ClientCertificateCredential.

type ClientID

type ClientID string

ClientID is the client ID of a user-assigned managed identity.

func (ClientID) String

func (c ClientID) String() string

String returns the string value of the ID.

type ClientSecretCredential

type ClientSecretCredential struct {
	// contains filtered or unexported fields
}

ClientSecretCredential authenticates an application with a client secret.

func NewClientSecretCredential

func NewClientSecretCredential(tenantID string, clientID string, clientSecret string, options *ClientSecretCredentialOptions) (*ClientSecretCredential, error)

NewClientSecretCredential constructs a ClientSecretCredential. Pass nil for options to accept defaults.

func (*ClientSecretCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type ClientSecretCredentialOptions

type ClientSecretCredentialOptions struct {
	azcore.ClientOptions
}

ClientSecretCredentialOptions contains optional parameters for ClientSecretCredential.

type DefaultAzureCredential

type DefaultAzureCredential struct {
	// contains filtered or unexported fields
}

DefaultAzureCredential is a default credential chain for applications that will deploy to Azure. It combines credentials suitable for deployment with credentials suitable for local development. It attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token:

Consult the documentation for these credential types for more information on how they authenticate. Once a credential has successfully authenticated, DefaultAzureCredential will use that credential for every subsequent authentication.

func NewDefaultAzureCredential

func NewDefaultAzureCredential(options *DefaultAzureCredentialOptions) (*DefaultAzureCredential, error)

NewDefaultAzureCredential creates a DefaultAzureCredential. Pass nil for options to accept defaults.

func (*DefaultAzureCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type DefaultAzureCredentialOptions

type DefaultAzureCredentialOptions struct {
	azcore.ClientOptions

	// TenantID identifies the tenant the Azure CLI should authenticate in.
	// Defaults to the CLI's default tenant, which is typically the home tenant of the user logged in to the CLI.
	TenantID string
}

DefaultAzureCredentialOptions contains optional parameters for DefaultAzureCredential. These options may not apply to all credentials in the chain.

type DeviceCodeCredential

type DeviceCodeCredential struct {
	// contains filtered or unexported fields
}

DeviceCodeCredential acquires tokens for a user via the device code flow, which has the user browse to an Azure Active Directory URL, enter a code, and authenticate. It's useful for authenticating a user in an environment without a web browser, such as an SSH session. If a web browser is available, InteractiveBrowserCredential is more convenient because it automatically opens a browser to the login page.

func NewDeviceCodeCredential

func NewDeviceCodeCredential(options *DeviceCodeCredentialOptions) (*DeviceCodeCredential, error)

NewDeviceCodeCredential creates a DeviceCodeCredential. Pass nil to accept default options.

func (*DeviceCodeCredential) GetToken

GetToken requests an access token from Azure Active Directory. It will begin the device code flow and poll until the user completes authentication. This method is called automatically by Azure SDK clients.

type DeviceCodeCredentialOptions

type DeviceCodeCredentialOptions struct {
	azcore.ClientOptions

	// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
	// "organizations" tenant, which can authenticate work and school accounts. Required for single-tenant
	// applications.
	TenantID string
	// ClientID is the ID of the application users will authenticate to.
	// Defaults to the ID of an Azure development application.
	ClientID string
	// UserPrompt controls how the credential presents authentication instructions. The credential calls
	// this function with authentication details when it receives a device code. By default, the credential
	// prints these details to stdout.
	UserPrompt func(context.Context, DeviceCodeMessage) error
}

DeviceCodeCredentialOptions contains optional parameters for DeviceCodeCredential.

type DeviceCodeMessage

type DeviceCodeMessage struct {
	// UserCode is the user code returned by the service.
	UserCode string `json:"user_code"`
	// VerificationURL is the URL at which the user must authenticate.
	VerificationURL string `json:"verification_uri"`
	// Message is user instruction from Azure Active Directory.
	Message string `json:"message"`
}

DeviceCodeMessage contains the information a user needs to complete authentication.

type EnvironmentCredential

type EnvironmentCredential struct {
	// contains filtered or unexported fields
}

EnvironmentCredential authenticates a service principal with a secret or certificate, or a user with a password, depending on environment variable configuration. It reads configuration from these variables, in the following order:

Service principal with client secret

AZURE_TENANT_ID: ID of the service principal's tenant. Also called its "directory" ID.

AZURE_CLIENT_ID: the service principal's client ID

AZURE_CLIENT_SECRET: one of the service principal's client secrets

Service principal with certificate

AZURE_TENANT_ID: ID of the service principal's tenant. Also called its "directory" ID.

AZURE_CLIENT_ID: the service principal's client ID

AZURE_CLIENT_CERTIFICATE_PATH: path to a PEM or PKCS12 certificate file including the private key.

AZURE_CLIENT_CERTIFICATE_PASSWORD: (optional) password for the certificate file.

User with username and password

AZURE_TENANT_ID: (optional) tenant to authenticate in. Defaults to "organizations".

AZURE_CLIENT_ID: client ID of the application the user will authenticate to

AZURE_USERNAME: a username (usually an email address)

AZURE_PASSWORD: the user's password
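An added diagnostic, not part of azidentity, that applies the precedence above to an environment and reports which credential EnvironmentCredential would construct and which variable names (names only, never values, so the result is safe to log) it relied on; fromMap and the variable values in the test are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// envCredentialKind reports which credential EnvironmentCredential would construct from the
// environment, checking the three configurations in the documented order, and the variable
// names it relied on (names only, never values, so the result is safe to log).
func envCredentialKind(getenv func(string) string) (kind string, used []string, err error) {
	configs := []struct {
		kind               string
		required, optional []string
	}{
		{"ClientSecretCredential", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}, nil},
		{"ClientCertificateCredential", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"},
			[]string{"AZURE_CLIENT_CERTIFICATE_PASSWORD"}},
		{"UsernamePasswordCredential", []string{"AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"},
			[]string{"AZURE_TENANT_ID"}},
	}
	var missing []string
	for _, c := range configs {
		used = used[:0]
		complete := true
		for _, name := range c.required {
			if getenv(name) == "" {
				complete = false
				missing = append(missing, c.kind+" needs "+name)
				break
			}
			used = append(used, name)
		}
		if !complete {
			continue
		}
		for _, name := range c.optional {
			if getenv(name) != "" {
				used = append(used, name)
			}
		}
		return c.kind, used, nil
	}
	return "", nil, fmt.Errorf("incomplete environment configuration: %s", strings.Join(missing, "; "))
}

// fromMap adapts a constructed map to the os.Getenv signature for offline use.
func fromMap(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

func main() {
	kind, used, err := envCredentialKind(os.Getenv)
	if err != nil {
		fmt.Println("EnvironmentCredential would fail:", err)
		return
	}
	fmt.Printf("EnvironmentCredential would use %s via %v\n", kind, used)
}
```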

func NewEnvironmentCredential

func NewEnvironmentCredential(options *EnvironmentCredentialOptions) (*EnvironmentCredential, error)

NewEnvironmentCredential creates an EnvironmentCredential. Pass nil to accept default options.

func (*EnvironmentCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type EnvironmentCredentialOptions

type EnvironmentCredentialOptions struct {
	azcore.ClientOptions
}

EnvironmentCredentialOptions contains optional parameters for EnvironmentCredential.

type InteractiveBrowserCredential

type InteractiveBrowserCredential struct {
	// contains filtered or unexported fields
}

InteractiveBrowserCredential opens a browser to interactively authenticate a user.

func NewInteractiveBrowserCredential

func NewInteractiveBrowserCredential(options *InteractiveBrowserCredentialOptions) (*InteractiveBrowserCredential, error)

NewInteractiveBrowserCredential constructs a new InteractiveBrowserCredential. Pass nil to accept default options.

func (*InteractiveBrowserCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type InteractiveBrowserCredentialOptions

type InteractiveBrowserCredentialOptions struct {
	azcore.ClientOptions

	// TenantID is the Azure Active Directory tenant the credential authenticates in. Defaults to the
	// "organizations" tenant, which can authenticate work and school accounts.
	TenantID string
	// ClientID is the ID of the application users will authenticate to.
	// Defaults to the ID of an Azure development application.
	ClientID string
	// RedirectURL will be supported in a future version but presently doesn't work: https://github.com/Azure/azure-sdk-for-go/issues/15632.
	// Applications which have "http://localhost" registered as a redirect URL need not set this option.
	RedirectURL string
}

InteractiveBrowserCredentialOptions contains optional parameters for InteractiveBrowserCredential.

type ManagedIDKind

type ManagedIDKind interface {
	fmt.Stringer
	// contains filtered or unexported methods
}

ManagedIDKind identifies the ID of a managed identity as either a client ID or a resource ID.

type ManagedIdentityCredential

type ManagedIdentityCredential struct {
	// contains filtered or unexported fields
}

ManagedIdentityCredential authenticates an Azure managed identity in any hosting environment supporting managed identities. This credential authenticates a system-assigned identity by default. Use ManagedIdentityCredentialOptions.ID to specify a user-assigned identity. See Azure Active Directory documentation for more information about managed identities: https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview

func NewManagedIdentityCredential

func NewManagedIdentityCredential(options *ManagedIdentityCredentialOptions) (*ManagedIdentityCredential, error)

NewManagedIdentityCredential creates a ManagedIdentityCredential. Pass nil to accept default options.

Example (UserAssigned)

Code:

{
	// select a user assigned identity with its client ID...
	clientID := azidentity.ClientID("abcd1234-...")
	opts := azidentity.ManagedIdentityCredentialOptions{ID: clientID}
	cred, err = azidentity.NewManagedIdentityCredential(&opts)
	handleError(err)

	// ...or its resource ID
	resourceID := azidentity.ResourceID("/subscriptions/...")
	opts = azidentity.ManagedIdentityCredentialOptions{ID: resourceID}
	cred, err = azidentity.NewManagedIdentityCredential(&opts)
	handleError(err)
}

func (*ManagedIdentityCredential) GetToken

GetToken requests an access token from the hosting environment. This method is called automatically by Azure SDK clients.

type ManagedIdentityCredentialOptions

type ManagedIdentityCredentialOptions struct {
	azcore.ClientOptions

	// ID is the ID of a managed identity the credential should authenticate. Set this field to use a specific identity
	// instead of the hosting environment's default. The value may be the identity's client ID or resource ID, but note that
	// some platforms don't accept resource IDs.
	ID ManagedIDKind
}

ManagedIdentityCredentialOptions contains optional parameters for ManagedIdentityCredential.

type ResourceID

type ResourceID string

ResourceID is the resource ID of a user-assigned managed identity.

func (ResourceID) String

func (r ResourceID) String() string

String returns the string value of the ID.

type UsernamePasswordCredential

type UsernamePasswordCredential struct {
	// contains filtered or unexported fields
}

UsernamePasswordCredential authenticates a user with a password. Microsoft doesn't recommend this kind of authentication, because it's less secure than other authentication flows. This credential is not interactive, so it isn't compatible with any form of multi-factor authentication, and the application must already have user or admin consent. This credential can only authenticate work and school accounts; it can't authenticate Microsoft accounts.

func NewUsernamePasswordCredential

func NewUsernamePasswordCredential(tenantID string, clientID string, username string, password string, options *UsernamePasswordCredentialOptions) (*UsernamePasswordCredential, error)

NewUsernamePasswordCredential creates a UsernamePasswordCredential. clientID is the ID of the application the user will authenticate to. Pass nil for options to accept defaults.

func (*UsernamePasswordCredential) GetToken

GetToken requests an access token from Azure Active Directory. This method is called automatically by Azure SDK clients.

type UsernamePasswordCredentialOptions

type UsernamePasswordCredentialOptions struct {
	azcore.ClientOptions
}

UsernamePasswordCredentialOptions contains optional parameters for UsernamePasswordCredential.

type WorkloadIdentityCredential

type WorkloadIdentityCredential struct {
	// contains filtered or unexported fields
}

WorkloadIdentityCredential supports Azure workload identity on Kubernetes. See AKS documentation for more information.

func NewWorkloadIdentityCredential

func NewWorkloadIdentityCredential(tenantID, clientID, file string, options *WorkloadIdentityCredentialOptions) (*WorkloadIdentityCredential, error)

NewWorkloadIdentityCredential constructs a WorkloadIdentityCredential. tenantID and clientID specify the identity the credential authenticates. file is a path to a file containing a Kubernetes service account token that authenticates the identity.

func (*WorkloadIdentityCredential) GetToken

GetToken requests an access token from Azure Active Directory. Azure SDK clients call this method automatically.

type WorkloadIdentityCredentialOptions

type WorkloadIdentityCredentialOptions struct {
	azcore.ClientOptions
}

WorkloadIdentityCredentialOptions contains optional parameters for WorkloadIdentityCredential.

Source Files

azidentity.go azure_cli_credential.go chained_token_credential.go client_assertion_credential.go client_certificate_credential.go client_secret_credential.go default_azure_credential.go device_code_credential.go environment_credential.go errors.go interactive_browser_credential.go logging.go managed_identity_client.go managed_identity_credential.go username_password_credential.go version.go workload_identity.go

Version: v1.3.0-beta.1
Published: Dec 12, 2022
Platform: windows/amd64
Imports: 30 packages