azure-identity-java

仓库: sickn33/antigravity-awesome-skills
安装量: 46
排名: #16096

安装

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill azure-identity-java

Azure Identity (Java) Authenticate Java applications with Azure services using Microsoft Entra ID (Azure AD). Installation < dependency

< groupId

com.azure </ groupId

< artifactId

azure-identity </ artifactId

< version

1.15.0 </ version

</ dependency

Key Concepts Credential Use Case DefaultAzureCredential Recommended - Works in dev and production ManagedIdentityCredential Azure-hosted apps (App Service, Functions, VMs) EnvironmentCredential CI/CD pipelines with env vars ClientSecretCredential Service principals with secret ClientCertificateCredential Service principals with certificate AzureCliCredential Local dev using az login InteractiveBrowserCredential Interactive login flow DeviceCodeCredential Headless device authentication DefaultAzureCredential (Recommended) The DefaultAzureCredential tries multiple authentication methods in order: Environment variables Workload Identity Managed Identity Azure CLI Azure PowerShell Azure Developer CLI import com . azure . identity . DefaultAzureCredential ; import com . azure . identity . DefaultAzureCredentialBuilder ; // Simple usage DefaultAzureCredential credential = new DefaultAzureCredentialBuilder ( ) . build ( ) ; // Use with any Azure client BlobServiceClient blobClient = new BlobServiceClientBuilder ( ) . endpoint ( "https://.blob.core.windows.net" ) . credential ( credential ) . buildClient ( ) ; KeyClient keyClient = new KeyClientBuilder ( ) . vaultUrl ( "https://.vault.azure.net" ) . credential ( credential ) . buildClient ( ) ; Configure DefaultAzureCredential DefaultAzureCredential credential = new DefaultAzureCredentialBuilder ( ) . managedIdentityClientId ( "" ) // For user-assigned MI . tenantId ( "" ) // Limit to specific tenant . excludeEnvironmentCredential ( ) // Skip env vars . excludeAzureCliCredential ( ) // Skip Azure CLI . build ( ) ; Managed Identity For Azure-hosted applications (App Service, Functions, AKS, VMs). import com . azure . identity . ManagedIdentityCredential ; import com . azure . identity . ManagedIdentityCredentialBuilder ; // System-assigned managed identity ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder ( ) . build ( ) ; // User-assigned managed identity (by client ID) ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder ( ) . clientId ( "" ) . build ( ) ; // User-assigned managed identity (by resource ID) ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder ( ) . resourceId ( "/subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/" ) . build ( ) ; Service Principal with Secret import com . azure . identity . ClientSecretCredential ; import com . azure . identity . ClientSecretCredentialBuilder ; ClientSecretCredential credential = new ClientSecretCredentialBuilder ( ) . tenantId ( "" ) . clientId ( "" ) . clientSecret ( "" ) . build ( ) ; Service Principal with Certificate import com . azure . identity . ClientCertificateCredential ; import com . azure . identity . ClientCertificateCredentialBuilder ; // From PEM file ClientCertificateCredential credential = new ClientCertificateCredentialBuilder ( ) . tenantId ( "" ) . clientId ( "" ) . pemCertificate ( "" ) . build ( ) ; // From PFX file with password ClientCertificateCredential credential = new ClientCertificateCredentialBuilder ( ) . tenantId ( "" ) . clientId ( "" ) . pfxCertificate ( "" , "" ) . build ( ) ; // Send certificate chain for SNI ClientCertificateCredential credential = new ClientCertificateCredentialBuilder ( ) . tenantId ( "" ) . clientId ( "" ) . pemCertificate ( "" ) . sendCertificateChain ( true ) . build ( ) ; Environment Credential Reads credentials from environment variables. import com . azure . identity . EnvironmentCredential ; import com . azure . identity . EnvironmentCredentialBuilder ; EnvironmentCredential credential = new EnvironmentCredentialBuilder ( ) . build ( ) ; Required Environment Variables For service principal with secret: AZURE_TENANT_ID = < tenant-id

AZURE_CLIENT_ID

< client-id

AZURE_CLIENT_SECRET

< client-secret

For service principal with certificate: AZURE_TENANT_ID = < tenant-id

AZURE_CLIENT_ID

< client-id

AZURE_CLIENT_CERTIFICATE_PATH

/path/to/cert.pem AZURE_CLIENT_CERTIFICATE_PASSWORD = < optional-password

For username/password: AZURE_TENANT_ID = < tenant-id

AZURE_CLIENT_ID

< client-id

AZURE_USERNAME

< username

AZURE_PASSWORD

< password

Azure CLI Credential For local development using az login . import com . azure . identity . AzureCliCredential ; import com . azure . identity . AzureCliCredentialBuilder ; AzureCliCredential credential = new AzureCliCredentialBuilder ( ) . tenantId ( "" ) // Optional: specific tenant . build ( ) ; Interactive Browser For desktop applications requiring user login. import com . azure . identity . InteractiveBrowserCredential ; import com . azure . identity . InteractiveBrowserCredentialBuilder ; InteractiveBrowserCredential credential = new InteractiveBrowserCredentialBuilder ( ) . clientId ( "" ) . redirectUrl ( "http://localhost:8080" ) // Must match app registration . build ( ) ; Device Code For headless devices (IoT, CLI tools). import com . azure . identity . DeviceCodeCredential ; import com . azure . identity . DeviceCodeCredentialBuilder ; DeviceCodeCredential credential = new DeviceCodeCredentialBuilder ( ) . clientId ( "" ) . challengeConsumer ( challenge -> { // Display to user System . out . println ( challenge . getMessage ( ) ) ; } ) . build ( ) ; Chained Credential Create custom authentication chains. import com . azure . identity . ChainedTokenCredential ; import com . azure . identity . ChainedTokenCredentialBuilder ; ChainedTokenCredential credential = new ChainedTokenCredentialBuilder ( ) . addFirst ( new ManagedIdentityCredentialBuilder ( ) . build ( ) ) . addLast ( new AzureCliCredentialBuilder ( ) . build ( ) ) . build ( ) ; Workload Identity (AKS) For Azure Kubernetes Service with workload identity. import com . azure . identity . WorkloadIdentityCredential ; import com . azure . identity . WorkloadIdentityCredentialBuilder ; // Reads from AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE WorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder ( ) . build ( ) ; // Or explicit configuration WorkloadIdentityCredential credential = new WorkloadIdentityCredentialBuilder ( ) . tenantId ( "" ) . clientId ( "" ) . tokenFilePath ( "/var/run/secrets/azure/tokens/azure-identity-token" ) . build ( ) ; Token Caching Enable persistent token caching for better performance. // Enable token caching (in-memory by default) DefaultAzureCredential credential = new DefaultAzureCredentialBuilder ( ) . enableAccountIdentifierLogging ( ) . build ( ) ; // With shared token cache (for multi-credential scenarios) SharedTokenCacheCredential credential = new SharedTokenCacheCredentialBuilder ( ) . clientId ( "" ) . build ( ) ; Sovereign Clouds import com . azure . identity . AzureAuthorityHosts ; // Azure Government DefaultAzureCredential govCredential = new DefaultAzureCredentialBuilder ( ) . authorityHost ( AzureAuthorityHosts . AZURE_GOVERNMENT ) . build ( ) ; // Azure China DefaultAzureCredential chinaCredential = new DefaultAzureCredentialBuilder ( ) . authorityHost ( AzureAuthorityHosts . AZURE_CHINA ) . build ( ) ; Error Handling import com . azure . identity . CredentialUnavailableException ; import com . azure . core . exception . ClientAuthenticationException ; try { DefaultAzureCredential credential = new DefaultAzureCredentialBuilder ( ) . build ( ) ; AccessToken token = credential . getToken ( new TokenRequestContext ( ) . addScopes ( "https://management.azure.com/.default" ) ) ; } catch ( CredentialUnavailableException e ) { // No credential could authenticate System . out . println ( "Authentication failed: " + e . getMessage ( ) ) ; } catch ( ClientAuthenticationException e ) { // Authentication error (wrong credentials, expired, etc.) System . out . println ( "Auth error: " + e . getMessage ( ) ) ; } Logging Enable authentication logging for debugging. // Via environment variable // AZURE_LOG_LEVEL=verbose // Or programmatically DefaultAzureCredential credential = new DefaultAzureCredentialBuilder ( ) . enableAccountIdentifierLogging ( ) // Log account info . build ( ) ; Environment Variables

DefaultAzureCredential configuration

AZURE_TENANT_ID

< tenant-id

AZURE_CLIENT_ID

< client-id

AZURE_CLIENT_SECRET

< client-secret

Managed Identity

AZURE_CLIENT_ID

< user-assigned-mi-client-id

Workload Identity (AKS)

AZURE_FEDERATED_TOKEN_FILE

/var/run/secrets/azure/tokens/azure-identity-token

Logging

AZURE_LOG_LEVEL

verbose

Authority host

AZURE_AUTHORITY_HOST

https://login.microsoftonline.com/ Best Practices Use DefaultAzureCredential - Works seamlessly from dev to production Managed Identity in Production - No secrets to manage, automatic rotation Azure CLI for Local Dev - Run az login before running your app Least Privilege - Grant only required permissions to service principals Token Caching - Enabled by default, reduces auth round-trips Environment Variables - Use for CI/CD, not hardcoded secrets Credential Selection Matrix Environment Recommended Credential Local Development DefaultAzureCredential (uses Azure CLI) Azure App Service DefaultAzureCredential (uses Managed Identity) Azure Functions DefaultAzureCredential (uses Managed Identity) Azure Kubernetes Service WorkloadIdentityCredential Azure VMs DefaultAzureCredential (uses Managed Identity) CI/CD Pipeline EnvironmentCredential Desktop App InteractiveBrowserCredential CLI Tool DeviceCodeCredential Trigger Phrases "Azure authentication Java", "DefaultAzureCredential Java" "managed identity Java", "service principal Java" "Azure login Java", "Azure credentials Java" "AZURE_CLIENT_ID", "AZURE_TENANT_ID" When to Use This skill is applicable to execute the workflow or actions described in the overview.

返回排行榜