Description

Azure Identity SDK for Python authentication. Use for DefaultAzureCredential, managed identity, service principals, and token caching. Triggers: "azure-identity", "DefaultAzureCredential", "authentication", "managed identity", "service principal", "credential".

README (SKILL.md)

Azure Identity SDK for Python

Name: Azure Identity Py
Author: thegovind

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

Installation

pip install azure-identity

Environment Variables

# Service Principal (for production/CI)
AZURE_TENANT_ID=\x3Cyour-tenant-id>
AZURE_CLIENT_ID=\x3Cyour-client-id>
AZURE_CLIENT_SECRET=\x3Cyour-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=\x3Cmanaged-identity-client-id>

DefaultAzureCredential

The recommended credential for most scenarios. Tries multiple authentication methods in order:

from azure.identity import DefaultAzureCredential
from azure.storage.blob import BlobServiceClient

# Works in local dev AND production without code changes
credential = DefaultAzureCredential()

client = BlobServiceClient(
    account_url="https://\x3Caccount>.blob.core.windows.net",
    credential=credential
)

Credential Chain Order

Order	Credential	Environment
1	EnvironmentCredential	CI/CD, containers
2	WorkloadIdentityCredential	Kubernetes
3	ManagedIdentityCredential	Azure VMs, App Service, Functions
4	SharedTokenCacheCredential	Windows only
5	VisualStudioCodeCredential	VS Code with Azure extension
6	AzureCliCredential	`az login`
7	AzurePowerShellCredential	`Connect-AzAccount`
8	AzureDeveloperCliCredential	`azd auth login`

Customizing DefaultAzureCredential

# Exclude credentials you don't need
credential = DefaultAzureCredential(
    exclude_environment_credential=True,
    exclude_shared_token_cache_credential=True,
    managed_identity_client_id="\x3Cuser-assigned-mi-client-id>"  # For user-assigned MI
)

# Enable interactive browser (disabled by default)
credential = DefaultAzureCredential(
    exclude_interactive_browser_credential=False
)

Specific Credential Types

ManagedIdentityCredential

For Azure-hosted resources (VMs, App Service, Functions, AKS):

from azure.identity import ManagedIdentityCredential

# System-assigned managed identity
credential = ManagedIdentityCredential()

# User-assigned managed identity
credential = ManagedIdentityCredential(
    client_id="\x3Cuser-assigned-mi-client-id>"
)

ClientSecretCredential

For service principal with secret:

from azure.identity import ClientSecretCredential

credential = ClientSecretCredential(
    tenant_id=os.environ["AZURE_TENANT_ID"],
    client_id=os.environ["AZURE_CLIENT_ID"],
    client_secret=os.environ["AZURE_CLIENT_SECRET"]
)

AzureCliCredential

Uses the account from az login:

from azure.identity import AzureCliCredential

credential = AzureCliCredential()

ChainedTokenCredential

Custom credential chain:

from azure.identity import (
    ChainedTokenCredential,
    ManagedIdentityCredential,
    AzureCliCredential
)

# Try managed identity first, fall back to CLI
credential = ChainedTokenCredential(
    ManagedIdentityCredential(client_id="\x3Cuser-assigned-mi-client-id>"),
    AzureCliCredential()
)

Credential Types Table

Credential	Use Case	Auth Method
`DefaultAzureCredential`	Most scenarios	Auto-detect
`ManagedIdentityCredential`	Azure-hosted apps	Managed Identity
`ClientSecretCredential`	Service principal	Client secret
`ClientCertificateCredential`	Service principal	Certificate
`AzureCliCredential`	Local development	Azure CLI
`AzureDeveloperCliCredential`	Local development	Azure Developer CLI
`InteractiveBrowserCredential`	User sign-in	Browser OAuth
`DeviceCodeCredential`	Headless/SSH	Device code flow

Getting Tokens Directly

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()

# Get token for a specific scope
token = credential.get_token("https://management.azure.com/.default")
print(f"Token expires: {token.expires_on}")

# For Azure Database for PostgreSQL
token = credential.get_token("https://ossrdbms-aad.database.windows.net/.default")

Async Client

from azure.identity.aio import DefaultAzureCredential
from azure.storage.blob.aio import BlobServiceClient

async def main():
    credential = DefaultAzureCredential()
    
    async with BlobServiceClient(
        account_url="https://\x3Caccount>.blob.core.windows.net",
        credential=credential
    ) as client:
        # ... async operations
        pass
    
    await credential.close()

Best Practices

Use DefaultAzureCredential for code that runs locally and in Azure
Never hardcode credentials — use environment variables or managed identity
Prefer managed identity in production Azure deployments
Use ChainedTokenCredential when you need a custom credential order
Close async credentials explicitly or use context managers
Set AZURE_CLIENT_ID for user-assigned managed identities
Exclude unused credentials to speed up authentication

Usage Guidance

This SKILL.md appears to be a straightforward guide for the official azure-identity Python SDK, but the skill metadata does not declare the sensitive environment variables the document uses. Before installing or enabling this skill: 1) Confirm the skill's source/author (no homepage or repository is provided). 2) Only provide AZURE_* credentials when you trust the skill and the runtime environment — avoid pasting secrets into chat. 3) Prefer managed identities in production (avoid long-lived client secrets). 4) Ask the skill author to declare required env vars in metadata so you can make an informed decision. 5) If an agent will run this skill autonomously, be extra cautious because obtained tokens could grant access to Azure resources; restrict the agent's Azure permissions (least privilege) and monitor token use.

Capability Analysis

Type: OpenClaw Skill Name: azure-identity-py Version: 0.1.0 The skill bundle provides documentation and code examples for the `azure-identity` Python SDK. It instructs the agent to install the legitimate `azure-identity` package via `pip install`. The content describes standard practices for Azure authentication, including reading credentials from environment variables, which is appropriate for an identity library. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, prompt injection attempts against the agent, or obfuscation. All actions are clearly aligned with the stated purpose of facilitating Azure authentication.

Capability Assessment

ℹ Purpose & Capability

The skill's name, description, and instructions match: it's a usage guide for the Azure Identity SDK for Python. The examples and credential types shown are appropriate for that purpose. However, the metadata declares no required environment variables even though the README shows service-principal and managed-identity environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET).

✓ Instruction Scope

SKILL.md only shows usage examples for DefaultAzureCredential and other Azure credentials and how to call get_token; it does not instruct the agent to read unrelated system files, post tokens to external endpoints, or perform actions outside of authentication usage. Examples reference environment variables (and os.environ) which is expected for this library.

✓ Install Mechanism

This is an instruction-only skill with no install spec or code files. The document tells users to run `pip install azure-identity`, which is normal; nothing in the skill instructs downloading arbitrary or untrusted code.

⚠ Credentials

The SKILL.md shows and uses sensitive environment variables (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and user-assigned managed identity client IDs) but the skill metadata lists no required env vars or primary credential. That mismatch could lead an unsuspecting user or agent to provide secrets without realizing the skill expects them. The credential usage itself is appropriate for the described purpose, but the metadata omission reduces transparency about sensitive data needs.

✓ Persistence & Privilege

The skill does not request persistent presence (always:false) and contains no instructions to modify other skills or system-wide configurations. Autonomous invocation is allowed by default on the platform but is not combined here with other elevated privileges.

Version History

v0.1.0

Initial release of azure-identity-py skill. - Provides usage guidance for Azure Identity SDK authentication in Python. - Documents DefaultAzureCredential, managed identity, service principals, and token caching. - Includes credential chain order, environment variable setup, and async usage examples. - Covers best practices and credential selection for local and cloud scenarios.

Metadata

Slug azure-identity-py

Version 0.1.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Azure Identity Py?

Azure Identity SDK for Python authentication. Use for DefaultAzureCredential, managed identity, service principals, and token caching. Triggers: "azure-identity", "DefaultAzureCredential", "authentication", "managed identity", "service principal", "credential". It is an AI Agent Skill for Claude Code / OpenClaw, with 1936 downloads so far.

How do I install Azure Identity Py?

Run "/install azure-identity-py" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Azure Identity Py free?

Yes, Azure Identity Py is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Azure Identity Py support?

Azure Identity Py is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Azure Identity Py?

It is built and maintained by thegovind (@thegovind); the current version is v0.1.0.

More Skills

Azure Identity Py