The plugin supports three distinct authentication types: Azure CLI integration, service principal, and raw tokens.

Service Principal

The service principal must be provided via environment variables.

You can create a service principal with Azure CLI as follows:

# select correct subscription
az account set -s "my subscription name"

# create service principal
az ad sp create-for-rbac --name <name> --password <password>

This will yield something like:

  "appId": appid,
  "displayName": name,
  "name": name,
  "password": password,
  "tenant": guid

You will need to map it to environment variables for Custodian like this:
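An added example, not taken from the Custodian documentation: a Python helper that maps the service principal output above to environment variables and writes them to an owner-only file so the secret stays out of shell history and logs. The variable names are assumed from Custodian's Azure provider, and the function names, sample JSON and subscription ID are constructed for illustration.

```python
import json
import os
import shlex

# Constructed sample of `az ad sp create-for-rbac` output; every value is fake.
SAMPLE_SP_JSON = """{
  "appId": "11111111-1111-1111-1111-111111111111",
  "displayName": "custodian-sp",
  "name": "http://custodian-sp",
  "password": "constructed-secret",
  "tenant": "22222222-2222-2222-2222-222222222222"
}"""

# Assumption: variable names as read by Custodian's Azure provider (not on this page).
FIELD_TO_ENV = {
    "tenant": "AZURE_TENANT_ID",
    "appId": "AZURE_CLIENT_ID",
    "password": "AZURE_CLIENT_SECRET",
}


def sp_to_env(sp_json, subscription_id):
    """Map service principal output to the environment Custodian reads."""
    sp = json.loads(sp_json)
    missing = [field for field in FIELD_TO_ENV if not sp.get(field)]
    if missing:
        raise ValueError("service principal output lacks: " + ", ".join(missing))
    if not subscription_id:
        raise ValueError("subscription id is required (see `az account show`)")
    env = {var: sp[field] for field, var in FIELD_TO_ENV.items()}
    env["AZURE_SUBSCRIPTION_ID"] = subscription_id
    return env


def write_env_file(env, path):
    """Write `export` lines to a new owner-only file; the secret is never printed."""
    # O_EXCL refuses to reuse an existing path; 0o600 is owner read/write only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        for name in sorted(env):
            handle.write(f"export {name}={shlex.quote(env[name])}\n")


def redacted(env):
    """Copy of env that is safe to log."""
    return {k: "***" if k == "AZURE_CLIENT_SECRET" else v for k, v in env.items()}


if __name__ == "__main__":
    env = sp_to_env(SAMPLE_SP_JSON, "33333333-3333-3333-3333-333333333333")
    print(redacted(env))
```

The subscription ID is passed separately because the service principal output does not contain it.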


Azure CLI

Set the environment variable AZURE_CLI_AUTH to any value, and the session will pull credentials and the default subscription from Azure CLI. This requires that you have run az login in Azure CLI first.

Access Token

Passing access tokens directly is useful for integration or fake test authentication.

For fake test authentication, environment variables should be configured as shown below:


You will also find this configuration in tox.ini.