Authentication

The plugin supports three distinct authentication types, including Azure CLI integration, service principal, and raw tokens.

Service Principal

Service principal must be provided via environment variables.

You can create a service principal with Azure CLI as follows:

# select correct subscription
az account set -s "my subscription name"

# create service principal
az ad sp create-for-rbac --name <name> --password <password>

This will yield something like:

{
  "appId": appid,
  "displayName": name,
  "name": name,
  "password": password,
  "tenant": guid
}

You will need to map it to environment variables for Custodian like this:

AZURE_TENANT_ID=tenant
AZURE_SUBSCRIPTION_ID=subscriptionId
AZURE_CLIENT_ID=appId
AZURE_CLIENT_SECRET=password

Azure CLI

Set environment variable AZURE_CLI_AUTH to any value, and session will pull credentials and the default subscription from Azure CLI. Requires that you have run az login in Azure CLI first.

Access Token

Passing access tokens directly is useful for integration or fake test authentication.

For fake test authentication environment variables should be configured as shown below:

AZURE_ACCESS_TOKEN=fake_token
AZURE_SUBSCRIPTION_ID=ea42f556-5106-4743-99b0-c129bfa71a47

You will also find this configuration in tox.ini.