Use Azure Identity credentials to authenticate in Python

Related products: API and SDKs

Is there any way to use the Azure Identity library to authenticate with the CDF Python SDK? E.g. DefaultAzureCredential. That would enable users logged in with Azure CLI to re-use the login when authenticating to CDF, as well as applications using OIDC managed identities with no application secrets (e.g. AKS workload identities or GitHub Actions) to seamlessly log in using the same code.

 

Something like this would be great:

from azure.identity import DefaultAzureCredential
from cognite.client import CogniteClient, ClientConfig

credential = DefaultAzureCredential()

client_config = ClientConfig(
    credentials=credential,  # Does not work today
    project=COGNITE_PROJECT,
    base_url=f"https://{CDF_CLUSTER}.cognitedata.com",
    client_name=CLIENT_NAME,
)

cdf_client = CogniteClient(client_config)

 

Unfortunately, we do not have that today, but will log it as a feature request. 

 

Just to specify this even more, I guess the method above could be?

CogniteClient.default_azure_credentials(project, cluster) 

with the client name as optional as in the other factory methods we have (set to your user name by default)


Great!

I would prefer to control the credential creation myself. There are a lot of options and variants that will vary from setup to setup. Sometimes you would want to hard-code AzureCliCredential or EnvironmentCredential, or exclude some methods from DefaultAzureCredential.

CogniteClient.azure_credentials(credential, project, cluster)

 


The above method would mimic the way Microsoft's own SDKs work.

Example (KeyVault):

https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-python?tabs=azure-cli



We are looking into the option of using ManagedIdentity from Azure Functions to connect to CDF and PowerOps. The idea outlined by Sindre should also work for our use case, so we would also like to encourage finding a solution to this!


@Sindre Tøsse If you have a good solution for this, can you create a PR for the SDK? I can take over if you set up the first pass on it.


I’m not sure if Sindre has the time to implement a solution for this, but another colleague of mine had an idea of a possible workaround that could have worked using a token provider:

from typing import Callable, Optional

from azure.identity import DefaultAzureCredential
from cognite.client import CogniteClient, ClientConfig
from cognite.client.credentials import Token

# Env, COGNITE_PROJECTS, CDF_CLUSTER and SCOPES are defined elsewhere in our code.


def _create_client_from_token_provider(
    client_name: str,
    env: Env,
    token_provider: Callable
):
    # Token accepts a callable that returns the bearer token string
    cdf_client = CogniteClient(
        ClientConfig(
            credentials=Token(token_provider),
            project=COGNITE_PROJECTS[env],
            base_url=f"https://{CDF_CLUSTER}.cognitedata.com",
            client_name=client_name,
        )
    )
    return cdf_client


def create_client_from_azurecredentials(
    env: Env,
    client_name: str,
    credential: Optional[DefaultAzureCredential] = None
):
    if credential is None:
        credential = DefaultAzureCredential()

    def token_provider():
        return credential.get_token(' '.join(SCOPES)).token

    return _create_client_from_token_provider(client_name, env, token_provider)


However, this fails due to some missing admin consent or similar, but works when the user logs in manually.

We are setting up a lot of ManagedIdentities as we are migrating to new infrastructure with container apps. A solution to this issue would therefore be greatly appreciated.
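
An added example, not part of the original thread and not Cognite SDK code: a token-provider callable in the style of the workaround above that caches the access token and refreshes it shortly before expiry, so the credential is not invoked on every request. The class name CachingTokenProvider, the helper cdf_scope and the `/.default` scope format are assumptions; the credential is duck-typed to the azure-identity shape (`get_token(*scopes)` returning an object with `.token` and `.expires_on`), so the block runs without either library installed.

```python
import threading
import time
from typing import Any, Callable, Optional


class CachingTokenProvider:
    """Callable returning a bearer token, refreshed shortly before expiry.

    `credential` is any object with the azure-identity shape:
    get_token(*scopes) -> object with .token (str) and .expires_on (epoch seconds).
    """

    def __init__(self, credential: Any, scopes: list[str],
                 refresh_margin: int = 300,
                 clock: Callable[[], float] = time.time) -> None:
        if not scopes:
            raise ValueError("at least one scope is required")
        self._credential = credential
        self._scopes = tuple(scopes)
        self._margin = refresh_margin
        self._clock = clock
        self._lock = threading.Lock()
        self._cached: Optional[Any] = None

    def __call__(self) -> str:
        with self._lock:  # SDK calls may come from several worker threads
            tok = self._cached
            if tok is None or tok.expires_on - self._clock() <= self._margin:
                # Scopes are passed as separate arguments, not one joined string.
                tok = self._credential.get_token(*self._scopes)
                if not tok.token:
                    raise RuntimeError("credential returned an empty token")
                self._cached = tok
            return tok.token

    def __repr__(self) -> str:  # keep the token out of logs and tracebacks
        return f"CachingTokenProvider(scopes={self._scopes!r})"


def cdf_scope(cluster: str) -> str:
    """Assumed CDF scope for Entra ID: the cluster base URL plus /.default."""
    return f"https://{cluster}.cognitedata.com/.default"


# Usage with the real libraries (not executed here):
#   from azure.identity import ManagedIdentityCredential
#   from cognite.client.credentials import Token
#   provider = CachingTokenProvider(ManagedIdentityCredential(), [cdf_scope(CDF_CLUSTER)])
#   credentials = Token(provider)
```

Because the caller constructs the credential, a specific type such as AzureCliCredential or EnvironmentCredential can be passed in place of ManagedIdentityCredential without changing the provider.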