WorkloadIdentityCredential Class  
Authenticates using Microsoft Entra Workload ID.
Workload identity authentication is a feature in Azure that allows applications running on virtual machines (VMs) to access other Azure resources without the need for a service principal or managed identity. With workload identity authentication, applications authenticate themselves using their own identity, rather than using a shared service principal or managed identity. Under the hood, workload identity authentication uses the concept of Service Account Credentials (SACs), which are automatically created by Azure and stored securely in the VM. By using workload identity authentication, you can avoid the need to manage and rotate service principals or managed identities for each application on each VM. Additionally, because SACs are created automatically and managed by Azure, you don't need to worry about storing and securing sensitive credentials yourself.
The WorkloadIdentityCredential supports Azure workload identity authentication on Azure Kubernetes and acquires a token using the service account credentials available in the Azure Kubernetes environment. Refer to this workload identity overview for more information.
Constructor
WorkloadIdentityCredential(*, tenant_id: str | None = None, client_id: str | None = None, token_file_path: str | None = None, **kwargs: Any)
Keyword-Only Parameters
| Name | Description | 
|---|---|
| tenant_id | ID of the application's Microsoft Entra tenant. Also called its "directory" ID. Default value: None | 
| client_id | The client ID of a Microsoft Entra app registration. Default value: None | 
| token_file_path | The path to a file containing a Kubernetes service account token that authenticates the identity. Default value: None | 
Examples
Create a WorkloadIdentityCredential.
```python
from azure.identity import WorkloadIdentityCredential

credential = WorkloadIdentityCredential(
    tenant_id="<tenant_id>",
    client_id="<client_id>",
    token_file_path="<token_file_path>",
)

# Parameters can be omitted if the following environment variables are set:
#   - AZURE_TENANT_ID
#   - AZURE_CLIENT_ID
#   - AZURE_FEDERATED_TOKEN_FILE
credential = WorkloadIdentityCredential()
```
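The following preflight check is an added example, not code from the Azure SDK or from this page. It inspects the three environment variables listed above and the projected service account token before a credential is constructed, so a misconfigured pod fails with a specific reason. The expected audience `api://AzureADTokenExchange`, the `system:serviceaccount:` subject prefix, and the helper names `jwt_claims`, `preflight` and `write_sample_token` are assumptions of this example; the sample token is constructed and unsigned.

```python
import base64, json, os, tempfile, time

REQUIRED_ENV = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE")
# Assumption: the audience Entra federated credentials expect by default.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def preflight(env=None, now=None):
    """Return a list of problems; an empty list means the inputs look usable."""
    env = os.environ if env is None else env
    now = time.time() if now is None else now
    problems = [f"{name} is not set" for name in REQUIRED_ENV if not env.get(name)]
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if not path:
        return problems
    try:
        with open(path, encoding="utf-8") as fh:
            claims = jwt_claims(fh.read())
    except (OSError, ValueError) as exc:
        return problems + [f"token file unusable: {exc}"]
    aud = claims.get("aud", [])
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        problems.append(f"unexpected audience: {aud!r}")
    if claims.get("exp", 0) <= now:
        problems.append("service account token is expired")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("subject is not a Kubernetes service account")
    return problems

def write_sample_token(claims):
    """Write a constructed, unsigned token to a temp file and return its path."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    with tempfile.NamedTemporaryFile("w", suffix=".jwt", delete=False) as fh:
        fh.write(f"{enc({'alg': 'none'})}.{enc(claims)}.sig")
    return fh.name

if __name__ == "__main__":
    sample = {"aud": ["api://AzureADTokenExchange"], "exp": int(time.time()) + 3600,
              "sub": "system:serviceaccount:demo-ns:demo-sa"}  # constructed values
    env = {"AZURE_TENANT_ID": "<tenant_id>", "AZURE_CLIENT_ID": "<client_id>",
           "AZURE_FEDERATED_TOKEN_FILE": write_sample_token(sample)}
    print(preflight(env) or "workload identity inputs look usable")
```

The decoded claims are for diagnostics only; the token's signature is validated by Microsoft Entra during the exchange, not by this check.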
Methods
| Name | Description |
|---|---|
| close | Close the credential's underlying HTTP client and release resources. |
| get_token | Request an access token for scopes. This method is called automatically by Azure SDK clients. |
| get_token_info | Request an access token for scopes. This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. |
close
Close the credential's underlying HTTP client and release resources.
close() -> None
get_token
Request an access token for scopes.
This method is called automatically by Azure SDK clients.
get_token(*scopes: str, claims: str | None = None, tenant_id: str | None = None, enable_cae: bool = False, **kwargs: Any) -> AccessToken
Parameters
| Name | Description |
|---|---|
| scopes (Required) | desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://free.blessedness.top/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description | 
|---|---|
| claims | additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. Default value: None | 
| tenant_id | optional tenant to include in the token request. Default value: None | 
| enable_cae | indicates whether to enable Continuous Access Evaluation (CAE) for the requested token. Defaults to False. Default value: False | 
Returns
| Type | Description | 
|---|---|
| AccessToken | An access token with the desired scopes. |
Exceptions
| Type | Description | 
|---|---|
| | the credential is unable to attempt authentication because it lacks required data, state, or platform support |
| | authentication failed. The error's |
get_token_info
Request an access token for scopes.
This is an alternative to get_token to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients.
get_token_info(*scopes: str, options: TokenRequestOptions | None = None) -> AccessTokenInfo
Parameters
| Name | Description |
|---|---|
| scopes (Required) | desired scopes for the access token. This method requires at least one scope. For more information about scopes, see https://free.blessedness.top/entra/identity-platform/scopes-oidc. |
Keyword-Only Parameters
| Name | Description | 
|---|---|
| options | A dictionary of options for the token request. Unknown options will be ignored. Optional. Default value: None | 
Returns
| Type | Description | 
|---|---|
| AccessTokenInfo | An AccessTokenInfo instance containing information about the token. |
Exceptions
| Type | Description | 
|---|---|
| | the credential is unable to attempt authentication because it lacks required data, state, or platform support |
| | authentication failed. The error's |