Create a Microsoft Entra ID token provider using AzureAuth
Source:R/token-azure-identity.R
foundry_token_azure_identity.RdCreate a provider function for foundry_set_token_provider() that acquires
Microsoft Entra ID access tokens through the AzureAuth package. This
supports service principals (client secret or certificate), managed identity,
and interactive or device-code flows, and refreshes tokens automatically as
they approach expiry.
Usage
foundry_token_azure_identity(
resource = "https://ai.azure.com",
tenant = Sys.getenv("AZURE_TENANT_ID"),
app = Sys.getenv("AZURE_CLIENT_ID"),
password = NULL,
username = NULL,
certificate = NULL,
auth_type = NULL,
managed_identity = FALSE,
version = 1,
...
)Arguments
- resource
Character. The token audience. Defaults to
"https://ai.azure.com", the canonical Azure AI Foundry data-plane audience. Pass"https://cognitiveservices.azure.com"for legacy Cognitive Services resources.- tenant
Character. Microsoft Entra ID tenant. Defaults to the
AZURE_TENANT_IDenvironment variable. Ignored whenmanaged_identity = TRUE.- app
Character. Application (client) ID. Defaults to the
AZURE_CLIENT_IDenvironment variable. Ignored whenmanaged_identity = TRUE.- password
Character or
NULL. Client secret for a service principal, or the resource-owner password.NULLselects an interactive or device-code flow.- username
Character or
NULL. Username for the resource-owner flow.- certificate
Character or
NULL. Path to, or contents of, a certificate for certificate-based service-principal authentication.- auth_type
Character or
NULL. Explicit AzureAuth authentication type.NULLlets AzureAuth choose based on the other arguments.- managed_identity
Logical. If
TRUE, acquire a token from an Azure managed identity viaAzureAuth::get_managed_token()and ignoretenantandapp. DefaultFALSE.- version
Integer. Microsoft Entra ID endpoint version,
1or2. Default1, matching the resource-styleresourceabove.- ...
Additional arguments passed to
AzureAuth::get_azure_token()orAzureAuth::get_managed_token().
Value
A zero-argument token provider function suitable for
foundry_set_token_provider().
Details
The token is acquired lazily on first use, so building the provider never triggers a network call. Tokens are re-acquired within five minutes of expiry; AzureAuth reuses its on-disk cache and refresh tokens under the hood, so re-acquisition is inexpensive and does not re-prompt for interactive flows.
See also
foundry_token_azure_cli() for a provider that shells out to the
Azure CLI instead.
Examples
if (FALSE) { # \dontrun{
# Service principal with a client secret
foundry_set_token_provider(
foundry_token_azure_identity(
tenant = "your-tenant-id",
app = "your-client-id",
password = Sys.getenv("AZURE_CLIENT_SECRET")
)
)
# Managed identity inside Azure
foundry_set_token_provider(
foundry_token_azure_identity(managed_identity = TRUE)
)
} # }