o ix) @sddlZddlZddlmZmZmZmZmZddlm Z m Z m Z m Z m Z ddlmZddlmZddlmZeeZdeed eeeefd eeeeffd d ZGd ddZdS)N)OptionalAnyMappingcastTuple) AccessTokenAccessTokenInfoTokenRequestOptionsTokenCredentialSupportsTokenInfo)CredentialUnavailableError)EnvironmentVariables) log_get_token client_ididentity_configreturncsr@hd}|r!tfdd|Drtdd|d|fSd}|D]}|vr=|r7tdd|||f}q%|S|rFd|fSdS)N>Z object_idrZ resource_idc3s|]}|vVqdSN).0keyrrc/home/app/Keep/.python/lib/python3.10/site-packages/azure/identity/_credentials/managed_identity.py sz+validate_identity_config..zrWhen 'client_id' is provided as a keyword argument, 'identity_config' must not contain any of the following keys: z, rzFidentity_config must not contain more than one of the following keys: )any ValueErrorjoin)rrZ valid_keysresultrrrrvalidate_identity_configs2 rc @seZdZdZddddeedeeeefdeddfdd Zdd d Z d eddfd dZ dddZ e ddddedeedeedede f ddZe dddedeedefddZdS)ManagedIdentityCredentialaKAuthenticates with an Azure managed identity in any hosting environment which supports managed identities. This credential defaults to using a system-assigned identity. To configure a user-assigned identity, use one of the keyword arguments. See `Microsoft Entra ID documentation `__ for more information about configuring managed identity for applications. :keyword str client_id: a user-assigned identity's client ID or, when using Pod Identity, the client ID of a Microsoft Entra app registration. This argument is supported in all hosting environments. :keyword identity_config: a mapping ``{parameter_name: value}`` specifying a user-assigned identity by its object or resource ID, for example ``{"object_id": "..."}``. Check the documentation for your hosting environment to learn what values it expects. :paramtype identity_config: Mapping[str, str] .. admonition:: Example: .. literalinclude:: ../samples/credential_creation_code_snippets.py :start-after: [START create_managed_identity_credential] :end-before: [END create_managed_identity_credential] :language: python :dedent: 4 :caption: Create a ManagedIdentityCredential. NrrrrkwargsrcKs8t||}d|_|dd}|dd|_d}tjtjrotjtj rTtjtj r@d}ddl m }|d||d||_nd}dd l m}|d||d||_ntjtjrnd }dd lm} | d||d||_ntjtjrtjtjrd }dd lm} | d||d||_ned}ddlm} | d||d||_nQtddtjDr|sddlm} |ptjtj} | stdd}d| f}| dtjtj| tjtjd||_nd}ddl m!}|d|||jd||_|r|j"j#d|}|r|d|dd|d7}t$%|dSdS)NZ%_exclude_workload_identity_credentialF_enable_imds_probezService Fabric managed identity)ServiceFabricCredentialr zApp Service managed identity)AppServiceCredentialzAzure Arc managed identity)AzureArcCredentialzAzure ML managed identity)AzureMLCredentialzCloud Shell managed identity)CloudShellCredentialcss|] }tj|VqdSr)osenvironget)rvarrrrrssz5ManagedIdentityCredential.__init__..)WorkloadIdentityCredentialzWorkload identity was selected but no client ID was provided. Configure the environment with a client ID or pass a value for "client_id" argumentzworkload identityr) tenant_idrZtoken_file_pathZIMDS)ImdsCredential)rrr"z will use z with rz: r)&r _credentialpopr"r)r*r+rZIDENTITY_ENDPOINTZIDENTITY_HEADERZIDENTITY_SERVER_THUMBPRINTZservice_fabricr$Z app_servicer%Z IMDS_ENDPOINTZ azure_arcr&Z MSI_ENDPOINTZ MSI_SECRETZazure_mlr'Z cloud_shellr(allZWORKLOAD_IDENTITY_VARSZworkload_identityr-ZAZURE_CLIENT_IDrZAZURE_TENANT_IDZAZURE_FEDERATED_TOKEN_FILEZimdsr/ __class____name___LOGGERinfo)selfrrr!Zuser_identity_infoZexclude_workload_identityZmanaged_identity_typer$r%r&r'r(r-Zworkload_client_idr/Zlog_msgrrr__init__Is              z"ManagedIdentityCredential.__init__cCs|jr|j|Sr)r0 __enter__r7rrrr9s z#ManagedIdentityCredential.__enter__argscGs|jr |jj|dSdSr)r0__exit__)r7r;rrrr<sz"ManagedIdentityCredential.__exit__cCs |dS)z)Close the credential's transport session.N)r<r:rrrcloses zManagedIdentityCredential.closeclaimsr.scopesr?r.cOs.|jstddtt|jj|||d|S)acRequest an access token for `scopes`. This method is called automatically by Azure SDK clients. :param str scopes: desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword str claims: additional claims required in the token, such as those returned in a resource provider's claims challenge following an authorization failure. :keyword str tenant_id: not used by this credential; any value provided will be ignored. :return: An access token with the desired scopes. :rtype: ~azure.core.credentials.AccessToken :raises ~azure.identity.CredentialUnavailableError: managed identity isn't available in the hosting environment No managed identity endpoint found. The Target Azure platform could not be determined from environment variables. Visit https://aka.ms/azsdk/python/identity/managedidentitycredential/troubleshoot to troubleshoot this issue.messager>)r0r rr get_token)r7r?r.r@r!rrrrDs z#ManagedIdentityCredential.get_token)optionsrEcGs(|jstddtt|jj|d|iS)aRequest an access token for `scopes`. This is an alternative to `get_token` to enable certain scenarios that require additional properties on the token. This method is called automatically by Azure SDK clients. :param str scopes: desired scope for the access token. This credential allows only one scope per request. For more information about scopes, see https://learn.microsoft.com/entra/identity-platform/scopes-oidc. :keyword options: A dictionary of options for the token request. Unknown options will be ignored. Optional. :paramtype options: ~azure.core.credentials.TokenRequestOptions :rtype: ~azure.core.credentials.AccessTokenInfo :return: An AccessTokenInfo instance containing information about the token. :raises ~azure.identity.CredentialUnavailableError: managed identity isn't available in the hosting environment. rArBrE)r0r rr get_token_info)r7rEr@rrrrFs z(ManagedIdentityCredential.get_token_info)rr)rN)r4 __module__ __qualname____doc__rstrrrr8r9r<r=rrrDr rrFrrrrr0s< P  &r)loggingr)typingrrrrrZazure.core.credentialsrrr r r r _constantsrZ_internal.decoratorsr getLoggerr4r5rJrrrrrrs