Azure · enj · Apr 22, 2025 · Feb 23, 2024
@@ -1,2 +1,4 @@
 azure-keyvault-secrets==4.7.0
-msal==1.22.0
+# MSAL's acquire_token_for_client() comes with built-in cache since 1.23
+# And it is safe to upgrade to any new versions in 1.x series
+msal>=1.23,<2
@@ -8,17 +8,21 @@
 class MyClientAssertionCredential(object):
 
     def __init__(self, azure_client_id, azure_tenant_id, azure_authority_host, azure_federated_token_file):
-        # read the projected service account token file
-        f = open(azure_federated_token_file, 'rb')
+        self.azure_federated_token_file = azure_federated_token_file
         # create a confidential client application
         self.app = ConfidentialClientApplication(
             azure_client_id,
             client_credential={
-                'client_assertion': f.read().decode("utf-8")
+                'client_assertion': self.read_federation_token,  # A callable will be lazily called, whenever a new token is needed
             },
             authority="{}{}".format(azure_authority_host, azure_tenant_id)
         )
 
+    def read_federation_token(self):
+        # read the projected service account token file
+        with open(self.azure_federated_token_file, 'rb') as f:
+            return f.read().decode("utf-8")
+
     def get_token(self, *scopes, **kwargs):
         # get the token using the application
         token = self.app.acquire_token_for_client(list(scopes))