Commit 7a84070

Update managed-identity.md
1 parent 49c4b0d commit 7a84070

1 file changed

+37
-1
lines changed

msal-python-conceptual/advanced/managed-identity.md

Lines changed: 37 additions & 1 deletion
@@ -54,7 +54,7 @@ In both system- and user-assigned identities, developers need to use <xref:msal.
5454
System-assigned managed identities can be used by instantiating <xref:msal.managed_identity.SystemAssignedManagedIdentity> and passing to <xref:msal.managed_identity.ManagedIdentityClient>.
5555

5656
>[!NOTE]
57-
>You also need to pass a `http_client` reference, which can be set to `requests.Session()`, which keeps track of a pool of connections to the IMDS endpoint.
57+
>You need to include a `http_client` reference, which can be set to `requests.Session()`. This enables MSAL to maintain a pool of connections to the IMDS endpoint.
5858
5959
You can specify the target resource scope when calling [`acquire_token_for_client`](xref:msal.managed_identity.ManagedIdentityClient.acquire_token_for_client).
6060
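Review bot: The reworded note at new line 57 still does not say where `http_client` goes. "Include a `http_client` reference" reads like a setting, while the sample later in this file passes it as a keyword argument to the client constructor (`msal.ManagedIdentityClient(managed_identity, http_client=requests.Session())`). Suggest wording along the lines of "Pass an `http_client` argument to `ManagedIdentityClient`; it can be set to `requests.Session()`, which lets MSAL maintain a pool of connections to the IMDS endpoint." The same sentence is added verbatim at new line 87, so the final wording should be applied in both places.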

@@ -72,3 +72,39 @@ if "access_token" in result:
7272
print("Token obtained!")
7373
```
7474

75+
>[!IMPORTANT]
76+
>You need to enable a system-assigned identity for the resource where the Python code runs; otherwise, no token will be returned.
77+
78+
### User-assigned managed identities
79+
80+
User-assigned managed identities can be used by instantiating <xref:msal.managed_identity.UserAssignedManagedIdentity> and passing to <xref:msal.managed_identity.ManagedIdentityClient>. You will need to specify the **one of the following**:
81+
82+
- Client ID (`client_id`)
83+
- Resource ID (`resource_id`)
84+
- Object ID (`object_id`)
85+
86+
>[!NOTE]
87+
>You need to include a `http_client` reference, which can be set to `requests.Session()`. This enables MSAL to maintain a pool of connections to the IMDS endpoint.
88+
89+
You can specify the target resource scope when calling [`acquire_token_for_client`](xref:msal.managed_identity.ManagedIdentityClient.acquire_token_for_client).
90+
91+
```python
92+
import msal
93+
import requests
94+
95+
managed_identity = msal.UserAssignedManagedIdentity(client_id='YOUR_CLIENT_ID')
96+
97+
global_app = msal.ManagedIdentityClient(managed_identity, http_client=requests.Session())
98+
99+
result = global_app.acquire_token_for_client(resource='https://vault.azure.net')
100+
101+
if "access_token" in result:
102+
print("Token obtained!")
103+
```
104+
105+
>[!IMPORTANT]
106+
>You need to attach a user-assigned identity for the resource where the Python code runs; otherwise, no token will be returned. If an incorrect identifier is used for the user-assigned managed identity, no token will be returned as well.
107+
108+
## Caching
109+
110+
By default, MSAL Python supports in-memory caching. MSAL does not support cache extensibility for managed identity because of security concerns when using distributed cache. Since a token acquired for managed identity belongs to an Azure resource, using a distributed cache might expose it to the other Azure resources sharing the cache.
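Review bot: The sample at new lines 99-102 handles only the success case, while the IMPORTANT note at line 106 names two situations in which no token comes back (identity not attached to the resource, incorrect identifier). A reader who copies the sample gets no output at all in either case. Suggest adding an `else` branch after `if "access_token" in result:` that reports what `result` contains instead, and keeping the success branch as it is so the token itself is never printed. Two wording points: line 80 reads "specify the **one of the following**" (drop "the"), and at line 106 "no token will be returned as well" should be "no token will be returned either". In the Caching paragraph at line 110, "does not support cache extensibility" would be clearer if it said outright that a custom or distributed token cache cannot be plugged in for managed identity, since that is the security-relevant constraint.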
