 Table
Table
Authentication
All tasks must be authenticated for the Azure Platform. Multiple authentication methods are supported:
1. Service Principal with Client Secret
You can set the following task properties:
- tenantId: Directory (tenant) ID of the Azure Active Directory instance.
- clientId: Application (client) ID of your service principal.
- clientSecret: Secret associated with your service principal.
This is a common method for server-to-server authentication and recommended for automation scenarios. This is best used with secrets to avoid exposing credentials in plain text.
2. Service Principal with Certificate
Alternatively, you can use a PEM certificate for authentication by specifying:
- tenantId
- clientId
- pemCertificate: PEM-formatted certificate content.
This method is preferred over client secrets when enhanced security and certificate lifecycle management are required.
3. Default Azure Credentials
If no client secret or certificate is defined, the DefaultAzureCredential chain will be used. This includes:
- Environment variables (AZURE_TENANT_ID,AZURE_CLIENT_ID,AZURE_CLIENT_SECRET, etc.).
- Managed identity for Azure resources (if the task is running on an Azure VM, App Service, etc.).
- Azure CLI logged-in user.
- Visual Studio Code or Azure Developer CLI credentials.
⚠️ In all cases, specifying
tenantIdis required.
4. SAS Token or Shared Key Authentication
Some Azure services support alternate authentication modes:
- Shared Key: use sharedKeyAccountNameandsharedKeyAccountAccessKeyfor services like Azure Storage.
- SAS Token: use sasTokenfor temporary delegated access to resources.
These can also be stored as secrets.
Common Properties
- endpoint: Most tasks require an- endpointproperty pointing to the Azure service endpoint (e.g., Blob storage URL).
- scopes: Some tasks allow you to define custom scopes (defaults to- https://management.azure.com/.default).
Example
id: azure_get_token
namespace: company.team
tasks: 
  - id: get_access_token
    type: io.kestra.plugin.azure.oauth.OauthAccessToken
    tenantId: "{{ secret('AZURE_TENANT_ID') }}"
    clientId: "{{ secret('AZURE_CLIENT_ID') }}"
    clientSecret: "{{ secret('AZURE_CLIENT_SECRET') }}"
For more information on Azure authentication, see Azure Identity documentation.
