| Title: | Credential Chain for Seamless 'OAuth 2.0' Authentication to 'Azure Services' |
|---|---|
| Description: | Implements a credential chain for 'Azure OAuth 2.0' authentication based on the package 'httr2''s 'OAuth' framework. Sequentially attempts authentication methods until one succeeds. During development allows interactive browser-based flows ('Device Code' and 'Auth Code' flows) and non-interactive flow ('Client Secret') in batch mode. |
| Authors: | Pedro Baltazar [aut, cre] |
| Maintainer: | Pedro Baltazar <[email protected]> |
| License: | MIT + file LICENSE |
| Version: | 0.3.5 |
| Built: | 2026-06-29 10:45:51 UTC |
| Source: | https://github.com/pedrobtz/azr |
An R6 class that provides a base HTTP client for interacting with Azure APIs. This client handles authentication, request building, retry logic, logging, and error handling for Azure API requests.
The api_client class is designed to be a base class for Azure service-specific
clients. It provides:
Automatic authentication using Azure credentials
Configurable retry logic with exponential backoff
Request and response logging
JSON, XML, and HTML content type handling
Standardized error handling
.host_urlBase URL for the API
.base_reqBase httr2 request object
.providerCredential provider R6 object
.credentialsCredentials function for authentication
.optionsRequest options (timeout, connecttimeout, max_tries)
.response_handlerOptional callback function to process response content
.verboseLogical flag controlling request/response logging in .send_request()
new()
Create a new API client instance
api_client$new(
host_url,
provider = NULL,
credentials = NULL,
timeout = 60L,
connecttimeout = 30L,
max_tries = 5L,
response_handler = NULL,
verbose = opts$get("api_verbose")
)host_urlA character string specifying the base URL for the API
(e.g., "https://management.azure.com").
providerAn R6 credential provider object that inherits from the
Credential or DefaultCredential class. If provided, the credential's
req_auth method will be used for authentication. Takes precedence over
credentials.
credentialsA function that adds authentication to requests. If
both provider and credentials are NULL, uses default_non_auth().
The function should accept an httr2 request object and return a modified
request with authentication.
timeoutAn integer specifying the request timeout in seconds.
Defaults to 60.
connecttimeoutAn integer specifying the connection timeout in
seconds. Defaults to 30.
max_triesAn integer specifying the maximum number of retry
attempts for failed requests. Defaults to 5.
response_handlerAn optional function to process the parsed response
content. The function should accept one argument (the parsed response) and
return the processed content. If NULL, uses default_response_handler()
which converts data frames to data.table objects. Defaults to NULL.
verboseA logical flag controlling request/response logging in
.send_request(). When FALSE, the >>> request and <<< response
cli alerts are suppressed. Defaults to the api_verbose option, which
reads options(azr.api_verbose = ...) or the AZR_API_VERBOSE
environment variable; see azr_options().
A new api_client object
.fetch()
Make an HTTP request to the API
api_client$.fetch(
path,
...,
query = NULL,
body = NULL,
headers = NULL,
method = "get",
verbosity = 0L,
content = c("body", "headers", "response", "request"),
content_type = NULL
)pathA character string specifying the API endpoint path. Supports
rlang::englue() syntax for variable interpolation using named arguments
passed via ....
...Named arguments used for path interpolation with rlang::englue().
queryA named list of query parameters to append to the URL.
bodyRequest body data. Sent as JSON in the request body. Can be a list or character string (JSON).
headersA named list of additional HTTP headers to include in the request.
methodA character string specifying the HTTP method. One of
"get", "post", "put", "patch", or "delete". Defaults to "get".
verbosityAn integer specifying the verbosity level for request
debugging (passed to httr2::req_perform()). Defaults to 0.
contentA character string specifying what to return. One of:
"body" (default): Return the parsed response body
"headers": Return response headers
"response": Return the full httr2 response object
"request": Return the prepared request object without executing it
content_typeA character string specifying how to parse the response
body. If NULL, uses the response's Content-Type header. Common values:
"application/json", "application/xml", "text/html".
Depends on the content parameter:
"body": Parsed response body (list, data.frame, or character)
"headers": List of response headers
"response": Full httr2::response() object
"request": httr2::request() object
.resp_content()
Extract content from a response object
api_client$.resp_content(resp, content, content_type = NULL)
respAn httr2::response() object
contentA character string specifying what to return. One of:
"body": Return the parsed response body
"headers": Return response headers
"response": Return the full httr2 response object
content_typeA character string specifying how to parse the response
body. Only used when content = "body". If NULL, uses the response's
Content-Type header.
Depends on the content parameter:
"body": Parsed response body (list, data.frame, or character)
"headers": List of response headers
"response": Full httr2::response() object
.build_request()
Build an HTTP request object
api_client$.build_request( path, ..., query = NULL, body = NULL, headers = NULL, method = "get" )
pathA character string specifying the API endpoint path. Supports
rlang::englue() syntax for variable interpolation using named arguments
passed via ....
...Named arguments used for path interpolation with rlang::englue().
queryA named list of query parameters to append to the URL.
bodyRequest body data. Sent as JSON in the request body. Can be a list or character string (JSON).
headersA named list of additional HTTP headers to include in the request.
methodA character string specifying the HTTP method. One of
"get", "post", "put", "patch", or "delete". Defaults to "get".
An httr2::request() object ready for execution
.send_request()
Perform an HTTP request and log the results
api_client$.send_request(req, verbosity)
reqAn httr2::request() object to execute
verbosityAn integer specifying the verbosity level for request
debugging (passed to httr2::req_perform()). Defaults to 0.
An httr2::response() object containing the API response
.resp_body_content()
Extract and parse response content
api_client$.resp_body_content(resp, content_type = NULL)
respAn httr2::response() object
content_typeA character string specifying how to parse the response
body. If NULL, uses the response's Content-Type header. Common values:
"application/json", "application/xml", "text/html".
Parsed response body. Format depends on content type:
JSON: List or data.frame
XML: xml2 document
HTML: xml2 document
Other: Character string
.get_token()
Get authentication token from the credential provider
api_client$.get_token()
An httr2::oauth_token() object if a provider is available,
otherwise returns NULL with a warning.
clone()
The objects of this class are cloneable with this method.
api_client$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create a client with default credentials client <- api_client$new( host_url = "https://management.azure.com" ) # Create a client with a credential provider cred_provider <- get_credential_provider( scope = "https://management.azure.com/.default" ) client <- api_client$new( host_url = "https://management.azure.com", provider = cred_provider ) # Create a client with custom credentials function client <- api_client$new( host_url = "https://management.azure.com", credentials = my_credential_function, timeout = 120, max_tries = 3 ) # Create a client with custom response handler custom_handler <- function(content) { # Custom processing logic - e.g., keep data frames as-is content } client <- api_client$new( host_url = "https://management.azure.com", response_handler = custom_handler ) # Make a GET request response <- client$.fetch( path = "/subscriptions/{subscription_id}/resourceGroups", subscription_id = "my-subscription-id", query = list(`api-version` = "2021-04-01"), method = "get" ) ## End(Not run)## Not run: # Create a client with default credentials client <- api_client$new( host_url = "https://management.azure.com" ) # Create a client with a credential provider cred_provider <- get_credential_provider( scope = "https://management.azure.com/.default" ) client <- api_client$new( host_url = "https://management.azure.com", provider = cred_provider ) # Create a client with custom credentials function client <- api_client$new( host_url = "https://management.azure.com", credentials = my_credential_function, timeout = 120, max_tries = 3 ) # Create a client with custom response handler custom_handler <- function(content) { # Custom processing logic - e.g., keep data frames as-is content } client <- api_client$new( host_url = "https://management.azure.com", response_handler = custom_handler ) # Make a GET request response <- client$.fetch( path = "/subscriptions/{subscription_id}/resourceGroups", subscription_id = "my-subscription-id", query = list(`api-version` = "2021-04-01"), method = "get" ) ## End(Not run)
An R6 class that extends api_client to provide a Kusto Query Language
(KQL) query() method against the public Azure Log Analytics REST API,
bound to a specific Azure subscription and resource group at construction.
The client is bound to subscription_id and resource_id (the resource
group name) at construction. The $query() method issues a POST to
https://{endpoint}/{api_version}/subscriptions/{subscription_id}/resourceGroups/{resource_id}/query
with a JSON body ({"query": ..., "timespan": ..., "workspaces": [...]}).
Pass scope = "hierarchy" (or any other supported query-string parameter)
via ... on $query() to traverse the resource hierarchy.
azr::api_client -> api_log_analytics_client
.subscription_idThe Azure subscription ID the client is bound to.
.resource_idThe Azure resource group name the client is bound to.
.api_versionThe API version segment prepended to all query paths.
new()
Create a new Azure Log Analytics API client instance bound to a specific subscription and resource group.
api_log_analytics_client$new(
subscription_id,
resource_id,
endpoint = default_log_analytics_endpoint(),
api_version = "v1",
scope = default_azure_scope("azure_log_analytics"),
provider = NULL,
chain = NULL,
tenant_id = NULL,
...
)subscription_idA character string specifying the Azure subscription ID (GUID) to bind the client to.
resource_idA character string specifying the Azure resource group name to bind the client to.
endpointA character string specifying the Log Analytics query
endpoint host (e.g. "api.loganalytics.io"). Defaults to
default_log_analytics_endpoint(). Any leading https?:// scheme or
trailing slashes are stripped.
api_versionA character string specifying the API version segment
prepended to the query path. Defaults to "v1".
scopeA character string specifying the OAuth2 scope. Defaults to
default_azure_scope("azure_log_analytics").
providerAn optional credential provider object that inherits from
Credential or DefaultCredential. If provided, chain is ignored.
chainA credential_chain instance for authentication. If NULL,
a default credential chain is created using DefaultCredential.
tenant_idA character string specifying the Azure tenant ID. Passed
to DefaultCredential when chain is NULL.
...Additional arguments passed to the parent api_client constructor.
A new api_log_analytics_client object
query()
Issue a KQL query against the bound subscription and resource group.
api_log_analytics_client$query( query, date_from = Sys.Date() - 3, date_to = Sys.Date() + 1, timespan = NULL, max_rows = 500001L, options = list(truncationMaxSize = 67108864L), workspace_filters = list(regions = list()), ..., raw = FALSE, coerce_types = TRUE )
queryA character string containing the KQL query to execute.
date_fromStart of the time range as a Date or POSIXct. When
provided together with date_to, appends
| where TimeGenerated between(datetime(...), datetime(...)) to the
query and sets timespan to NULL. Defaults to Sys.Date() - 3.
date_toEnd of the time range as a Date or POSIXct. Defaults
to Sys.Date() + 1.
timespanAn ISO 8601 duration (e.g. "PT12H") or start/end pair
separated by / (e.g. "2024-01-01/2024-01-02"). Passed as a URL
query parameter. Ignored when date_from and date_to are set.
Defaults to NULL.
max_rowsMaximum number of rows to return. Defaults to 500001.
optionsA named list of query options. Defaults to
list(truncationMaxSize = 67108864).
workspace_filtersA named list of workspace filters. Defaults to
list(regions = list()).
...Additional URL query parameters. Override defaults (e.g.
scope = "resource" to change from the default "hierarchy").
rawIf TRUE, returns the parsed JSON response as a list. If
FALSE (the default), returns a named list of data.frames — one per
table in the response — or the single table directly if only one is
returned.
coerce_typesIf TRUE (the default), columns are coerced to their
native R types based on the Log Analytics schema (e.g. datetime →
POSIXct, bool → logical). Set to FALSE to keep all values as
character.
Either a single data.frame, a named list of data.frames, or
the raw parsed response (when raw = TRUE).
clone()
The objects of this class are cloneable with this method.
api_log_analytics_client$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: la <- api_log_analytics_client$new( subscription_id = "00000000-0000-0000-0000-000000000000", resource_id = "my-resource-group" ) la$query( query = "AzureDiagnostics | take 10", timespan = "PT12H", scope = "hierarchy" ) ## End(Not run)## Not run: la <- api_log_analytics_client$new( subscription_id = "00000000-0000-0000-0000-000000000000", resource_id = "my-resource-group" ) la$query( query = "AzureDiagnostics | take 10", timespan = "PT12H", scope = "hierarchy" ) ## End(Not run)
An R6 class that wraps an api_client and adds an additional path segment
(like "beta" or "v1.0") to all requests. This is useful for APIs that version
their endpoints or have different API surfaces under different paths.
The api_resource class creates a modified base request by appending an
endpoint path to the client's base request. All subsequent API calls through
this resource will automatically include this path prefix.
.clientThe cloned api_client instance with modified base_req
new()
Create a new API resource instance
api_resource$new(client, endpoint)
clientAn api_client object that provides the base HTTP client
functionality. This will be cloned to avoid modifying the original.
endpointA character string specifying the API endpoint or path
segment to append (e.g., "v1.0", "beta").
A new api_resource object
clone()
The objects of this class are cloneable with this method.
api_resource$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create a client client <- api_client$new( host_url = "https://graph.microsoft.com" ) # Create a resource with v1.0 API endpoint resource_v1 <- api_resource$new( client = client, endpoint = "v1.0" ) # Create a resource with beta API endpoint resource_beta <- api_resource$new( client = client, endpoint = "beta" ) # Make requests - the endpoint is automatically prepended response <- resource_v1$.fetch( path = "/me", method = "get" ) ## End(Not run)## Not run: # Create a client client <- api_client$new( host_url = "https://graph.microsoft.com" ) # Create a resource with v1.0 API endpoint resource_v1 <- api_resource$new( client = client, endpoint = "v1.0" ) # Create a resource with beta API endpoint resource_beta <- api_resource$new( client = client, endpoint = "beta" ) # Make requests - the endpoint is automatically prepended response <- resource_v1$.fetch( path = "/me", method = "get" ) ## End(Not run)
Base R6 class for creating API service wrappers. This class provides a foundation for building service-specific API clients with authentication, endpoint management, and configuration.
.clientAn api_client instance for making API requests
new()
Create a new API service instance
api_service$new( client = NULL, chain = NULL, endpoints = list(), config = list() )
clientAn api_client instance. If NULL, a new client will be created.
chainA credential_chain instance for authentication. Optional.
endpointsA named list where names are endpoint paths (e.g., "v1.0", "beta")
and values are R6 class objects (not instances) to use for creating resources.
Defaults to an empty list. If the value is NULL, api_resource will be used.
configA list of configuration options. Defaults to an empty list.
A new api_service object
An R6 class that extends api_client to provide specialized methods for Azure Data Lake Storage Gen2 (ADLS Gen2) REST API operations.
The base URL is constructed as:
https://{storageaccount}.{endpoint_suffix}
azr::api_client -> api_storage_client
.filesystemThe filesystem (container) name
new()
Create a new Azure Storage API client instance
api_storage_client$new(
storageaccount,
filesystem,
scope = default_azure_scope("azure_storage"),
endpoint_suffix = default_storage_endpoint(),
provider = NULL,
chain = NULL,
tenant_id = NULL,
client_id = default_azure_cli_client_id(),
...
)storageaccountA character string specifying the Azure Storage account name.
filesystemA character string specifying the filesystem (container) name.
scopeA character string specifying the OAuth2 scope. Defaults to
default_azure_scope("azure_storage").
endpoint_suffixA character string specifying the Azure
Storage DFS endpoint suffix. Defaults to
default_storage_endpoint().
providerAn optional credential provider object that inherits from
Credential or DefaultCredential. If provided, chain is ignored.
chainA credential_chain instance for authentication. If NULL, a default credential chain will be created using DefaultCredential.
tenant_idA character string specifying the Azure tenant ID. Passed to
DefaultCredential when chain is NULL.
client_idA character string specifying the Azure client ID. Passed to
DefaultCredential when chain is NULL. Defaults to
default_azure_cli_client_id().
...Additional arguments passed to the parent api_client constructor.
A new api_storage_client object
download_file()
Download a file from the filesystem
api_storage_client$download_file(path, dest = NULL)
pathA character string specifying the file path within the filesystem.
destA character string specifying the local destination path.
Defaults to a temporary file via tempfile().
The local path the file was written to (invisibly).
get_access_control()
Get the access control list (ACL) for a file or directory
api_storage_client$get_access_control(dataset, upn = FALSE)
datasetA character string specifying the file or directory path within the filesystem.
upnA logical value. If TRUE, user principal names (UPN) are
returned in the x-ms-owner, x-ms-group, and x-ms-acl response
headers instead of object IDs. Defaults to FALSE.
A data.frame with columns group_id and permission, one row per
named group entry in the x-ms-acl response header.
list_files()
List files and directories in a path
api_storage_client$list_files(path = "", recursive = FALSE, ...)
pathA character string specifying the directory path to list.
Use empty string or NULL for the root directory. Defaults to "".
recursiveA logical value indicating whether to list files recursively.
Defaults to FALSE.
...Additional query parameters to pass to the API.
A data.frame (or data.table if available) with one row per file or
directory. Columns include name, contentLength, lastModified, etc.
All pages are fetched transparently; the result is the complete listing.
clone()
The objects of this class are cloneable with this method.
api_storage_client$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create a storage client storage <- api_storage_client$new( storageaccount = "mystorageaccount", filesystem = "mycontainer" ) # List files in the root directory files <- storage$list_files() # List files in a specific path files <- storage$list_files(path = "data/folder1") # List files recursively files <- storage$list_files(path = "data", recursive = TRUE) ## End(Not run)## Not run: # Create a storage client storage <- api_storage_client$new( storageaccount = "mystorageaccount", filesystem = "mycontainer" ) # List files in the root directory files <- storage$list_files() # List files in a specific path files <- storage$list_files(path = "data/folder1") # List files recursively files <- storage$list_files(path = "data", recursive = TRUE) ## End(Not run)
Authenticates a user through the OAuth 2.0 authorization code flow. This flow opens a web browser for the user to sign in.
The authorization code flow is the standard OAuth 2.0 flow for interactive authentication. It requires a web browser and is suitable for applications where the user can interact with a browser window.
The credential supports token caching to avoid repeated authentication. Tokens can be cached to disk or in memory. A redirect URI is required for the OAuth flow to complete.
azr::Credential -> azr::InteractiveCredential -> AuthCodeCredential
.redirect_uriCharacter string specifying the redirect URI registered with the application.
new()
Create a new authorization code credential
AuthCodeCredential$new( scope = NULL, tenant_id = NULL, client_id = default_azure_cli_client_id(), use_cache = "disk", offline = TRUE, redirect_uri = default_redirect_uri(), allow_prompt = TRUE, use_refresh_token = TRUE, interactive = NULL )
scopeA character string specifying the OAuth2 scope. Defaults to NULL.
tenant_idA character string specifying the Azure Active Directory
tenant ID. Defaults to NULL.
client_idA character string specifying the application (client) ID. Defaults to the Azure CLI public client ID.
use_cacheA character string specifying the cache type. Use "disk"
for disk-based caching or "memory" for in-memory caching. Defaults to "disk".
offlineA logical value indicating whether to request offline access
(refresh tokens). Defaults to TRUE.
redirect_uriA character string specifying the redirect URI registered
with the application. Defaults to default_redirect_uri().
allow_promptA logical value indicating whether this credential
may prompt the user (vs. only reading cached/refresh tokens). Defaults
to TRUE.
use_refresh_tokenA logical value indicating whether to use the login flow
(acquire tokens via refresh token exchange). Defaults to TRUE.
interactiveDeprecated. Use allow_prompt instead.
A new AuthCodeCredential object
clone()
The objects of this class are cloneable with this method.
AuthCodeCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
# AuthCodeCredential requires an interactive session ## Not run: # Create credential with default settings cred <- AuthCodeCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", scope = "https://management.azure.com/.default" ) # Get an access token (will open browser for authentication) token <- cred$get_token() # Force reauthentication token <- cred$get_token(reauth = TRUE) # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") req <- cred$req_auth(req) ## End(Not run)# AuthCodeCredential requires an interactive session ## Not run: # Create credential with default settings cred <- AuthCodeCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", scope = "https://management.azure.com/.default" ) # Get an access token (will open browser for authentication) token <- cred$get_token() # Force reauthentication token <- cred$get_token(reauth = TRUE) # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") req <- cred$req_auth(req) ## End(Not run)
Retrieves information about the currently active Azure CLI account and
subscription. This function runs az account show and parses the JSON
output into an R list.
az_cli_account_show(timeout = 10L)az_cli_account_show(timeout = 10L)
timeout |
An integer specifying the timeout in seconds for the Azure
CLI command. Defaults to |
The function returns details about the current Azure subscription including:
Subscription ID and name
Tenant ID
Account state (e.g., "Enabled")
User information
Cloud environment details
A list containing the account information from Azure CLI
Reads the MSAL token cache file (msal_token_cache.json) from the Azure
configuration directory and returns a matching access token as an
httr2::oauth_token() object.
az_cli_get_cached_token( scope = NULL, tenant_id = NULL, client_id = NULL, config_dir = default_azure_config_dir() )az_cli_get_cached_token( scope = NULL, tenant_id = NULL, client_id = NULL, config_dir = default_azure_config_dir() )
scope |
A character string specifying the OAuth2 scope to filter tokens.
If |
tenant_id |
A character string specifying the tenant ID to filter tokens.
If |
client_id |
A character string specifying the client ID to filter tokens.
If |
config_dir |
A character string specifying the Azure configuration
directory. Defaults to |
The MSAL token cache is a JSON file maintained by the Azure CLI that stores access tokens and refresh tokens. This function reads cached access tokens directly from the file without invoking the Azure CLI, which can be useful in environments where the CLI is slow or unavailable but tokens have been previously cached.
When multiple tokens are found, the function selects the token that expires
latest. If scope is provided, only tokens matching that scope/resource are
returned.
An httr2::oauth_token() object containing:
access_token: The OAuth2 access token string
token_type: The type of token (typically "Bearer")
.expires_at: POSIXct timestamp when the token expires
Retrieves an access token from Azure CLI using the az account get-access-token
command. This is a lower-level function that directly interacts with the Azure
CLI to obtain OAuth2 tokens.
az_cli_get_token(scope, tenant_id = NULL, timeout = 10L)az_cli_get_token(scope, tenant_id = NULL, timeout = 10L)
scope |
A character string specifying the OAuth2 scope for which to
request the access token (e.g., |
tenant_id |
A character string specifying the Azure Active Directory
tenant ID. If |
timeout |
A numeric value specifying the timeout in seconds for the
Azure CLI process. Defaults to |
This function executes the Azure CLI command and parses the JSON response to create an httr2 OAuth token object. The token includes the access token, token type, and expiration time.
An httr2::oauth_token() object containing:
access_token: The OAuth2 access token string
token_type: The type of token (typically "Bearer")
.expires_at: POSIXct timestamp when the token expires
Checks whether the user is currently logged in to Azure CLI by attempting to retrieve account information.
az_cli_is_login(timeout = 10L)az_cli_is_login(timeout = 10L)
timeout |
A numeric value specifying the timeout in seconds for the
Azure CLI command. Defaults to |
A logical value: TRUE if the user is logged in, FALSE otherwise
Performs an interactive Azure CLI login using device code flow. Automatically captures the device code, copies it to the clipboard, and opens the browser for authentication.
az_cli_login(tenant_id = NULL, use_bridge = FALSE, verbose = FALSE)az_cli_login(tenant_id = NULL, use_bridge = FALSE, verbose = FALSE)
tenant_id |
A character string specifying the Azure Active Directory
tenant ID to authenticate against. If |
use_bridge |
A logical value indicating whether to use the device code
bridge webpage. If |
verbose |
A logical value indicating whether to print detailed process
output to the console, including error messages from the Azure CLI process.
If |
This function runs az login --use-device-code, monitors the output
to extract the device code, copies it to the clipboard, and opens
the authentication URL in the default browser.
Invisibly returns the exit status (0 for success, non-zero for failure)
Logs out from Azure CLI by removing all stored credentials and account
information. This function runs az logout.
az_cli_logout()az_cli_logout()
After logging out, you will need to run az_cli_login() again to
authenticate and use Azure CLI credentials.
Invisibly returns NULL
An S7 class holding an ordered collection of azr_dataset objects with
unique names.
A catalog can be indexed by dataset name with [[, and supports names()
and length().
azr_catalog(datasets = list())azr_catalog(datasets = list())
datasets |
A list of azr_dataset objects. |
An azr_catalog S7 object.
ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) catalog <- azr_catalog(datasets = list(ds)) catalog[["orders"]] names(catalog) length(catalog)ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) catalog <- azr_catalog(datasets = list(ds)) catalog[["orders"]] names(catalog) length(catalog)
Reads a JSON file describing a collection of datasets and returns an azr_catalog.
The expected JSON shape:
{
"datasets": [
{
"name": "sales_orders",
"scheme": "abfss",
"container": "raw",
"storage": { "prod": "stprod001", "preprod": "stpreprod001" },
"path": "sales/orders",
"format": "delta"
}
]
}
azr_catalog_read(json_file)azr_catalog_read(json_file)
json_file |
Path to a JSON file. |
An azr_catalog object.
Writes an azr_catalog to a JSON file in the shape expected by
azr_catalog_read().
azr_catalog_write(catalog, json_file)azr_catalog_write(catalog, json_file)
catalog |
An azr_catalog object. |
json_file |
Path to write the JSON file to. |
json_file, invisibly.
An S7 class representing an Azure Storage dataset bound to one or more
storage accounts keyed by environment tier (e.g. "prod", "preprod").
azr_dataset( name = character(0), scheme = character(0), container = character(0), storage = list(), path = character(0), format = character(0), endpoint_suffix = "core.windows.net" )azr_dataset( name = character(0), scheme = character(0), container = character(0), storage = list(), path = character(0), format = character(0), endpoint_suffix = "core.windows.net" )
name |
Dataset name. Must match |
scheme |
Hadoop filesystem scheme: |
container |
Container (filesystem) name. |
storage |
Non-empty named list mapping tier name to storage account. |
path |
Path within the container, without leading or trailing |
format |
Dataset format: |
endpoint_suffix |
Storage endpoint suffix. Defaults to
|
Only the storage account varies by tier: container, path,
endpoint_suffix, and scheme are shared across all tiers in storage.
If an environment also needs a different container, path, or sovereign
cloud, model it as a separate azr_dataset.
path must be non-empty, so a dataset cannot point at a container root.
An azr_dataset S7 object.
azr_dataset from a full Azure Storage URIParses an Azure Storage URI using parse_storage_path() and constructs an
azr_dataset. The parsed storage account is bound to tier in storage.
azr_dataset_from_uri( uri, name = NULL, format = NULL, tier = opts$get("dataset_tier"), storage = NULL )azr_dataset_from_uri( uri, name = NULL, format = NULL, tier = opts$get("dataset_tier"), storage = NULL )
uri |
Full Azure Storage URI, such as
|
name |
Dataset name. If |
format |
Dataset format. If |
tier |
Environment tier for the storage account parsed from |
storage |
Optional named list mapping additional tiers to storage
accounts. The account from |
An azr_dataset object.
An S7 class representing the resolved information required by an external reader to load an Azure Storage dataset. Use as.list() to convert it to a plain R list.
azr_dataset_manifest( name = character(0), uri = character(0), format = character(0) )azr_dataset_manifest( name = character(0), uri = character(0), format = character(0) )
name |
Dataset name, carried over from the source azr_dataset. |
uri |
Resolved Azure Storage URI. |
format |
Dataset format. See azr_dataset for supported values. |
An azr_dataset_manifest S7 object.
azr_dataset or look one up in an azr_catalog
Build a URI for an azr_dataset or look one up in an azr_catalog
azr_dataset_uri(x, ...)azr_dataset_uri(x, ...)
x |
An azr_dataset or azr_catalog object. |
... |
Additional arguments passed to methods:
|
For an azr_dataset, or an azr_catalog with name supplied, a
character scalar URI. For an azr_catalog without name, a named
character vector of URIs keyed by dataset name.
ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) azr_dataset_uri(ds, tier = "prod") catalog <- azr_catalog(datasets = list(ds)) azr_dataset_uri(catalog, tier = "prod", name = "orders") azr_dataset_uri(catalog, tier = "prod")ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) azr_dataset_uri(ds, tier = "prod") catalog <- azr_catalog(datasets = list(ds)) azr_dataset_uri(catalog, tier = "prod", name = "orders") azr_dataset_uri(catalog, tier = "prod")
Creates a configured client for the Microsoft Graph API with authentication and versioned endpoints (v1.0 and beta). This function returns an api_service object that provides access to Microsoft Graph resources through versioned endpoints.
azr_graph_client( scopes = ".default", endpoint = default_graph_endpoint(), ..., chain = NULL )azr_graph_client( scopes = ".default", endpoint = default_graph_endpoint(), ..., chain = NULL )
scopes |
A character string specifying the OAuth2 scope suffix to be appended
to the Graph API URL. Defaults to |
endpoint |
A character string specifying the Microsoft Graph endpoint
host (e.g. |
... |
Additional arguments passed to the api_client constructor. |
chain |
A credential_chain instance for authentication. If NULL, a default credential chain will be created using DefaultCredential. |
The function creates a Microsoft Graph service using these components:
api_client: A general-purpose API client configured with the Graph API
host URL (https://graph.microsoft.com) and authentication provider.
api_graph_resource: A specialized resource class that extends api_resource with Microsoft Graph-specific methods. Currently implements:
me(select = NULL): Fetch the current user's profile. The select parameter
accepts a character vector of properties to return (e.g., c("displayName", "mail")).
api_service: A service container that combines the client and resources
with versioned endpoints (v1.0 and beta). The service is locked using
lockEnvironment() to prevent modification after creation.
An api_service object configured for Microsoft Graph API with
v1.0 and beta endpoints. The object is locked using lockEnvironment() to
prevent modification after creation. Access endpoints via $v1.0 or $beta.
## Not run: # Create a Graph API client with default credentials graph <- azr_graph_client() # Fetch current user profile from v1.0 endpoint me <- graph$v1.0$me() # Fetch specific properties using OData $select me <- graph$v1.0$me(select = c("displayName", "mail", "userPrincipalName")) # Use beta endpoint for preview features me_beta <- graph$beta$me(select = c("displayName", "mail")) # Create with a custom credential chain custom_chain <- credential_chain( AzureCLICredential$new(scope = "https://graph.microsoft.com/.default") ) graph <- azr_graph_client(chain = custom_chain) # Use specific scopes instead of .default graph <- azr_graph_client(scopes = "User.Read Mail.Read") ## End(Not run)## Not run: # Create a Graph API client with default credentials graph <- azr_graph_client() # Fetch current user profile from v1.0 endpoint me <- graph$v1.0$me() # Fetch specific properties using OData $select me <- graph$v1.0$me(select = c("displayName", "mail", "userPrincipalName")) # Use beta endpoint for preview features me_beta <- graph$beta$me(select = c("displayName", "mail")) # Create with a custom credential chain custom_chain <- credential_chain( AzureCLICredential$new(scope = "https://graph.microsoft.com/.default") ) graph <- azr_graph_client(chain = custom_chain) # Use specific scopes instead of .default graph <- azr_graph_client(scopes = "User.Read Mail.Read") ## End(Not run)
A convenience wrapper around api_log_analytics_client that creates a configured client for the Azure Log Analytics query REST API, bound to a specific subscription and resource group.
azr_logs_client( subscription_id, resource_id, endpoint = default_log_analytics_endpoint(), api_version = "v1", scope = default_azure_scope("azure_log_analytics"), provider = NULL, chain = default_credential_chain(), tenant_id = default_azure_tenant_id(), ... )azr_logs_client( subscription_id, resource_id, endpoint = default_log_analytics_endpoint(), api_version = "v1", scope = default_azure_scope("azure_log_analytics"), provider = NULL, chain = default_credential_chain(), tenant_id = default_azure_tenant_id(), ... )
subscription_id |
A character string specifying the Azure subscription ID (GUID) to bind the client to. |
resource_id |
A character string specifying the Azure resource group name to bind the client to. |
endpoint |
A character string specifying the Log Analytics query
endpoint host. Defaults to |
api_version |
A character string specifying the API version segment.
Defaults to |
scope |
A character string specifying the OAuth2 scope. Defaults to
|
provider |
An optional credential provider object that inherits from
|
chain |
A credential_chain instance for authentication. Defaults to
|
tenant_id |
A character string specifying the Azure tenant ID. Defaults
to |
... |
Additional arguments passed to the api_log_analytics_client constructor. |
An api_log_analytics_client object.
## Not run: la <- azr_logs_client( subscription_id = "00000000-0000-0000-0000-000000000000", resource_id = "my-resource-group" ) la$query( query = "AzureDiagnostics | take 10", timespan = "PT12H", scope = "hierarchy" ) ## End(Not run)## Not run: la <- azr_logs_client( subscription_id = "00000000-0000-0000-0000-000000000000", resource_id = "my-resource-group" ) la$query( query = "AzureDiagnostics | take 10", timespan = "PT12H", scope = "hierarchy" ) ## End(Not run)
Prints every azr option and invisibly returns a
data.frame of the same information. The resolution order is: a value set
for the session -> options(azr.*) -> the option's environment variable ->
a built-in default.
| Name | R option | Env variable | Default | Description |
"chain_verbose" |
azr.chain_verbose |
AZR_CHAIN_VERBOSE |
FALSE |
Verbose credential-chain discovery |
"api_verbose" |
azr.api_verbose |
AZR_API_VERBOSE |
FALSE |
Verbose api_client request/response |
"cli_auto_login" |
azr.cli_auto_login |
AZR_CLI_AUTO_LOGIN |
FALSE |
Auto Azure CLI login |
"dataset_tier" |
azr.dataset_tier |
AZR_DATASET_TIER |
"prod" |
Default tier for azr_dataset_uri()
|
azr_options(mask = TRUE)azr_options(mask = TRUE)
mask |
Logical. When |
Invisibly, a data.frame with columns option, value, source,
env_var, env_value, and default.
azr_options() # Set for the session options(azr.chain_verbose = TRUE) # Or via environment variable (before starting R) # AZR_CHAIN_VERBOSE=trueazr_options() # Set for the session options(azr.chain_verbose = TRUE) # Or via environment variable (before starting R) # AZR_CHAIN_VERBOSE=true
azr_dataset or azr_catalog
Like azr_dataset_uri(), but each entry also carries the dataset's format,
which together are what a reader (e.g. sparklyr::spark_read_source())
needs to load a dataset.
azr_resolve_dataset(x, ...)azr_resolve_dataset(x, ...)
x |
An azr_dataset or azr_catalog object. |
... |
Additional arguments passed to methods:
|
For an azr_dataset, or an azr_catalog with name supplied, an
azr_dataset_manifest. For an azr_catalog without name, a named list
of azr_dataset_manifest objects, keyed by dataset name.
ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) azr_resolve_dataset(ds, tier = "prod") catalog <- azr_catalog(datasets = list(ds)) azr_resolve_dataset(catalog, tier = "prod")ds <- azr_dataset( name = "orders", scheme = "abfss", container = "raw", storage = list(prod = "stprod001"), path = "sales/orders", format = "delta" ) azr_resolve_dataset(ds, tier = "prod") catalog <- azr_catalog(datasets = list(ds)) azr_resolve_dataset(catalog, tier = "prod")
A convenience wrapper around api_storage_client that creates a configured client for Azure Data Lake Storage Gen2 (ADLS Gen2) REST API operations.
azr_storage_client( storageaccount, filesystem, endpoint_suffix = default_storage_endpoint(), scope = default_azure_scope("azure_storage"), provider = NULL, chain = default_credential_chain(), tenant_id = default_azure_tenant_id(), ... )azr_storage_client( storageaccount, filesystem, endpoint_suffix = default_storage_endpoint(), scope = default_azure_scope("azure_storage"), provider = NULL, chain = default_credential_chain(), tenant_id = default_azure_tenant_id(), ... )
storageaccount |
A character string specifying the Azure Storage account name. |
filesystem |
A character string specifying the filesystem (container) name. |
endpoint_suffix |
A character string specifying the Azure
Storage DFS endpoint suffix. Defaults to
|
scope |
A character string specifying the OAuth2 scope. Defaults to
|
provider |
An optional credential provider object that inherits from
|
chain |
A credential_chain instance for authentication. Defaults to
|
tenant_id |
A character string specifying the Azure tenant ID. Defaults to
|
... |
Additional arguments passed to the api_storage_client constructor. |
An api_storage_client object.
## Not run: # Create a storage client with default credentials storage <- azr_storage_client( storageaccount = "mystorageaccount", filesystem = "mycontainer" ) # Create a storage client with a specific tenant storage <- azr_storage_client( storageaccount = "mystorageaccount", filesystem = "mycontainer", tenant_id = "00000000-0000-0000-0000-000000000000" ) ## End(Not run)## Not run: # Create a storage client with default credentials storage <- azr_storage_client( storageaccount = "mystorageaccount", filesystem = "mycontainer" ) # Create a storage client with a specific tenant storage <- azr_storage_client( storageaccount = "mystorageaccount", filesystem = "mycontainer", tenant_id = "00000000-0000-0000-0000-000000000000" ) ## End(Not run)
Builds the named list of Hadoop fs.azure.* configuration keys required to
authenticate Apache Spark (or any ABFS-compatible runtime) against Azure Data
Lake Storage Gen2. With the default prefix = "spark.hadoop" the returned
list is ready to pass to SparkSession.builder.config(), a Databricks
cluster's Spark config, or spark-defaults.conf — Spark forwards
spark.hadoop.* keys to Hadoop at FileSystem-init time. Pass prefix = NULL
to get the raw fs.azure.* form, suitable for core-site.xml or a
sparkContext.hadoopConfiguration().set(...) call.
Five authentication types are supported:
"client_secret"Service principal with client secret
(ClientCredsTokenProvider).
"refresh_token"Delegated user identity via a refresh token
(RefreshTokenBasedTokenProvider).
"workload_identity"Kubernetes workload identity via a projected
service-account token file (WorkloadIdentityTokenProvider). Requires
Hadoop 3.4.1+ / 3.5.0+ (HADOOP-18610). Stock Apache Spark 3.5 ships with
Hadoop 3.3.4, so this requires Spark 4.x or a runtime that bundles a
newer Hadoop (Databricks 14.3+ LTS, Synapse 3.4+).
"managed_identity"Azure managed identity via IMDS
(MsiTokenProvider). For Azure VMs, App Service, Functions, Container
Instances, and AKS pods without workload identity. Pass client_id to
select a user-assigned identity.
"shared_key"Storage account key (SharedKey auth type). Requires
storage_account and account_key; cannot be configured globally.
Sovereign clouds (Azure US Government, Azure China) are supported by passing
the matching authority_host (e.g. "login.microsoftonline.us"). The
storage endpoint suffix used to scope keys to a specific account is derived
from the authority host. Alternatively, pass a fully qualified
storage_account like "myacct.dfs.core.usgovcloudapi.net" to override the
derivation entirely.
azure_spark_storage_conf( auth_type = c("refresh_token", "client_secret", "workload_identity", "managed_identity", "shared_key"), storage_account = NULL, tenant_id = default_azure_tenant_id(), client_id = default_azure_client_id(), client_secret = default_azure_client_secret(), refresh_token = default_refresh_token(), account_key = NULL, token_file = default_federated_token_file(), authority_host = default_azure_host(), prefix = "spark.hadoop" )azure_spark_storage_conf( auth_type = c("refresh_token", "client_secret", "workload_identity", "managed_identity", "shared_key"), storage_account = NULL, tenant_id = default_azure_tenant_id(), client_id = default_azure_client_id(), client_secret = default_azure_client_secret(), refresh_token = default_refresh_token(), account_key = NULL, token_file = default_federated_token_file(), authority_host = default_azure_host(), prefix = "spark.hadoop" )
auth_type |
Authentication type. One of |
storage_account |
Optional storage account, either a short name
( |
tenant_id |
Azure tenant ID. Defaults to |
client_id |
Azure application (client) ID. Defaults to
|
client_secret |
Client secret. Required when
|
refresh_token |
Refresh token. Required when
|
account_key |
Storage account access key. Required when
|
token_file |
Path to the federated service-account token file. Used
only when |
authority_host |
Azure authority host (without scheme), e.g.
|
prefix |
Optional prefix prepended to every returned key. Defaults to
|
A named list of class azure_spark_config. With the default
prefix, keys look like spark.hadoop.fs.azure.account.*; with
prefix = NULL, keys look like fs.azure.account.*. The print method
redacts sensitive values (account key, client secret, refresh token).
# Global client-secret config (applies to all storage accounts) azure_spark_storage_conf( auth_type = "client_secret", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret" ) # Scoped to a specific storage account azure_spark_storage_conf( auth_type = "client_secret", storage_account = "mystorageaccount", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret" ) # Azure US Government sovereign cloud azure_spark_storage_conf( auth_type = "client_secret", storage_account = "mystorageaccount", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret", authority_host = "login.microsoftonline.us" ) ## Not run: # Workload identity on AKS (reads env vars automatically) azure_spark_storage_conf(auth_type = "workload_identity") # Managed identity on an Azure VM (system-assigned) azure_spark_storage_conf(auth_type = "managed_identity") ## End(Not run)# Global client-secret config (applies to all storage accounts) azure_spark_storage_conf( auth_type = "client_secret", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret" ) # Scoped to a specific storage account azure_spark_storage_conf( auth_type = "client_secret", storage_account = "mystorageaccount", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret" ) # Azure US Government sovereign cloud azure_spark_storage_conf( auth_type = "client_secret", storage_account = "mystorageaccount", tenant_id = "my-tenant", client_id = "my-client", client_secret = "my-secret", authority_host = "login.microsoftonline.us" ) ## Not run: # Workload identity on AKS (reads env vars automatically) azure_spark_storage_conf(auth_type = "workload_identity") # Managed identity on an Azure VM (system-assigned) azure_spark_storage_conf(auth_type = "managed_identity") ## End(Not run)
Authenticates using the Azure CLI (az) command-line tool. This credential
requires the Azure CLI to be installed and the user to be logged in via
az login.
The credential uses the az account get-access-token command to retrieve
access tokens. It will use the currently active Azure CLI account and
subscription unless a specific tenant is specified.
azr::Credential -> AzureCLICredential
auto_loginLogical indicating whether to check login status and perform login if needed
use_bridgeLogical indicating whether to use the device code bridge webpage during interactive login
.process_timeoutTimeout in seconds for Azure CLI command execution
new()
Create a new Azure CLI credential
AzureCLICredential$new(
scope = NULL,
tenant_id = NULL,
process_timeout = NULL,
auto_login = opts$get("cli_auto_login"),
use_bridge = TRUE,
interactive = NULL
)scopeA character string specifying the OAuth2 scope. Defaults to
NULL, which uses the scope set during initialization.
tenant_idA character string specifying the Azure Active Directory
tenant ID. Defaults to NULL, which uses the default tenant from Azure CLI.
process_timeoutA numeric value specifying the timeout in seconds
for the Azure CLI process. Defaults to 10.
auto_loginA logical value indicating whether get_token() may
launch az login when the user is not logged in. Defaults to the
cli_auto_login option (options(azr.cli_auto_login = ...) or
AZR_CLI_AUTO_LOGIN); see azr_options().
use_bridgeA logical value indicating whether to use the device code
bridge webpage during login. If TRUE, launches an intermediate local webpage
that displays the device code and facilitates copy-pasting before redirecting
to the Microsoft device login page. Only used when auto_login = TRUE. Defaults to TRUE.
interactiveDeprecated. Use auto_login instead.
A new AzureCLICredential object
get_token()
Get an access token from Azure CLI
AzureCLICredential$get_token(scope = NULL)
scopeA character string specifying the OAuth2 scope. If NULL,
uses the scope specified during initialization.
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
AzureCLICredential$req_auth(req, scope = NULL)
reqAn httr2::request() object
scopeA character string specifying the OAuth2 scope. If NULL,
uses the scope specified during initialization.
The request object with authentication header added
account_show()
Show the currently active Azure CLI account information
AzureCLICredential$account_show(timeout = NULL)
timeoutA numeric value specifying the timeout in seconds for the
Azure CLI command. If NULL, uses the process timeout specified during
initialization.
A list containing the account information from Azure CLI
login()
Perform Azure CLI login using device code flow
AzureCLICredential$login()
Invisibly returns the exit status (0 for success, non-zero for failure)
is_interactive()
Check if the credential requires user interaction
AzureCLICredential$is_interactive()
Logical indicating whether this credential is interactive
logout()
Log out from Azure CLI
AzureCLICredential$logout()
Invisibly returns NULL
clone()
The objects of this class are cloneable with this method.
AzureCLICredential$clone(deep = FALSE)
deepWhether to make a deep clone.
# 'az login' must have been executed successfully for these examples to work. ## Not run: # Create credential with default settings cred <- AzureCLICredential$new() # Create credential with specific scope and tenant cred <- AzureCLICredential$new( scope = "https://management.azure.com/.default", tenant_id = "your-tenant-id" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)# 'az login' must have been executed successfully for these examples to work. ## Not run: # Create credential with default settings cred <- AzureCLICredential$new() # Create credential with specific scope and tenant cred <- AzureCLICredential$new( scope = "https://management.azure.com/.default", tenant_id = "your-tenant-id" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)
Creates the default chain of credentials to attempt for cached token retrieval. The credentials are tried in order until one returns a valid cached token. The default chain includes:
Authorization Code Credential - Cached tokens from browser-based authentication
Device Code Credential - Cached tokens from device code flow
Azure CLI Credential - Cached tokens from Azure CLI authentication
cached_token_credential_chain(scope = NULL, tenant_id = NULL, client_id = NULL)cached_token_credential_chain(scope = NULL, tenant_id = NULL, client_id = NULL)
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
A credential_chain object containing the sequence of
credential providers to check for cached tokens.
CachedTokenCredential, credential_chain()
A credential class that retrieves tokens from the cache only, without triggering interactive authentication flows. This is useful for non-interactive sessions where you want to use previously cached tokens from DeviceCode or AuthCode credentials.
This credential attempts to retrieve cached tokens from a chain of interactive credentials (AuthCode and DeviceCode by default). It will not prompt for new authentication - it only returns tokens that are already cached.
This is particularly useful for:
Non-interactive R sessions (e.g., scheduled scripts, CI/CD)
Scenarios where you've previously authenticated interactively and want to reuse those cached tokens
.scopeCharacter string specifying the authentication scope.
.tenant_idCharacter string specifying the tenant ID.
.client_idCharacter string specifying the client ID.
.chainList of credential classes to attempt for cached tokens.
providerLazily initialized credential provider
new()
Create a new CachedTokenCredential object
CachedTokenCredential$new( scope = NULL, tenant_id = NULL, client_id = NULL, chain = NULL )
scopeOptional character string specifying the authentication scope.
tenant_idOptional character string specifying the tenant ID for authentication.
client_idOptional character string specifying the client ID for authentication.
chainA list of credential classes to attempt for cached tokens. Defaults to AuthCodeCredential and DeviceCodeCredential.
A new CachedTokenCredential object
get_token()
Get an access token from the cache
CachedTokenCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
CachedTokenCredential$req_auth(req)
reqAn httr2::request() object
The request object with authentication configured
clone()
The objects of this class are cloneable with this method.
CachedTokenCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create credential with default settings cred <- CachedTokenCredential$new( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) # Get a cached token (will fail if no cached token exists) token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://graph.microsoft.com/v1.0/me") req <- cred$req_auth(req) ## End(Not run)## Not run: # Create credential with default settings cred <- CachedTokenCredential$new( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) # Get a cached token (will fail if no cached token exists) token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://graph.microsoft.com/v1.0/me") req <- cred$req_auth(req) ## End(Not run)
Authenticates a service principal using a client ID and client secret. This credential is commonly used for application authentication in Azure.
The credential uses the OAuth 2.0 client credentials flow to obtain access tokens. It requires a registered Azure AD application with a client secret. The client secret should be stored securely and not hard-coded in scripts.
azr::Credential -> ClientSecretCredential
validate()
Validate the credential configuration
ClientSecretCredential$validate()
Checks that the client secret is provided and not NA or NULL. Calls the parent class validation method.
get_token()
Get an access token using client credentials flow
ClientSecretCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add OAuth client credentials authentication to an httr2 request
ClientSecretCredential$req_auth(req)
reqAn httr2::request() object
The request object with OAuth client credentials authentication configured
clone()
The objects of this class are cloneable with this method.
ClientSecretCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
# Create credential with client secret cred <- ClientSecretCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", client_secret = "your-client-secret", scope = "https://management.azure.com/.default" ) # To get a token or authenticate a request it requires # valid 'client_id' and 'client_secret' credentials, # otherwise it will return an error. ## Not run: # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)# Create credential with client secret cred <- ClientSecretCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", client_secret = "your-client-secret", scope = "https://management.azure.com/.default" ) # To get a token or authenticate a request it requires # valid 'client_id' and 'client_secret' credentials, # otherwise it will return an error. ## Not run: # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)
Creates a custom chain of credential providers to attempt during authentication. Credentials are tried in the order they are provided until one successfully authenticates. This allows you to customize the authentication flow beyond the default credential chain.
credential_chain(...)credential_chain(...)
... |
Named chain entries. Each entry must be either a credential class
(e.g., The names are used for identification purposes. Constructing a chain performs no authentication. |
A credential_chain object containing the specified sequence
of credential providers.
default_credential_chain(), get_token_provider()
# Create a custom chain with only non-interactive credentials custom_chain <- credential_chain( client_secret = ClientSecretCredential, azure_cli = AzureCLICredential ) # Use the custom chain to get a token ## Not run: token <- get_token( scope = "https://graph.microsoft.com/.default", chain = custom_chain ) ## End(Not run)# Create a custom chain with only non-interactive credentials custom_chain <- credential_chain( client_secret = ClientSecretCredential, azure_cli = AzureCLICredential ) # Use the custom chain to get a token ## Not run: token <- get_token( scope = "https://graph.microsoft.com/.default", chain = custom_chain ) ## End(Not run)
Returns Microsoft's public Azure CLI client ID
(04b07795-8ddb-461a-bbee-02f9e1bf7b46). This is the default client_id
used by interactive credentials when no application-specific client ID is
configured.
default_azure_cli_client_id()default_azure_cli_client_id()
A character string with the Azure CLI client ID
default_azure_cli_client_id()default_azure_cli_client_id()
Retrieves the Azure client ID in priority order:
AZURE_CLIENT_ID environment variable
Built-in fallback (Microsoft's public Azure CLI client ID)
default_azure_client_id()default_azure_client_id()
A character string with the client ID
default_azure_client_id()default_azure_client_id()
Retrieves the Azure client secret from the AZURE_CLIENT_SECRET environment
variable, or returns NA_character_ if not set.
default_azure_client_secret()default_azure_client_secret()
A character string with the client secret, or NA_character_ if not set
default_azure_client_secret()default_azure_client_secret()
Retrieves the Azure configuration directory from the AZURE_CONFIG_DIR
environment variable, or falls back to the platform-specific default.
default_azure_config_dir()default_azure_config_dir()
A character string with the Azure configuration directory path
default_azure_config_dir()default_azure_config_dir()
Retrieves the Azure authority host in priority order:
AZURE_AUTHORITY_HOST environment variable
Built-in fallback (login.microsoftonline.com)
default_azure_host()default_azure_host()
A character string with the authority host URL
default_azure_host()default_azure_host()
Creates an httr2::oauth_client() configured for Azure authentication.
default_azure_oauth_client( client_id = default_azure_client_id(), client_secret = NULL, name = NULL )default_azure_oauth_client( client_id = default_azure_client_id(), client_secret = NULL, name = NULL )
client_id |
A character string specifying the client ID. Defaults to
|
client_secret |
A character string specifying the client secret. Defaults
to |
name |
A character string specifying the client name. Defaults to |
An httr2::oauth_client() object
client <- default_azure_oauth_client() client <- default_azure_oauth_client( client_id = "my-client-id", client_secret = "my-secret" )client <- default_azure_oauth_client() client <- default_azure_oauth_client( client_id = "my-client-id", client_secret = "my-secret" )
Returns the default OAuth scope for a specified Azure resource.
default_azure_scope(resource = "azure_arm")default_azure_scope(resource = "azure_arm")
resource |
A character string specifying the Azure resource. Accepts
both the full name (e.g. |
A character string with the OAuth scope URL
default_azure_scope() default_azure_scope("azure_graph") default_azure_scope("graph") default_azure_scope("storage")default_azure_scope() default_azure_scope("azure_graph") default_azure_scope("graph") default_azure_scope("storage")
Retrieves the Azure tenant ID in priority order:
AZURE_TENANT_ID environment variable
Built-in fallback ("common")
default_azure_tenant_id()default_azure_tenant_id()
A character string with the tenant ID
default_azure_tenant_id()default_azure_tenant_id()
Constructs Azure OAuth 2.0 endpoint URLs for a given tenant and authority host.
default_azure_url( endpoint = NULL, oauth_host = default_azure_host(), tenant_id = default_azure_tenant_id() )default_azure_url( endpoint = NULL, oauth_host = default_azure_host(), tenant_id = default_azure_tenant_id() )
endpoint |
A character string specifying which endpoint URL to return.
Must be one of: |
oauth_host |
A character string specifying the Azure authority host.
Defaults to |
tenant_id |
A character string specifying the tenant ID. Defaults to
|
If endpoint is specified, returns a character string with the URL.
If endpoint is NULL, returns a named list of all endpoint URLs.
# Get all URLs default_azure_url() # Get specific endpoint default_azure_url("token") # Custom tenant default_azure_url("authorize", tenant_id = "my-tenant-id")# Get all URLs default_azure_url() # Get specific endpoint default_azure_url("token") # Custom tenant default_azure_url("authorize", tenant_id = "my-tenant-id")
Creates the default chain of credentials to attempt during authentication. The credentials are tried in order until one successfully authenticates. The default chain includes:
Client Secret Credential - Uses client ID and secret
Authorization Code Credential - Interactive browser-based authentication
Device Code Credential - Interactive device code flow
Azure CLI Credential - Uses credentials from Azure CLI
default_credential_chain()default_credential_chain()
A credential_chain object containing the default sequence of
credential providers.
credential_chain(), get_token_provider()
Retrieves the path to the federated identity token file from the
AZURE_FEDERATED_TOKEN_FILE environment variable, or returns NULL if
not set. Used by WorkloadIdentityCredential.
default_federated_token_file()default_federated_token_file()
A character string with the file path, or NULL if not set
default_federated_token_file()default_federated_token_file()
Returns the default host used to construct Microsoft Graph API URLs
(graph.microsoft.com).
default_graph_endpoint()default_graph_endpoint()
A character string with the Microsoft Graph endpoint host.
default_graph_endpoint()default_graph_endpoint()
Returns the default host used to construct Azure Log Analytics query URLs
(api.loganalytics.io).
default_log_analytics_endpoint()default_log_analytics_endpoint()
A character string with the Log Analytics query endpoint host.
default_log_analytics_endpoint()default_log_analytics_endpoint()
Returns the path to the MSAL token cache file shared by the Azure CLI and
Azure SDKs. Defaults to msal_token_cache.json inside the Azure config
directory (see default_azure_config_dir()).
default_msal_token_cache()default_msal_token_cache()
A character string with the path to the MSAL token cache file.
default_azure_config_dir(), write_msal_token()
A pass-through credential function that performs no authentication. This function returns the request object unchanged, allowing API calls to be made without adding any authentication headers or tokens.
default_non_auth(req)default_non_auth(req)
req |
An |
The same httr2::request() object, unmodified
Constructs a redirect URI for OAuth flows. If the provided URI doesn't have
a port, assigns a random port using httpuv::randomPort().
default_redirect_uri(redirect_uri = httr2::oauth_redirect_uri())default_redirect_uri(redirect_uri = httr2::oauth_redirect_uri())
redirect_uri |
A character string specifying the redirect URI. Defaults
to |
A character string with the redirect URI
default_redirect_uri()default_redirect_uri()
Retrieves the Azure refresh token from the AZURE_REFRESH_TOKEN environment
variable, or returns NULL if not set.
default_refresh_token()default_refresh_token()
A character string with the refresh token, or NULL if not set
default_refresh_token()default_refresh_token()
Converts data.frame results in the parsed response to data.table objects
when the data.table package is available. Applied automatically by
api_client unless overridden via the response_handler argument.
default_response_handler(content)default_response_handler(content)
content |
Parsed response content from an API call. |
The processed content, with any data.frame objects converted to
data.table if the data.table package is installed.
Returns the default endpoint suffix used to construct Azure Data Lake Storage Gen2 DFS URLs.
default_storage_endpoint()default_storage_endpoint()
A character string with the DFS endpoint suffix.
default_storage_endpoint()default_storage_endpoint()
An R6 class that provides lazy initialization of credential providers. The credential provider is created on first access using the default credential chain.
This class wraps the credential discovery process in an R6 object with
a lazily evaluated provider field. The provider is only created when
first accessed, using the same logic as get_token_provider().
.scopeCharacter string specifying the authentication scope.
.tenant_idCharacter string specifying the tenant ID.
.client_idCharacter string specifying the client ID.
.client_secretCharacter string specifying the client secret.
.use_cacheCharacter string indicating the caching strategy.
.offlineLogical indicating whether to request offline access.
.chainA credential chain object for authentication.
.verboseLogical indicating whether to print the resolved provider class.
providerLazily initialized credential provider
new()
Create a new DefaultCredential object
DefaultCredential$new(
scope = NULL,
tenant_id = NULL,
client_id = NULL,
client_secret = NULL,
use_cache = c("disk", "memory"),
offline = TRUE,
chain = default_credential_chain(),
verbose = opts$get("chain_verbose")
)scopeOptional character string specifying the authentication scope.
tenant_idOptional character string specifying the tenant ID for authentication.
client_idOptional character string specifying the client ID for authentication.
client_secretOptional character string specifying the client secret for authentication.
use_cacheCharacter string indicating the caching strategy. Defaults
to "disk". Options include "disk" for disk-based caching or "memory"
for in-memory caching.
offlineLogical. If TRUE, adds 'offline_access' to the scope to request a 'refresh_token'.
Defaults to TRUE.
chainA list of credential objects, where each element must inherit
from the Credential base class. Credentials are attempted in the order
provided until get_token succeeds.
verboseLogical. If TRUE, prints the resolved credential provider
on first access. Defaults to the chain_verbose option
(options(azr.chain_verbose = ...) or AZR_CHAIN_VERBOSE); see
azr_options().
A new DefaultCredential object
get_token()
Get an access token using the credential chain
DefaultCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
DefaultCredential$req_auth(req)
reqAn httr2::request() object
The request object with authentication configured
clone()
The objects of this class are cloneable with this method.
DefaultCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
# Create a DefaultCredential object cred <- DefaultCredential$new( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) ## Not run: # Get a token (triggers lazy initialization) token <- cred$get_token() # Authenticate a request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) # Or access the provider directly provider <- cred$provider ## End(Not run)# Create a DefaultCredential object cred <- DefaultCredential$new( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) ## Not run: # Get a token (triggers lazy initialization) token <- cred$get_token() # Authenticate a request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) # Or access the provider directly provider <- cred$provider ## End(Not run)
Authenticates a user through the device code flow. This flow is designed for devices that don't have a web browser or have input constraints.
The device code flow displays a code that the user must enter on another device with a web browser to complete authentication. This is ideal for CLI applications, headless servers, or devices without a browser.
The credential supports token caching to avoid repeated authentication. Tokens can be cached to disk or in memory.
azr::Credential -> azr::InteractiveCredential -> DeviceCodeCredential
new()
Create a new device code credential
DeviceCodeCredential$new( scope = NULL, tenant_id = NULL, client_id = default_azure_cli_client_id(), use_cache = "disk", offline = TRUE, allow_prompt = TRUE, use_refresh_token = TRUE, interactive = NULL )
scopeA character string specifying the OAuth2 scope. Defaults to NULL.
tenant_idA character string specifying the Azure Active Directory
tenant ID. Defaults to NULL.
client_idA character string specifying the application (client) ID. Defaults to the Azure CLI public client ID.
use_cacheA character string specifying the cache type. Use "disk"
for disk-based caching or "memory" for in-memory caching. Defaults to "disk".
offlineA logical value indicating whether to request offline access
(refresh tokens). Defaults to TRUE.
allow_promptA logical value indicating whether this credential
may prompt the user (vs. only reading cached/refresh tokens). Defaults
to TRUE.
use_refresh_tokenA logical value indicating whether to use the login flow
(acquire tokens via refresh token exchange). Defaults to TRUE.
interactiveDeprecated. Use allow_prompt instead.
A new DeviceCodeCredential object
clone()
The objects of this class are cloneable with this method.
DeviceCodeCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
# DeviceCodeCredential requires an interactive session ## Not run: # Create credential with default settings cred <- DeviceCodeCredential$new() # Get an access token (will prompt for 'device code' flow) token <- cred$get_token() # Force re-authentication token <- cred$get_token(reauth = TRUE) # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") req <- cred$req_auth(req) ## End(Not run)# DeviceCodeCredential requires an interactive session ## Not run: # Create credential with default settings cred <- DeviceCodeCredential$new() # Get an access token (will prompt for 'device code' flow) token <- cred$get_token() # Force re-authentication token <- cred$get_token(reauth = TRUE) # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") req <- cred$req_auth(req) ## End(Not run)
Creates a function that retrieves authentication tokens and formats them as HTTP Authorization headers. This function handles credential discovery and returns a callable method that generates Bearer token headers when invoked.
get_credential_auth( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )get_credential_auth( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
client_secret |
Optional character string specifying the client secret for authentication. |
use_cache |
Character string indicating the caching strategy. Defaults
to |
offline |
Logical. If |
chain |
A list of credential objects, where each element must inherit
from the |
A function that, when called, returns a named list with an
Authorization element containing the Bearer token, suitable for use
with httr2::req_headers().
get_token(), get_request_authorizer(), get_token_provider()
## Not run: # Create an authentication function auth_fn <- get_credential_auth( scope = "https://graph.microsoft.com/.default" ) # Call it to get headers auth_headers <- auth_fn() # Use with httr2 req <- httr2::request("https://graph.microsoft.com/v1.0/me") |> httr2::req_headers(!!!auth_headers) ## End(Not run)## Not run: # Create an authentication function auth_fn <- get_credential_auth( scope = "https://graph.microsoft.com/.default" ) # Call it to get headers auth_headers <- auth_fn() # Use with httr2 req <- httr2::request("https://graph.microsoft.com/v1.0/me") |> httr2::req_headers(!!!auth_headers) ## End(Not run)
Discovers and returns an authenticated credential object from a chain of credential providers. This function attempts each credential in the chain until one successfully authenticates, returning the first successful credential object.
get_credential_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, oauth_host = NULL, oauth_endpoint = NULL, chain = NULL, allow_interactive = rlang::is_interactive(), verbose = opts$get("chain_verbose"), interactive = NULL )get_credential_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, oauth_host = NULL, oauth_endpoint = NULL, chain = NULL, allow_interactive = rlang::is_interactive(), verbose = opts$get("chain_verbose"), interactive = NULL )
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
client_secret |
Optional character string specifying the client secret for authentication. |
use_cache |
Character string indicating the caching strategy. Defaults
to |
offline |
Logical. If |
oauth_host |
Optional character string specifying the OAuth host URL. |
oauth_endpoint |
Optional character string specifying the OAuth endpoint. |
chain |
A list of credential objects, where each element must inherit
from the |
allow_interactive |
A logical value indicating whether interactive
credentials are allowed. Defaults to |
verbose |
A logical value indicating whether to print verbose messages
during credential discovery. Defaults to the |
interactive |
Deprecated. Use |
A credential object that inherits from the Credential class and
has successfully authenticated.
get_token_provider(), get_request_authorizer(),
default_credential_chain()
## Not run: # Get a credential provider with default settings cred <- get_credential_provider( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) # Use the credential to get a token token <- cred$get_token() ## End(Not run)## Not run: # Get a credential provider with default settings cred <- get_credential_provider( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id" ) # Use the credential to get a token token <- cred$get_token() ## End(Not run)
Creates a request authorizer function that retrieves authentication credentials and returns a callable request authorization method. This function handles the credential discovery process and returns the request authentication method from the discovered credential object.
get_request_authorizer( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )get_request_authorizer( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
client_secret |
Optional character string specifying the client secret for authentication. |
use_cache |
Character string indicating the caching strategy. Defaults
to |
offline |
Logical. If |
chain |
A list of credential objects, where each element must inherit
from the |
A function that authorizes HTTP requests with appropriate credentials when called.
get_token_provider(), get_token()
# In non-interactive sessions, this function will return an error if the # environment is not setup with valid credentials. And in an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: req_auth <- get_request_authorizer( scope = "https://graph.microsoft.com/.default" ) req <- req_auth(httr2::request("https://graph.microsoft.com/v1.0/me")) ## End(Not run)# In non-interactive sessions, this function will return an error if the # environment is not setup with valid credentials. And in an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: req_auth <- get_request_authorizer( scope = "https://graph.microsoft.com/.default" ) req <- req_auth(httr2::request("https://graph.microsoft.com/v1.0/me")) ## End(Not run)
Retrieves an authentication token using the default token provider. This is a convenience function that combines credential discovery and token acquisition in a single step.
get_token( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )get_token( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
client_secret |
Optional character string specifying the client secret for authentication. |
use_cache |
Character string indicating the caching strategy. Defaults
to |
offline |
Logical. If |
chain |
A list of credential objects, where each element must inherit
from the |
An httr2::oauth_token() object.
get_token_provider(), get_request_authorizer()
# In non-interactive sessions, this function will return an error if the # environment is not setup with valid credentials. And in an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: token <- get_token( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id", client_id = "my-client-id", client_secret = "my-secret" ) ## End(Not run)# In non-interactive sessions, this function will return an error if the # environment is not setup with valid credentials. And in an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: token <- get_token( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id", client_id = "my-client-id", client_secret = "my-secret" ) ## End(Not run)
Creates a token provider function that retrieves authentication credentials and returns a callable token getter. This function handles the credential discovery process and returns the token acquisition method from the discovered credential object.
get_token_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )get_token_provider( scope = NULL, tenant_id = NULL, client_id = NULL, client_secret = NULL, use_cache = "disk", offline = TRUE, chain = default_credential_chain() )
scope |
Optional character string specifying the authentication scope. |
tenant_id |
Optional character string specifying the tenant ID for authentication. |
client_id |
Optional character string specifying the client ID for authentication. |
client_secret |
Optional character string specifying the client secret for authentication. |
use_cache |
Character string indicating the caching strategy. Defaults
to |
offline |
Logical. If |
chain |
A list of credential objects, where each element must inherit
from the |
A function that retrieves and returns an authentication token when called.
get_request_authorizer(), get_token()
# In non-interactive sessions, this function will return an error if the # environment is not set up with valid credentials. In an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: token_provider <- get_token_provider( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id", client_id = "my-client-id", client_secret = "my-secret" ) token <- token_provider() ## End(Not run)# In non-interactive sessions, this function will return an error if the # environment is not set up with valid credentials. In an interactive session # the user will be prompted to attempt one of the interactive authentication flows. ## Not run: token_provider <- get_token_provider( scope = "https://graph.microsoft.com/.default", tenant_id = "my-tenant-id", client_id = "my-client-id", client_secret = "my-secret" ) token <- token_provider() ## End(Not run)
Determines whether the current R session is running in a hosted environment such as Google Colab, VS Code, Kubernetes, or RStudio Server (non-localhost).
is_hosted_session()is_hosted_session()
This function checks for (in order):
Option override: if azr.hosted option is set, returns isTRUE() of its value
Google Colab: presence of the COLAB_RELEASE_TAG environment variable
VS Code: presence of the VSCODE_INJECTION or VSCODE_PROXY_URI environment variable
Kubernetes: presence of the KUBERNETES_SERVICE_HOST environment variable
RStudio Server: RSTUDIO_PROGRAM_MODE is "server" and
RSTUDIO_HTTP_REFERER does not contain "localhost"
A logical value: TRUE if running in a hosted session (Google Colab,
VS Code, Kubernetes, or remote RStudio Server), FALSE otherwise.
if (is_hosted_session()) { message("Running in a hosted environment") }if (is_hosted_session()) { message("Running in a hosted environment") }
Authenticates using an Azure managed identity. Supports both system-assigned and user-assigned managed identities. This credential works when code is running inside an Azure environment that has a managed identity configured (e.g., VMs, App Service, Container Instances, AKS pods).
Authentication is performed by querying the Azure Instance Metadata Service
(IMDS) endpoint at http://169.254.169.254/metadata/identity/oauth2/token.
No credentials need to be stored — the identity is granted by the Azure
platform.
To use a system-assigned managed identity, leave client_id as NULL.
To use a user-assigned managed identity, supply its client_id.
This credential fails immediately (2-second timeout) when not running inside Azure, so it is safe to include early in a credential chain.
azr::Credential -> ManagedIdentityCredential
.msi_client_idClient ID for user-assigned managed identity, or
NULL for system-assigned.
new()
Create a new managed identity credential
ManagedIdentityCredential$new(scope = NULL, client_id = NULL)
scopeA character string specifying the OAuth2 scope. Defaults to the Azure Resource Manager scope.
client_idA character string specifying the client ID of a
user-assigned managed identity. Leave NULL (the default) to use the
system-assigned managed identity.
A new ManagedIdentityCredential object
get_token()
Get an access token from the IMDS endpoint
ManagedIdentityCredential$get_token()
Returns a valid in-object cached token immediately if one exists. Otherwise queries the Azure Instance Metadata Service (IMDS) for a new token.
An httr2::oauth_token() object containing the access token
req_auth()
Add managed identity authentication to an httr2 request
ManagedIdentityCredential$req_auth(req)
reqAn httr2::request() object
The request object with a Bearer token authorization header
clone()
The objects of this class are cloneable with this method.
ManagedIdentityCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # System-assigned managed identity (no client_id needed) cred <- ManagedIdentityCredential$new( scope = "https://management.azure.com/.default" ) # User-assigned managed identity cred <- ManagedIdentityCredential$new( scope = "https://management.azure.com/.default", client_id = "your-user-assigned-client-id" ) token <- cred$get_token() ## End(Not run)## Not run: # System-assigned managed identity (no client_id needed) cred <- ManagedIdentityCredential$new( scope = "https://management.azure.com/.default" ) # User-assigned managed identity cred <- ManagedIdentityCredential$new( scope = "https://management.azure.com/.default", client_id = "your-user-assigned-client-id" ) token <- cred$get_token() ## End(Not run)
Splits an Azure Storage URL or Hadoop filesystem path into its constituent parts. Supports all common Azure Storage path formats:
abfss:// / abfs://
Azure Data Lake Storage Gen2 (DFS endpoint), used by Spark / Hadoop.
wasbs:// / wasb://
Legacy Azure Blob filesystem scheme, used by older Spark / Hadoop integrations.
https:// / http://
Standard Azure Blob or DFS REST endpoint, optionally with a SAS token query string.
az:// / azure://
Non-standard aliases used by some Python tools
(e.g. adlfs); parsed using the same [email protected]/path
shape as abfs://.
The format field is inferred from the path on a best-effort basis:
"delta" when the path contains _delta_log; a file extension name
("parquet", "csv", "json", "avro", "orc", "text") when the
last path segment has a recognised extension; "folder" when there is no
extension; and NA for unrecognised extensions.
parse_storage_path(path)parse_storage_path(path)
path |
A character string containing the Azure Storage path to parse. |
An azure_storage_path object (a named list) with the fields:
schemeURL scheme, e.g. "abfss", "wasbs", "https".
storage_accountStorage account name.
endpointStorage endpoint type: "dfs" or "blob".
endpoint_suffixHost suffix after the endpoint label, e.g.
"core.windows.net" (Azure public), "core.usgovcloudapi.net"
(US Government), "core.chinacloudapi.cn" (China), or
"storage.azure.net" (DNS-zone endpoints). Use this to distinguish
sovereign clouds from the public cloud.
containerContainer name. Called "filesystem" in ADLS Gen2 / ABFS contexts; both refer to the same underlying object.
pathPath within the container, without a leading /. Empty
string if the URL points to the container root.
formatInferred dataset or file format (see above).
queryNamed list of query parameters (e.g. a parsed SAS token),
or NULL if none.
originalThe original input string.
parse_storage_path( "abfss://[email protected]/data/sales/2024" ) parse_storage_path( "https://myaccount.blob.core.windows.net/mycontainer/data/events.parquet" ) parse_storage_path( "wasbs://[email protected]/data/delta_table" )parse_storage_path( "abfss://[email protected]/data/sales/2024" ) parse_storage_path( "https://myaccount.blob.core.windows.net/mycontainer/data/events.parquet" ) parse_storage_path( "wasbs://[email protected]/data/delta_table" )
Authenticates using an existing refresh token. This credential is useful when you have obtained a refresh token through another authentication flow and want to use it to get new access tokens without interactive authentication.
The refresh token credential uses the OAuth 2.0 refresh token flow to obtain new access tokens. It requires a valid refresh token that was previously obtained through an interactive flow (e.g., authorization code or device code).
This is particularly useful for:
Non-interactive sessions where you have a pre-obtained refresh token
Long-running applications that need to refresh tokens automatically
Scenarios where you want to avoid repeated interactive authentication
azr::Credential -> RefreshTokenCredential
.refresh_tokenCharacter string containing the refresh token.
new()
Create a new refresh token credential
RefreshTokenCredential$new( refresh_token = default_refresh_token(), scope = NULL, tenant_id = NULL, client_id = NULL )
refresh_tokenA character string containing the refresh token.
Defaults to default_refresh_token() which reads from the
AZURE_REFRESH_TOKEN environment variable.
scopeA character string specifying the OAuth2 scope. Defaults to NULL.
tenant_idA character string specifying the Azure Active Directory
tenant ID. Defaults to NULL.
client_idA character string specifying the application (client) ID.
Defaults to NULL.
A new RefreshTokenCredential object
validate()
Validate the credential configuration
RefreshTokenCredential$validate()
Checks that the refresh token is provided and not NA or NULL. Calls the parent class validation method.
get_token()
Get an access token using the refresh token flow
RefreshTokenCredential$get_token()
An httr2::oauth_token() object containing the access token
req_auth()
Add OAuth refresh token authentication to an httr2 request
RefreshTokenCredential$req_auth(req)
reqAn httr2::request() object
The request object with OAuth refresh token authentication configured
clone()
The objects of this class are cloneable with this method.
RefreshTokenCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create credential with a refresh token cred <- RefreshTokenCredential$new( refresh_token = "your-refresh-token", scope = "https://management.azure.com/.default", tenant_id = "your-tenant-id", client_id = "your-client-id" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)## Not run: # Create credential with a refresh token cred <- RefreshTokenCredential$new( refresh_token = "your-refresh-token", scope = "https://management.azure.com/.default", tenant_id = "your-tenant-id", client_id = "your-client-id" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)
Authenticates using Azure Workload Identity by reading a federated token from a file and exchanging it for an Azure AD access token. This is commonly used in Kubernetes environments (AKS) where a service account token is mounted into the pod.
The credential implements the OAuth 2.0 client credentials flow with a JWT
bearer assertion (client_assertion). It reads the federated identity token
from a file on each call to get_token() so that token rotation by the
runtime (e.g., Kubernetes) is automatically picked up.
The following environment variables are used when parameters are not provided:
AZURE_CLIENT_ID: Client (application) ID of the Azure AD application
AZURE_TENANT_ID: Azure AD tenant ID
AZURE_FEDERATED_TOKEN_FILE: Path to the file containing the federated token
azr::Credential -> WorkloadIdentityCredential
.token_file_pathPath to the file containing the federated identity token
new()
Create a new Workload Identity credential
WorkloadIdentityCredential$new( scope = NULL, tenant_id = Sys.getenv(environment_variables$azure_tenant_id, unset = NA_character_), client_id = Sys.getenv(environment_variables$azure_client_id, unset = NA_character_), token_file_path = default_federated_token_file() )
scopeA character string specifying the OAuth2 scope. Defaults to the Azure Resource Manager scope.
tenant_idA character string specifying the Azure AD tenant ID.
Defaults to the AZURE_TENANT_ID environment variable.
client_idA character string specifying the client (application) ID.
Defaults to the AZURE_CLIENT_ID environment variable.
token_file_pathA character string specifying the path to the file
containing the federated identity token. Defaults to the
AZURE_FEDERATED_TOKEN_FILE environment variable.
A new WorkloadIdentityCredential object
validate()
Validate the credential configuration
WorkloadIdentityCredential$validate()
Checks that token_file_path is provided and not NA. Calls the parent
class validation method.
get_token()
Get an access token by exchanging the federated token
WorkloadIdentityCredential$get_token()
Returns a valid in-object cached token immediately if one exists. Otherwise reads the federated token from the file and exchanges it for a new access token so that token rotation performed by the runtime is automatically reflected.
An httr2::oauth_token() object containing the access token
req_auth()
Add authentication to an httr2 request
WorkloadIdentityCredential$req_auth(req)
reqAn httr2::request() object
The request object with a Bearer token authorization header
clone()
The objects of this class are cloneable with this method.
WorkloadIdentityCredential$clone(deep = FALSE)
deepWhether to make a deep clone.
## Not run: # Create credential using environment variables # (requires AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE) cred <- WorkloadIdentityCredential$new( scope = "https://management.azure.com/.default" ) # Or supply parameters directly cred <- WorkloadIdentityCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token", scope = "https://management.azure.com/.default" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)## Not run: # Create credential using environment variables # (requires AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE) cred <- WorkloadIdentityCredential$new( scope = "https://management.azure.com/.default" ) # Or supply parameters directly cred <- WorkloadIdentityCredential$new( tenant_id = "your-tenant-id", client_id = "your-client-id", token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token", scope = "https://management.azure.com/.default" ) # Get an access token token <- cred$get_token() # Use with httr2 request req <- httr2::request("https://management.azure.com/subscriptions") resp <- httr2::req_perform(cred$req_auth(req)) ## End(Not run)
Writes an httr2::oauth_token() object into the MSAL token cache JSON file
(msal_token_cache.json) shared by the Azure SDK and Azure CLI. The
resulting entry is readable by other Azure tools (Python SDK, Azure CLI,
and the rest of this package via az_cli_get_cached_token()).
write_msal_token(token, cache_file = default_msal_token_cache())write_msal_token(token, cache_file = default_msal_token_cache())
token |
An |
cache_file |
Path to the MSAL token cache JSON file. Defaults to
|
The function adds or overwrites AccessToken, RefreshToken (when the
token carries a refresh token), Account, and AppMetadata sections.
Existing entries for other accounts or clients are preserved.
The home_account_id follows the MSAL convention
"<object_id>.<tenant_id>" where object_id is the Azure AD OID of the
authenticated principal. Cache entry keys are built in the same format used
by the Azure CLI and MSAL Python:
AccessToken: <home_account_id>-<environment>-accesstoken-<client_id>-<realm>-<target>
RefreshToken: <home_account_id>-<environment>-refreshtoken-<client_id>--
Account: <home_account_id>-<environment>-<realm>
AppMetadata: appmetadata-<environment>-<client_id>
Invisibly returns the path to the cache file.
az_cli_get_cached_token(), httr2::oauth_token()