Microsoft Entra ID
Use Microsoft Entra ID when you do not want to use account keys.
This SDK supports token-based authentication via TokenCredential implementations such as DefaultAzureCredential, ClientSecretCredential, ClientCertificateCredential and WorkloadIdentityCredential.
Prerequisites
Your identity must have Azure RBAC permissions on the storage account (or narrower scope). Common roles:
- Storage Queue Data Contributor (read/write)
- Storage Queue Data Reader (read-only)
Quickstart
DefaultAzureCredential is the easiest default option.
<?php
use AzureOss\Identity\DefaultAzureCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new DefaultAzureCredential();
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
Credentials
DefaultAzureCredential
DefaultAzureCredential tries these sources in this order and uses the first one that can get a token:
- Environment-based service principal settings:
  AZURE_TENANT_ID, AZURE_CLIENT_ID, and either AZURE_CLIENT_SECRET or AZURE_CLIENT_CERTIFICATE_PATH (optional: AZURE_CLIENT_CERTIFICATE_PASSWORD)
- Workload identity
- Managed identity (experimental)
Example:
<?php
use AzureOss\Identity\DefaultAzureCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new DefaultAzureCredential();
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
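The credential chain above, as an added example that is not part of the SDK's documentation or code: an explicit, deterministic resolver that selects one TokenCredential from the environment in the order listed, and validates the storage account name before it is interpolated into the endpoint. It uses only the constructors shown on this page; the helper functions (envOrNull, queueEndpoint, resolveCredential) and the certificate-before-secret preference are this example's own choices, not SDK behaviour.

```php
<?php
// Added example (not from the SDK docs): pick a TokenCredential explicitly from
// the environment, in the same order DefaultAzureCredential probes, and build
// the queue endpoint only after validating the account name. Assumes the
// constructors shown on this page; the helper names are this example's own.

declare(strict_types=1);

use AzureOss\Identity\ClientCertificateCredential;
use AzureOss\Identity\ClientSecretCredential;
use AzureOss\Identity\WorkloadIdentityCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;

/** Read an environment variable, treating "" and unset the same way. */
function envOrNull(string $name): ?string
{
    $value = getenv($name);
    return ($value === false || $value === '') ? null : $value;
}

/**
 * Build the queue endpoint. Storage account names are 3-24 lowercase letters
 * and digits; rejecting anything else stops a missing or tampered variable
 * from producing a URL such as https://.queue.core.windows.net/ or one whose
 * host lies outside core.windows.net.
 */
function queueEndpoint(string $accountName): Uri
{
    if (preg_match('/^[a-z0-9]{3,24}$/', $accountName) !== 1) {
        throw new InvalidArgumentException('Invalid storage account name');
    }
    return new Uri("https://{$accountName}.queue.core.windows.net/");
}

/**
 * Resolve a credential deterministically. The order mirrors the chain
 * described above: service principal (certificate preferred over secret,
 * an assumption of this example), then workload identity. Managed identity
 * is left out on purpose because it is experimental in this SDK; failing
 * with a clear message beats a surprising fallback.
 */
function resolveCredential(): ClientCertificateCredential|ClientSecretCredential|WorkloadIdentityCredential
{
    $tenantId = envOrNull('AZURE_TENANT_ID');
    $clientId = envOrNull('AZURE_CLIENT_ID');

    if ($tenantId !== null && $clientId !== null) {
        if (($certPath = envOrNull('AZURE_CLIENT_CERTIFICATE_PATH')) !== null) {
            if (!is_readable($certPath)) {
                throw new RuntimeException("Certificate file is not readable: {$certPath}");
            }
            return new ClientCertificateCredential(
                tenantId: $tenantId,
                clientId: $clientId,
                clientCertificatePath: $certPath,
                clientCertificatePassword: envOrNull('AZURE_CLIENT_CERTIFICATE_PASSWORD'),
            );
        }
        if (($secret = envOrNull('AZURE_CLIENT_SECRET')) !== null) {
            return new ClientSecretCredential(
                tenantId: $tenantId,
                clientId: $clientId,
                clientSecret: $secret,
            );
        }
        if (envOrNull('AZURE_FEDERATED_TOKEN_FILE') !== null) {
            return new WorkloadIdentityCredential();
        }
    }

    throw new RuntimeException(
        'No Entra ID credential configured: set AZURE_TENANT_ID and AZURE_CLIENT_ID plus '
        . 'AZURE_CLIENT_CERTIFICATE_PATH, AZURE_CLIENT_SECRET or AZURE_FEDERATED_TOKEN_FILE'
    );
}

$accountName = envOrNull('AZURE_STORAGE_ACCOUNT_NAME')
    ?? throw new RuntimeException('AZURE_STORAGE_ACCOUNT_NAME is not set');

$service = new QueueServiceClient(queueEndpoint($accountName), resolveCredential());
```

Resolving the credential yourself trades DefaultAzureCredential's convenience for predictability: a misconfigured deployment fails at startup with a precise message instead of silently probing other sources, and the credential type actually chosen can be logged. The account-name check matters because getenv() returns false for an unset variable, which the one-line endpoint construction above would turn into the host .queue.core.windows.net.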
Service principal
If you set the environment variables listed above, DefaultAzureCredential automatically authenticates using them.
If you prefer to be explicit, use ClientSecretCredential:
<?php
use AzureOss\Identity\ClientSecretCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new ClientSecretCredential(
tenantId: getenv('AZURE_TENANT_ID'),
clientId: getenv('AZURE_CLIENT_ID'),
clientSecret: getenv('AZURE_CLIENT_SECRET'),
);
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
If you use certificate authentication, use ClientCertificateCredential:
<?php
use AzureOss\Identity\ClientCertificateCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new ClientCertificateCredential(
tenantId: getenv('AZURE_TENANT_ID'),
clientId: getenv('AZURE_CLIENT_ID'),
clientCertificatePath: getenv('AZURE_CLIENT_CERTIFICATE_PATH'),
clientCertificatePassword: getenv('AZURE_CLIENT_CERTIFICATE_PASSWORD') ?: null,
);
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
Workload identity (federated credentials)
For Kubernetes or other OIDC-based federation scenarios, use WorkloadIdentityCredential.
Typical configuration uses:
- AZURE_TENANT_ID
- AZURE_CLIENT_ID
- AZURE_FEDERATED_TOKEN_FILE
Example:
<?php
use AzureOss\Identity\WorkloadIdentityCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new WorkloadIdentityCredential();
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
Managed identity (experimental)
ManagedIdentityCredential is experimental. This credential can be difficult to test reliably because most managed identity endpoints are only available from within the corresponding Azure runtime (IMDS, App Service/Functions, Arc, etc.). If you try this in a real environment and it works (or fails), please let us know which environment you used and any relevant HTTP status/error details.
Example:
<?php
use AzureOss\Identity\ManagedIdentityCredential;
use AzureOss\Storage\Queue\QueueServiceClient;
use GuzzleHttp\Psr7\Uri;
$credential = new ManagedIdentityCredential();
$endpoint = new Uri('https://'.getenv('AZURE_STORAGE_ACCOUNT_NAME').'.queue.core.windows.net/');
$service = new QueueServiceClient($endpoint, $credential);
Notes
- Token-based credentials cannot sign SAS tokens. For SAS-based workflows, use access keys (shared key) to create SAS tokens outside this SDK.