Azure TokenCredential that exchanges a VibeData Studio intent access token (vd_iat_*) at the Studio credential broker for downstream, audience-bound Azure tokens (Fabric SQL/API, OneLake storage, Key Vault, ARM). Works with dbt-fabricspark token_credential auth, dlt destinations, and Key Vault SecretClient.

Project description

vibedata-studio-azure-cred-broker

An Azure TokenCredential that mints downstream Azure / Microsoft Fabric tokens through the VibeData Studio credential broker.

Inside a Studio agent container the backend writes an intent-scoped bearer (vd_iat_*) to a tmpfs file. StudioAzureCredBroker reads that bearer and exchanges it at the broker's POST /token endpoint for a short-lived, audience-bound Azure access token (Fabric SQL, OneLake storage, Key Vault, Fabric API, ARM). The downstream credential is only ever minted by Studio.

Works with anything that speaks the azure-core TokenCredential protocol:

  • dbt-fabricspark (authentication: token_credential)
  • dlt destinations (OneLake / ADLS)
  • Key Vault SecretClient

How it resolves the broker

Pointers come from the environment, both overridable via constructor kwargs:

Env var             Kwarg            Meaning
VD_AZ_TOKEN_URL     broker_url       Broker base URL (e.g. http://host.docker.internal:<port>/api/v1/credential-broker)
VD_CREDENTIAL_FILE  credential_file  tmpfs path holding the vd_iat_* bearer (/run/vd/credential)

The bearer is re-read on every get_token call (the backend rotates it). Both pointers are required — the credential raises if either is missing.

Scope → audience map

get_token(scope) maps the requested Azure scope to a broker audience:

Azure scope                                        Audience
https://database.windows.net/.default              sql
https://storage.azure.com/.default                 storage
https://vault.azure.net/.default                   vault
https://api.fabric.microsoft.com/.default          fabric_api
https://analysis.windows.net/powerbi/api/.default  fabric_cli
https://management.azure.com/.default              arm

An unmapped scope raises ScopeNotAllowedError. Override or extend via the audience_map kwarg.
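
The resolution rules from the two sections above (both pointers required, bearer re-read on every call, unmapped scopes rejected), as an added sketch that is not the package's own code. The exchange callable is a hypothetical hook standing in for the broker's POST /token request, whose wire format this page does not give; the ValueError types, the vd_iat_ prefix check and merging audience_map over the defaults are assumptions.

```python
import os
from typing import Callable, Mapping, Optional

# Scope -> audience pairs copied from the table on this page.
DEFAULT_AUDIENCE_MAP = {
    "https://database.windows.net/.default": "sql",
    "https://storage.azure.com/.default": "storage",
    "https://vault.azure.net/.default": "vault",
    "https://api.fabric.microsoft.com/.default": "fabric_api",
    "https://analysis.windows.net/powerbi/api/.default": "fabric_cli",
    "https://management.azure.com/.default": "arm",
}


class ScopeNotAllowedError(Exception):
    """Stand-in for the package's exception of the same name."""


class BrokerCredentialSketch:
    """Models the documented behaviour; not the package's implementation."""

    def __init__(self, exchange: Callable[[str, str, str], str],
                 broker_url: Optional[str] = None,
                 credential_file: Optional[str] = None,
                 audience_map: Optional[Mapping[str, str]] = None,
                 env: Mapping[str, str] = os.environ):
        # Constructor kwargs override the environment pointers.
        self.broker_url = broker_url or env.get("VD_AZ_TOKEN_URL")
        self.credential_file = credential_file or env.get("VD_CREDENTIAL_FILE")
        if not self.broker_url or not self.credential_file:
            # Assumption: the page only says "raises"; ValueError is a guess.
            raise ValueError("VD_AZ_TOKEN_URL and VD_CREDENTIAL_FILE are required")
        # Assumption: audience_map entries are merged over the defaults.
        self.audience_map = {**DEFAULT_AUDIENCE_MAP, **(audience_map or {})}
        self._exchange = exchange  # hypothetical hook for POST /token

    def get_token(self, scope: str) -> str:
        # Fail closed: an unmapped scope never reaches the broker.
        if scope not in self.audience_map:
            raise ScopeNotAllowedError(scope)
        # Re-read on every call so a rotated bearer is picked up at once.
        with open(self.credential_file, encoding="utf-8") as fh:
            bearer = fh.read().strip()
        # Assumption: reject file contents that are not a vd_iat_* bearer.
        if not bearer.startswith("vd_iat_"):
            raise ValueError("credential file does not hold a vd_iat_* bearer")
        return self._exchange(self.broker_url, bearer, self.audience_map[scope])
```

The real credential returns an azure-core AccessToken; the sketch returns whatever the exchange hook yields so that it runs without azure-core installed.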

dbt usage (profiles.yml)

my_project:
  outputs:
    ephemeral_dev:
      type: fabricspark
      method: livy
      authentication: token_credential
      credential_class: "vibedata_studio_azure_cred_broker.StudioAzureCredBroker"
      # No credential_kwargs needed — VD_AZ_TOKEN_URL and VD_CREDENTIAL_FILE
      # are read from the environment injected by Studio.
      endpoint: https://api.fabric.microsoft.com/v1
      workspaceid: "{{ env_var('EPHEMERAL_WORKSPACE_ID') }}"
      lakehouseid: "{{ env_var('EPHEMERAL_LAKEHOUSE_ID') }}"
      lakehouse:   "{{ env_var('EPHEMERAL_LAKEHOUSE_NAME') }}"
      schema:      "{{ env_var('EPHEMERAL_SCHEMA') }}"
  target: ephemeral_dev

dlt / Key Vault usage

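from azure.keyvault.secrets import SecretClient
from vibedata_studio_azure_cred_broker import StudioAzureCredBroker

# Placeholder: replace with your vault's URL.
vault_url = "https://<your-vault-name>.vault.azure.net"

# No kwargs: VD_AZ_TOKEN_URL and VD_CREDENTIAL_FILE come from the environment.
client = SecretClient(vault_url=vault_url, credential=StudioAzureCredBroker())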

Source Distribution

vibedata_studio_azure_cred_broker-0.1.0.tar.gz (4.7 kB)

Hashes for vibedata_studio_azure_cred_broker-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       34c4d26477fecc4ea5f640a19448876dece35be23dc79f1eb7044caccd36750a
MD5          1345cc41963ed1de9733e4cc3a0f3697
BLAKE2b-256  7a92ac76fca31f3b6381f058de136d437865b538654a36507b83ee3ed3a9f048

Hashes for vibedata_studio_azure_cred_broker-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       eb0d5918ec11d05b1ad74b65cb81fd0db8548440d7048d88b6c6cf53721f0f22
MD5          7d9c3a281d672fb41c18ada52d8edf38
BLAKE2b-256  8c9570ff120bc5395dbdbf07d38556e116eda9acc03213b4682dd28889b439d0
