Azure TokenCredential that exchanges a VibeData Studio intent access token (vd_iat_*) at the Studio credential broker for downstream, audience-bound Azure tokens (Fabric SQL/API, OneLake storage, Key Vault, ARM). Works with dbt-fabricspark token_credential auth, dlt destinations, and Key Vault SecretClient.
Project description
vibedata-studio-azure-cred-broker
An Azure TokenCredential that mints downstream Azure / Microsoft Fabric tokens through the VibeData Studio credential broker.
Inside a Studio agent container the backend writes an intent-scoped bearer
(vd_iat_*) to a tmpfs file. StudioAzureCredBroker reads that bearer and
exchanges it at the broker's POST /token endpoint for a short-lived,
audience-bound Azure access token (Fabric SQL, OneLake storage, Key Vault,
Fabric API, ARM). The downstream credential is only ever minted by Studio.
Works with anything that speaks the azure-core TokenCredential protocol:
- dbt-fabricspark (authentication: token_credential)
- dlt destinations (OneLake / ADLS)
- Key Vault SecretClient
How it resolves the broker
Pointers come from the environment, both overridable via constructor kwargs:
| Env var | Kwarg | Meaning |
|---|---|---|
| VD_CREDENTIAL_BROKER_URL | broker_url | Broker base URL (e.g. http://host.docker.internal:<port>/api/v1/credential-broker) |
| VD_CREDENTIAL_FILE | credential_file | tmpfs path holding the vd_iat_* bearer (/run/vd/credential) |
The bearer is re-read on every get_token call (the backend rotates it).
Both pointers are required — the credential raises if either is missing.
Scope → audience map
get_token(scope) maps the requested Azure scope to a broker audience:
| Azure scope | Audience |
|---|---|
| https://database.windows.net/.default | sql |
| https://storage.azure.com/.default | storage |
| https://vault.azure.net/.default | vault |
| https://api.fabric.microsoft.com/.default | fabric_api |
| https://analysis.windows.net/powerbi/api/.default | fabric_cli |
| https://management.azure.com/.default | arm |
An unmapped scope raises ScopeNotAllowedError. Override or extend via the
audience_map kwarg.
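The resolution steps from the two sections above, modelled as an added sketch that is not the package's own code: pointers from the environment or kwargs, a per-call re-read of the bearer file, and a fail-closed scope lookup. `BrokerCredentialSketch`, `exchange`, `demo`, the `ValueError` and the merge behaviour of `audience_map` are assumptions; the broker's POST /token wire format is not given on this page, so the exchange is an injected callable.

```python
import os
import tempfile

# Scope -> audience table copied from this page.
DEFAULT_AUDIENCE_MAP = {
    "https://database.windows.net/.default": "sql",
    "https://storage.azure.com/.default": "storage",
    "https://vault.azure.net/.default": "vault",
    "https://api.fabric.microsoft.com/.default": "fabric_api",
    "https://analysis.windows.net/powerbi/api/.default": "fabric_cli",
    "https://management.azure.com/.default": "arm",
}

class ScopeNotAllowedError(Exception):
    """Local stand-in for the package's exception of the same name."""

class BrokerCredentialSketch:
    """Hypothetical model of the documented behaviour, not the package's class."""
    def __init__(self, exchange, broker_url=None, credential_file=None, audience_map=None):
        # Kwargs override the environment; both pointers are required.
        self.broker_url = broker_url or os.environ.get("VD_CREDENTIAL_BROKER_URL")
        self.credential_file = credential_file or os.environ.get("VD_CREDENTIAL_FILE")
        if not (self.broker_url and self.credential_file):
            raise ValueError("both pointers are required")  # exception type assumed
        # Assumed semantics: the kwarg is merged over the defaults.
        self.audience_map = {**DEFAULT_AUDIENCE_MAP, **(audience_map or {})}
        self.exchange = exchange  # injected stand-in for the broker's POST /token

    def get_token(self, scope):
        if scope not in self.audience_map:  # fail closed before any broker call
            raise ScopeNotAllowedError(scope)
        with open(self.credential_file, encoding="utf-8") as fh:
            bearer = fh.read().strip()  # re-read every call to follow rotation
        return self.exchange(self.broker_url, bearer, self.audience_map[scope])

def demo():
    """Rotate a constructed bearer between two calls; return what was sent."""
    sent = []
    def fake_exchange(url, bearer, audience):
        sent.append((bearer, audience))
        return "token-for-" + audience
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credential")
        cred = BrokerCredentialSketch(fake_exchange, "http://broker.invalid", path)
        for bearer, scope in (("vd_iat_constructed_1", "https://vault.azure.net/.default"),
                              ("vd_iat_constructed_2", "https://storage.azure.com/.default")):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(bearer + "\n")
            cred.get_token(scope)
    return sent
```

Because the scope check runs before the file read, a request for an unmapped scope never touches the bearer at all.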
dbt usage (profiles.yml)
```yaml
my_project:
  outputs:
    ephemeral_dev:
      type: fabricspark
      method: livy
      authentication: token_credential
      credential_class: "vibedata_studio_azure_cred_broker.StudioAzureCredBroker"
      # No credential_kwargs needed — VD_CREDENTIAL_BROKER_URL and VD_CREDENTIAL_FILE
      # are read from the environment injected by Studio.
      endpoint: https://api.fabric.microsoft.com/v1
      workspaceid: "{{ env_var('EPHEMERAL_WORKSPACE_ID') }}"
      lakehouseid: "{{ env_var('EPHEMERAL_LAKEHOUSE_ID') }}"
      lakehouse: "{{ env_var('EPHEMERAL_LAKEHOUSE_NAME') }}"
      schema: "{{ env_var('EPHEMERAL_SCHEMA') }}"
  target: ephemeral_dev
```
dlt / Key Vault usage
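```python
from azure.keyvault.secrets import SecretClient
from vibedata_studio_azure_cred_broker import StudioAzureCredBroker

# vault_url must already hold your vault's URL, e.g. "https://<vault-name>.vault.azure.net".
client = SecretClient(vault_url=vault_url, credential=StudioAzureCredBroker())
```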
File details
Details for the file vibedata_studio_azure_cred_broker-0.1.1.tar.gz.
File metadata
- Download URL: vibedata_studio_azure_cred_broker-0.1.1.tar.gz
- Upload date:
- Size: 4.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15
File details
Details for the file vibedata_studio_azure_cred_broker-0.1.1-py3-none-any.whl.
File metadata
- Download URL: vibedata_studio_azure_cred_broker-0.1.1-py3-none-any.whl
- Upload date:
- Size: 4.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.15