Azure TokenCredential that exchanges a VibeData Studio intent access token (vd_iat_*) at the Studio credential broker for downstream, audience-bound Azure tokens (Fabric SQL/API, OneLake storage, Key Vault, ARM). Works with dbt-fabricspark token_credential auth, dlt destinations, and Key Vault SecretClient.

Project description

vibedata-studio-azure-cred-broker

An Azure TokenCredential that mints downstream Azure / Microsoft Fabric tokens through the VibeData Studio credential broker.

Inside a Studio agent container the backend writes an intent-scoped bearer (vd_iat_*) to a tmpfs file. StudioAzureCredBroker reads that bearer and exchanges it at the broker's POST /token endpoint for a short-lived, audience-bound Azure access token (Fabric SQL, OneLake storage, Key Vault, Fabric API, ARM). The downstream credential is only ever minted by Studio.

Works with anything that speaks the azure-core TokenCredential protocol:

  • dbt-fabricspark (authentication: token_credential)
  • dlt destinations (OneLake / ADLS)
  • Key Vault SecretClient

How it resolves the broker

Pointers come from the environment, both overridable via constructor kwargs:

| Env var | Kwarg | Meaning |
|---|---|---|
| VD_CREDENTIAL_BROKER_URL | broker_url | Broker base URL (e.g. http://host.docker.internal:<port>/api/v1/credential-broker) |
| VD_CREDENTIAL_FILE | credential_file | tmpfs path holding the vd_iat_* bearer (/run/vd/credential) |

The bearer is re-read on every get_token call (the backend rotates it). Both pointers are required — the credential raises if either is missing.

Scope → audience map

get_token(scope) maps the requested Azure scope to a broker audience:

| Azure scope | Audience |
|---|---|
| https://database.windows.net/.default | sql |
| https://storage.azure.com/.default | storage |
| https://vault.azure.net/.default | vault |
| https://api.fabric.microsoft.com/.default | fabric_api |
| https://analysis.windows.net/powerbi/api/.default | fabric_cli |
| https://management.azure.com/.default | arm |

An unmapped scope raises ScopeNotAllowedError. Override or extend via the audience_map kwarg.
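
The flow described in the two sections above, as an added sketch that is not the package's own source: it refuses unmapped scopes before touching the bearer, re-reads the bearer file on each call, and posts to `/token`. The class name `SketchBrokerCredential`, the `post` transport hook, the JSON fields `audience`, `access_token` and `expires_on`, the `ValueError` types and the merge behaviour of `audience_map` are assumptions; the page documents only the environment variables, the `POST /token` path and the scope table.

```python
import json, os, urllib.request
from typing import NamedTuple

class AccessToken(NamedTuple):  # stand-in for azure.core.credentials.AccessToken
    token: str
    expires_on: int

class ScopeNotAllowedError(Exception):
    """The requested Azure scope has no broker audience."""

AUDIENCES = {  # scope -> audience, copied from the table above
    "https://database.windows.net/.default": "sql",
    "https://storage.azure.com/.default": "storage",
    "https://vault.azure.net/.default": "vault",
    "https://api.fabric.microsoft.com/.default": "fabric_api",
    "https://analysis.windows.net/powerbi/api/.default": "fabric_cli",
    "https://management.azure.com/.default": "arm",
}

def http_post(url, bearer, body):  # default transport; wire format is assumed
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {bearer}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class SketchBrokerCredential:  # hypothetical name
    def __init__(self, broker_url=None, credential_file=None,
                 audience_map=None, post=http_post):
        self.broker_url = broker_url or os.environ.get("VD_CREDENTIAL_BROKER_URL")
        self.credential_file = credential_file or os.environ.get("VD_CREDENTIAL_FILE")
        if not self.broker_url or not self.credential_file:
            raise ValueError("broker URL and credential file are both required")
        self.audience_map = {**AUDIENCES, **(audience_map or {})}  # assumed: merge
        self._post = post

    def get_token(self, *scopes, **kwargs):
        audience = self.audience_map.get(scopes[0]) if scopes else None
        if audience is None:  # refuse before the bearer is read or sent anywhere
            raise ScopeNotAllowedError(f"no broker audience for {scopes!r}")
        with open(self.credential_file, encoding="utf-8") as fh:
            bearer = fh.read().strip()  # re-read on every call: the backend rotates it
        if not bearer.startswith("vd_iat_"):
            raise ValueError("credential file does not hold a vd_iat_* bearer")
        reply = self._post(self.broker_url.rstrip("/") + "/token",
                           bearer, {"audience": audience})
        return AccessToken(reply["access_token"], int(reply["expires_on"]))
```

Passing a fake `post` callable lets the rotation and scope-rejection behaviour be checked without a running broker.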

dbt usage (profiles.yml)

my_project:
  outputs:
    ephemeral_dev:
      type: fabricspark
      method: livy
      authentication: token_credential
      credential_class: "vibedata_studio_azure_cred_broker.StudioAzureCredBroker"
      # No credential_kwargs needed — VD_CREDENTIAL_BROKER_URL and VD_CREDENTIAL_FILE
      # are read from the environment injected by Studio.
      endpoint: https://api.fabric.microsoft.com/v1
      workspaceid: "{{ env_var('EPHEMERAL_WORKSPACE_ID') }}"
      lakehouseid: "{{ env_var('EPHEMERAL_LAKEHOUSE_ID') }}"
      lakehouse:   "{{ env_var('EPHEMERAL_LAKEHOUSE_NAME') }}"
      schema:      "{{ env_var('EPHEMERAL_SCHEMA') }}"
  target: ephemeral_dev

dlt / Key Vault usage

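from azure.keyvault.secrets import SecretClient
from vibedata_studio_azure_cred_broker import StudioAzureCredBroker

# Placeholder: replace with the URL of your Key Vault.
vault_url = "https://<your-vault-name>.vault.azure.net"

# The broker URL and credential file are read from the environment.
client = SecretClient(vault_url=vault_url, credential=StudioAzureCredBroker())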

Download files

Source Distribution

vibedata_studio_azure_cred_broker-0.1.1.tar.gz (4.7 kB)

Hashes for vibedata_studio_azure_cred_broker-0.1.1.tar.gz
Algorithm Hash digest
SHA256 56216b5277574b049001b0e22e4c3297b3cb9475724fef95919354936409bd9c
MD5 6162278a6bc42a85cff4cff6756245f5
BLAKE2b-256 dbc53f426eee52f992a2d6c71e334bc5f4cde658bdd4e7a2e7b65fb567542f25

Hashes for vibedata_studio_azure_cred_broker-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 ca20ec59ed5f40cb2f612ebea9a0990e4bbc08cae5bb198f72564ee9e488c2e3
MD5 648f8bc41c3fc5117b772c7327e0b6b2
BLAKE2b-256 dc887fa9054e5595ed5bb56e1f007c2c39d8592572c21dbe1e921e4ddb3d4d00
