Authentication & Permissions - Azure Credentials for lazyaz
Credential chain

lazyaz authenticates using Azure's DefaultAzureCredential chain from the Azure SDK for Go (azidentity). The SDK tries credentials in this order: environment variables (a service principal from AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET or a certificate), workload identity, managed identity, the Azure CLI, then the Azure Developer CLI, stopping at the first one that yields a token. A source that is simply not configured is skipped; a source that is configured but fails to authenticate surfaces its error.
For local development you will almost always be using az login. If you can run az account show and see your subscription, you are good to go.

lazyaz also passes AdditionallyAllowedTenants: ["*"] when it builds the credential. By default a credential only issues tokens for the tenant it was configured for (for the Azure CLI credential, the tenant you logged into); with "*" it may request a token for any tenant your identity has access to, and the CLI credential asks az for a token scoped to that tenant on demand. That is what lets multi-tenant switching work without re-running az login. Note that this is a broad allowance: the tool can obtain tokens for every tenant your account can reach, not just the one you are currently looking at.
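The chain and tenant semantics described above, as an added example that is not lazyaz's code and does not use the real azidentity package: the types are simplified stand-ins for azcore's TokenCredential, AccessToken and TokenRequestOptions, the credential sources are fakes that behave like their real counterparts on a developer laptop, and "home-tenant", "tenant-b" and the token strings are constructed values. The chain skips sources that are unavailable and stops on any other error, modelled on azidentity's chained credential.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// AccessToken and TokenRequestOptions are simplified stand-ins for the azcore
// types (assumption of this example; the real types carry more fields).
type AccessToken struct{ Token string }

type TokenRequestOptions struct {
	Scopes   []string
	TenantID string // empty means "the tenant the credential was configured for"
}

// TokenCredential is the interface every source in the chain implements.
type TokenCredential interface {
	Name() string
	GetToken(ctx context.Context, opts TokenRequestOptions) (AccessToken, error)
}

// ErrCredentialUnavailable means "not configured here, try the next source".
var ErrCredentialUnavailable = errors.New("credential unavailable")

// ChainedCredential walks the sources in order and returns the first token.
// An unavailable source is skipped; any other error stops the chain so a
// misconfigured source is reported instead of silently papered over.
type ChainedCredential struct{ Sources []TokenCredential }

func (c *ChainedCredential) GetToken(ctx context.Context, opts TokenRequestOptions) (AccessToken, error) {
	var attempted []string
	for _, src := range c.Sources {
		tok, err := src.GetToken(ctx, opts)
		if err == nil {
			return tok, nil
		}
		attempted = append(attempted, fmt.Sprintf("%s: %v", src.Name(), err))
		if !errors.Is(err, ErrCredentialUnavailable) {
			break
		}
	}
	return AccessToken{}, fmt.Errorf("no credential produced a token: %v", attempted)
}

// unavailableCredential stands in for sources absent on a laptop
// (workload identity, managed identity, Azure Developer CLI).
type unavailableCredential struct{ name string }

func (u *unavailableCredential) Name() string { return u.name }
func (u *unavailableCredential) GetToken(context.Context, TokenRequestOptions) (AccessToken, error) {
	return AccessToken{}, fmt.Errorf("%s: %w", u.name, ErrCredentialUnavailable)
}

// envCredential stands in for EnvironmentCredential (service principal from env vars).
type envCredential struct{ configured bool }

func (e *envCredential) Name() string { return "Environment" }
func (e *envCredential) GetToken(context.Context, TokenRequestOptions) (AccessToken, error) {
	if !e.configured {
		return AccessToken{}, fmt.Errorf("AZURE_* variables not set: %w", ErrCredentialUnavailable)
	}
	return AccessToken{Token: "env-token"}, nil
}

// cliCredential stands in for AzureCLICredential: logged into one home tenant,
// and willing to issue for another tenant only if it is additionally allowed
// ("*" allows any tenant).
type cliCredential struct {
	homeTenant string
	allowed    []string
	loggedIn   bool
}

func (c *cliCredential) Name() string { return "AzureCLI" }

func (c *cliCredential) tenantAllowed(tenant string) bool {
	if tenant == "" || tenant == c.homeTenant {
		return true
	}
	for _, t := range c.allowed {
		if t == "*" || t == tenant {
			return true
		}
	}
	return false
}

func (c *cliCredential) GetToken(_ context.Context, opts TokenRequestOptions) (AccessToken, error) {
	if !c.loggedIn {
		return AccessToken{}, fmt.Errorf("not logged in, run az login: %w", ErrCredentialUnavailable)
	}
	if !c.tenantAllowed(opts.TenantID) {
		return AccessToken{}, fmt.Errorf("tenant %q not allowed; add it to AdditionallyAllowedTenants", opts.TenantID)
	}
	tenant := opts.TenantID
	if tenant == "" {
		tenant = c.homeTenant
	}
	// The real credential would run `az account get-access-token --tenant <id>` here.
	return AccessToken{Token: "cli-token-for-" + tenant}, nil
}

// NewDefaultChain builds the sources in DefaultAzureCredential order.
func NewDefaultChain(envConfigured bool, additionallyAllowedTenants []string) *ChainedCredential {
	return &ChainedCredential{Sources: []TokenCredential{
		&envCredential{configured: envConfigured},
		&unavailableCredential{name: "WorkloadIdentity"},
		&unavailableCredential{name: "ManagedIdentity"},
		&cliCredential{homeTenant: "home-tenant", allowed: additionallyAllowedTenants, loggedIn: true},
		&unavailableCredential{name: "AzureDeveloperCLI"},
	}}
}

func main() {
	opts := TokenRequestOptions{Scopes: []string{"https://management.azure.com/.default"}, TenantID: "tenant-b"}
	for _, allowed := range [][]string{nil, {"*"}} {
		tok, err := NewDefaultChain(false, allowed).GetToken(context.Background(), opts)
		fmt.Printf("allowed=%v token=%q err=%v\n", allowed, tok.Token, err)
	}
}
```

Running it shows the two behaviours side by side: with no additionally allowed tenants the request for tenant-b is refused with a clear error, and with "*" the CLI source issues a token for tenant-b without a fresh login.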
How access works

Resource discovery (listing subscriptions, storage accounts, namespaces, vaults) uses ARM, the management plane. For data-plane calls (reading blobs, peeking messages) lazyaz tries Azure AD first and only falls back to shared keys, fetched through the ARM ListKeys operation, when AAD returns a specific data-plane authorization error; this mirrors how Azure Storage Explorer behaves. Other failures (a missing container, a network error) are not retried with a key. If the account has shared-key access disabled, the AAD path must succeed; otherwise lazyaz surfaces the auth error rather than hiding it.

Two consequences worth knowing: the fallback only triggers if your ARM role can call ListKeys, and when it does, lazyaz is holding the account key, which grants full access to that account's data plane regardless of any data-plane RBAC. If you want least privilege, assign the data-plane roles below so the AAD path succeeds and the key is never fetched.
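The fallback decision as an added example, written here to show the policy rather than taken from lazyaz's source. The Account type and its fields are a constructed in-memory stand-in for a storage account and the caller's rights on it, so the example runs offline; the error codes AuthorizationPermissionMismatch (AAD identity lacks a data role) and KeyBasedAuthenticationNotPermitted (shared key disabled on the account) are the ones Azure Storage returns in those situations, while the DataPlaneError type itself is this example's, not an SDK type.

```go
package main

import (
	"errors"
	"fmt"
)

// Auth selects how a data-plane request is signed.
type Auth int

const (
	AuthAAD       Auth = iota // bearer token from the credential chain
	AuthSharedKey             // account key obtained through ARM ListKeys
)

// DataPlaneError mirrors the status and error code in a failed Storage response
// (stand-in type for this example, not an SDK type).
type DataPlaneError struct {
	Status int
	Code   string
}

func (e *DataPlaneError) Error() string { return fmt.Sprintf("%d %s", e.Status, e.Code) }

// shouldFallBackToSharedKey is the gate: only "authenticated, but no data-plane
// role" (403 AuthorizationPermissionMismatch) justifies fetching the key. A 404,
// a transport error or a shared-key rejection never does.
func shouldFallBackToSharedKey(err error) bool {
	var dpe *DataPlaneError
	return errors.As(err, &dpe) && dpe.Status == 403 && dpe.Code == "AuthorizationPermissionMismatch"
}

// Account is a constructed stand-in for a storage account plus the caller's
// effective rights on it, so the policy can be exercised offline.
type Account struct {
	HasDataRole      bool // caller holds Storage Blob Data Reader/Contributor
	CanListKeys      bool // caller's ARM role permits Microsoft.Storage/storageAccounts/listKeys/action
	SharedKeyEnabled bool // account property AllowSharedKeyAccess
	Containers       []string
}

// listContainers simulates the data-plane call under a given auth mode.
func (a *Account) listContainers(auth Auth) ([]string, error) {
	switch auth {
	case AuthAAD:
		if !a.HasDataRole {
			return nil, &DataPlaneError{Status: 403, Code: "AuthorizationPermissionMismatch"}
		}
	case AuthSharedKey:
		if !a.SharedKeyEnabled {
			return nil, &DataPlaneError{Status: 403, Code: "KeyBasedAuthenticationNotPermitted"}
		}
	}
	return a.Containers, nil
}

// listKeys simulates the ARM ListKeys call (management plane, not data plane).
func (a *Account) listKeys() (string, error) {
	if !a.CanListKeys {
		return "", errors.New("ARM AuthorizationFailed: listKeys/action")
	}
	return "constructed-account-key", nil
}

// ListContainers applies the policy: AAD first, shared key only on the specific
// permission-mismatch error, every failure surfaced with its cause. It returns
// the containers and which auth mode finally succeeded.
func ListContainers(a *Account) ([]string, string, error) {
	names, aadErr := a.listContainers(AuthAAD)
	if aadErr == nil {
		return names, "aad", nil
	}
	if !shouldFallBackToSharedKey(aadErr) {
		return nil, "", aadErr
	}
	if _, err := a.listKeys(); err != nil {
		return nil, "", fmt.Errorf("AAD rejected (%v) and key fallback unavailable: %w", aadErr, err)
	}
	names, keyErr := a.listContainers(AuthSharedKey)
	if keyErr != nil {
		return nil, "", fmt.Errorf("AAD rejected (%v) and shared key rejected: %w", aadErr, keyErr)
	}
	return names, "sharedkey", nil
}

func main() {
	cases := map[string]*Account{
		"data role":            {HasDataRole: true, Containers: []string{"logs"}},
		"contributor only":     {CanListKeys: true, SharedKeyEnabled: true, Containers: []string{"logs"}},
		"contributor, key off": {CanListKeys: true, Containers: []string{"logs"}},
		"reader only":          {SharedKeyEnabled: true, Containers: []string{"logs"}},
	}
	for label, acct := range cases {
		names, mode, err := ListContainers(acct)
		fmt.Printf("%-22s names=%v mode=%q err=%v\n", label, names, mode, err)
	}
}
```

The four cases in main correspond to the rows of the permissions table: a data-plane role succeeds over AAD and never touches the key; Contributor without a data role succeeds only through the key; Contributor on an account with shared key disabled gets both errors back; and Reader alone can neither read nor fetch the key.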
Permissions

A Contributor role on the relevant resource groups generally covers Blob Storage and Service Bus, but only indirectly: Contributor carries no data-plane rights of its own, it simply lets lazyaz call ListKeys and fall back to the account or namespace keys. Key Vault has no key-based fallback and uses separate role assignments per object kind; whether a vault honours RBAC roles or access policies is a per-vault setting (the permission model), so use whichever your vault is configured for.

| Service | What it needs | Why |
|---|---|---|
| Browsing (all) | Reader | List subscriptions, accounts, namespaces, vaults via ARM |
| Blob Storage | Contributor or Storage Account Key Operator Service Role (for shared-key fallback); or Storage Blob Data Reader/Contributor (AAD path, required on accounts with shared key disabled) | Read containers, list/download blobs |
| Service Bus | Contributor (or any role that can ListKeys the namespace authorization rules), or Azure Service Bus Data Receiver for the AAD path; cross-namespace move targets need Azure Service Bus Data Sender on the target | Read/peek messages; the Send claim for cross-namespace moves is AAD-only |
| Key Vault, secrets | Vault access policy (get/list secrets) or Key Vault Secrets User | Read secret values |
| Key Vault, certificates | Vault access policy or Key Vault Certificate User (read/list); importing into the vault needs Key Vault Certificates Officer | Import and list certificates |
| Key Vault, keys | Vault access policy or Key Vault Crypto User (Key Vault Reader is enough to list key metadata) | List and inspect keys |