Agent-Skills.md

Agent Skills: Azure App Configuration SDK for Python

|

UncategorizedID: microsoft/agent-skills/azure-appconfiguration-py

Repository

microsoft/agent-skills
microsoftLicense: MIT
1,866206

Install this agent skill to your local

pnpm dlx add-skill https://github.com/microsoft/skills/tree/HEAD/.github/plugins/azure-sdk-python/skills/azure-appconfiguration-py

Skill Files

Browse the full folder contents for azure-appconfiguration-py.

Download Skill

Loading file tree…

.github/plugins/azure-sdk-python/skills/azure-appconfiguration-py/SKILL.md

Skill Metadata

Name
azure-appconfiguration-py
Description
|

Azure App Configuration SDK for Python

Centralized configuration management with feature flags and dynamic settings.

Installation

pip install azure-appconfiguration

Environment Variables

AZURE_APPCONFIGURATION_ENDPOINT=https://<name>.azconfig.io  # Required for Entra ID auth
AZURE_TOKEN_CREDENTIALS=prod # Required only if DefaultAzureCredential is used in production

Authentication & Lifecycle

πŸ”‘ Two rules apply to every code sample below:

  1. Prefer DefaultAzureCredential. It works locally (Azure CLI / VS Code / Developer CLI) and in Azure (managed identity, workload identity) with no code change. Avoid connection strings, account/API keys β€” they bypass Entra audit and rotation.
    • Local dev: DefaultAzureCredential works as-is.
    • Production: set AZURE_TOKEN_CREDENTIALS=prod (or AZURE_TOKEN_CREDENTIALS=<specific_credential>) to constrain the credential chain to production-safe credentials.
  2. Wrap every client in a context manager so HTTP transports, sockets, and token caches are released deterministically:
    • Sync: with <Client>(...) as client:
    • Async: async with <Client>(...) as client: and async with DefaultAzureCredential() as credential: (from azure.identity.aio)

Snippets may abbreviate this setup, but production code should always follow both rules.

import os
from azure.appconfiguration import AzureAppConfigurationClient
from azure.identity import DefaultAzureCredential, ManagedIdentityCredential

# Local dev: DefaultAzureCredential. Production: set AZURE_TOKEN_CREDENTIALS=prod or AZURE_TOKEN_CREDENTIALS=<specific_credential>
credential = DefaultAzureCredential(require_envvar=True)
# Or use a specific credential directly in production:
# See https://learn.microsoft.com/python/api/overview/azure/identity-readme?view=azure-python#credential-classes
# credential = ManagedIdentityCredential()

with AzureAppConfigurationClient(
    base_url=os.environ["AZURE_APPCONFIGURATION_ENDPOINT"],
    credential=credential
) as client:
    # Use client here (see following sections for operations)
    ...

Configuration Settings

Get Setting

setting = client.get_configuration_setting(key="app:settings:message")
print(f"{setting.key} = {setting.value}")

Get with Label

# Labels allow environment-specific values
setting = client.get_configuration_setting(
    key="app:settings:message",
    label="production"
)

Set Setting

from azure.appconfiguration import ConfigurationSetting

setting = ConfigurationSetting(
    key="app:settings:message",
    value="Hello, World!",
    label="development",
    content_type="text/plain",
    tags={"environment": "dev"}
)

client.set_configuration_setting(setting)

Delete Setting

client.delete_configuration_setting(
    key="app:settings:message",
    label="development"
)

List Settings

All Settings

settings = client.list_configuration_settings()
for setting in settings:
    print(f"{setting.key} [{setting.label}] = {setting.value}")

Filter by Key Prefix

settings = client.list_configuration_settings(
    key_filter="app:settings:*"
)

Filter by Label

settings = client.list_configuration_settings(
    label_filter="production"
)

Feature Flags

Set Feature Flag

from azure.appconfiguration import ConfigurationSetting
import json

feature_flag = ConfigurationSetting(
    key=".appconfig.featureflag/beta-feature",
    value=json.dumps({
        "id": "beta-feature",
        "enabled": True,
        "conditions": {
            "client_filters": []
        }
    }),
    content_type="application/vnd.microsoft.appconfig.ff+json;charset=utf-8"
)

client.set_configuration_setting(feature_flag)

Get Feature Flag

setting = client.get_configuration_setting(
    key=".appconfig.featureflag/beta-feature"
)
flag_data = json.loads(setting.value)
print(f"Feature enabled: {flag_data['enabled']}")

List Feature Flags

flags = client.list_configuration_settings(
    key_filter=".appconfig.featureflag/*"
)
for flag in flags:
    data = json.loads(flag.value)
    print(f"{data['id']}: {'enabled' if data['enabled'] else 'disabled'}")

Read-Only Settings

# Make setting read-only
client.set_read_only(
    configuration_setting=setting,
    read_only=True
)

# Remove read-only
client.set_read_only(
    configuration_setting=setting,
    read_only=False
)

Snapshots

Create Snapshot

from azure.appconfiguration import ConfigurationSnapshot, ConfigurationSettingFilter

snapshot = ConfigurationSnapshot(
    name="v1-snapshot",
    filters=[
        ConfigurationSettingFilter(key="app:*", label="production")
    ]
)

created = client.begin_create_snapshot(
    name="v1-snapshot",
    snapshot=snapshot
).result()

List Snapshot Settings

settings = client.list_configuration_settings(
    snapshot_name="v1-snapshot"
)

Async Client

from azure.appconfiguration.aio import AzureAppConfigurationClient
from azure.identity.aio import DefaultAzureCredential

async def main():
    async with DefaultAzureCredential() as credential:
        async with AzureAppConfigurationClient(
            base_url=endpoint,
            credential=credential
        ) as client:
            setting = await client.get_configuration_setting(key="app:message")
            print(setting.value)

Client Operations

| Operation | Description | |-----------|-------------| | get_configuration_setting | Get single setting | | set_configuration_setting | Create or update setting | | delete_configuration_setting | Delete setting | | list_configuration_settings | List with filters | | set_read_only | Lock/unlock setting | | begin_create_snapshot | Create point-in-time snapshot | | list_snapshots | List all snapshots |

Best Practices

  1. Pick sync OR async and stay consistent. Do not mix azure.xxx sync clients with azure.xxx.aio async clients in the same call path. Choose one mode per module.
  2. Always use context managers for clients and async credentials. Wrap every client in with Client(...) as client: (sync) or async with Client(...) as client: (async). For async DefaultAzureCredential from azure.identity.aio, also use async with credential: so tokens and transports are cleaned up.
  3. Use labels for environment separation (dev, staging, prod)
  4. Use key prefixes for logical grouping (app:database:, app:cache:)
  5. Make production settings read-only to prevent accidental changes
  6. Create snapshots before deployments for rollback capability
  7. Use Entra ID instead of connection strings in production
  8. Refresh settings periodically in long-running applications
  9. Use feature flags for gradual rollouts and A/B testing