Crate azure_identity

Expand description

§Azure Identity client library for Rust

The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) authentication support across the Azure SDK.

Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation

§Getting started

§Install the package

Install the Azure Identity library for Rust with cargo:

cargo add azure_identity

§Prerequisites

An Azure subscription.

§Authenticate during local development

The Azure Identity library supports authenticating through developer tools to simplify local development and debugging.

§Authenticate via the Azure CLI

DeveloperToolsCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To log in to the Azure CLI, run az login as described in Azure CLI documentation.

§Authenticate via the Azure Developer CLI

DeveloperToolsCredential and AzureDeveloperCliCredential can authenticate as the user signed in to the Azure Developer CLI. To log in to the Azure Developer CLI, run azd auth login as described in Azure Developer CLI documentation.

§Key concepts

§Credentials

A credential is a struct that can acquire access tokens for Azure resources. The Azure Identity library offers various credentials for use by Azure SDK service clients. See the Credential structures section for a list of this library’s credentials.

§Examples

§Authenticate with `DeveloperToolsCredential`

DeveloperToolsCredential simplifies authentication while developing apps. It attempts to authenticate via a series of developer tools such as the Azure CLI, stopping when one succeeds. After receiving a token from a particular tool, it uses that tool for all subsequent token requests. See the type’s reference documentation for more details.

This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DeveloperToolsCredential.

use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = SecretClient::new("https://TODO.vault.azure.net/", credential.clone(), None)?;

§Authenticating with a Federated Identity Credential (FIC)

This example demonstrates how to authenticate an Entra application with an access token from a managed identity. See Configure an application to trust a managed identity for more information about this scenario. This example shows a Key Vault client, however the same approach can work with any Azure SDK client that uses a TokenCredential.

use azure_core::credentials::TokenCredential;
use azure_core::http::ClientMethodOptions;
use azure_identity::{ClientAssertion, ClientAssertionCredential, ManagedIdentityCredential};
use azure_security_keyvault_secrets::SecretClient;
use std::sync::Arc;

#[derive(Debug)]
struct AccessTokenAssertion {
    credential: Arc<dyn TokenCredential>,
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl ClientAssertion for AccessTokenAssertion {
    async fn secret(&self, _: Option<ClientMethodOptions<'_>>) -> azure_core::Result<String> {
        Ok(self
            .credential
            .get_token(&[&"api://AzureADTokenExchange/.default"], None)
            .await?
            .token
            .secret()
            .to_string())
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let assertion = AccessTokenAssertion {
        credential: ManagedIdentityCredential::new(None)?,
    };

    // this credential exchanges the managed identity's tokens for the specified Entra application's tokens
    let credential = ClientAssertionCredential::new(
        String::from("tenant ID"),
        String::from("client ID"),
        assertion,
        None,
    )?;

    let _client = SecretClient::new("https://TODO.vault.azure.net/", credential.clone(), None)?;

    Ok(())
}

§Credential structures

§Developer tools

Credential	Usage
`AzureCliCredential`	Authenticate with Azure CLI.
`AzureDeveloperCliCredential`	Authenticate with Azure Developer CLI.
`DeveloperToolsCredential`	Simplified authentication for application development.

§Azure-hosted applications

Credential	Usage
`ManagedIdentityCredential`	Authenticate the managed identity of an Azure resource.
`WorkloadIdentityCredential`	Supports Workload Identity on Kubernetes.

§Service principals

See Service principal authentication for general information about service principals.

Credential	Usage
`AzurePipelinesCredential`	Authenticate an Azure Pipelines service connection.
`ClientAssertionCredential`	Authenticate a service principal with client assertions.
`ClientCertificateCredential`	Authenticate a service principal with a certificate.
`ClientSecretCredential`	Authenticate a service principal with a secret.

§Next steps

§Client library support

Client and management libraries listed on the Azure SDK release page that support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.

§Provide feedback

If you encounter bugs or have suggestions, open an issue.

§Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You’ll only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Structs§

AzureCliCredentialNon-WebAssembly: Authenticates the identity logged in to the Azure CLI.
AzureCliCredentialOptionsNon-WebAssembly: Options for constructing an AzureCliCredential.
AzureDeveloperCliCredentialNon-WebAssembly: Authenticates the identity logged in to the Azure Developer CLI.
AzureDeveloperCliCredentialOptionsNon-WebAssembly: Options for constructing an AzureDeveloperCliCredential.
AzurePipelinesCredential: Authenticates an Azure Pipelines service connection.
AzurePipelinesCredentialOptions: Options for constructing a new AzurePipelinesCredential.
ClientAssertionCredential: Authenticates an application with client assertions.
ClientAssertionCredentialOptions: Options for constructing a new ClientAssertionCredential.
ClientCertificateCredentialclient_certificate: Authenticates an application with a certificate.
ClientCertificateCredentialOptionsclient_certificate: Options for constructing a new ClientCertificateCredential.
ClientSecretCredential: Authenticates an application with a client secret.
ClientSecretCredentialOptions: Options for constructing a new ClientSecretCredential.
DeveloperToolsCredentialNon-WebAssembly: Authenticates through developer tools such as the Azure CLI.
DeveloperToolsCredentialOptionsNon-WebAssembly: Options for constructing a new DeveloperToolsCredential
ManagedIdentityCredential: Authenticates a managed identity from Azure App Service or an Azure Virtual Machine.
ManagedIdentityCredentialOptions: Options for constructing a new ManagedIdentityCredential.
WorkloadIdentityCredential: Authenticates an Entra Workload Identity on Kubernetes.
WorkloadIdentityCredentialOptions: Options for constructing a new WorkloadIdentityCredential.

Enums§

UserAssignedId: Identifies a specific user-assigned identity for ManagedIdentityCredential to authenticate.

Traits§

ClientAssertion: Represents an entity capable of supplying a client assertion.
ExecutorNon-WebAssembly: An async command runner.

Functions§

new_executorNon-WebAssembly: Creates a new Executor.