Crate azure_identity


§Azure Identity client library for Rust

The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Microsoft Entra token authentication.

Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation

§Getting started

§Install the package

Install the Azure Identity library for Rust with cargo:

cargo add azure_identity

§Prerequisites

  • An Azure subscription.
  • The Azure CLI can also be useful for authenticating in a development environment, creating accounts, and managing account roles.

§Authenticate during local development

When debugging and executing code locally, it’s typical for developers to use their own accounts for authenticating calls to Azure services. The Azure Identity library supports authenticating through developer tools to simplify local development.

§Authenticate via the Azure CLI

DefaultAzureCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To sign in to the Azure CLI, run az login. On a system with a default web browser, the Azure CLI launches the browser to authenticate a user.

When no default browser is available, az login uses the device code authentication flow. This flow can also be selected manually by running az login --use-device-code.

§Key concepts

§Credentials

A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept a credential instance when they’re constructed, and use that credential to authenticate requests.

The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID. It offers various credential classes capable of acquiring a Microsoft Entra access token. See the Credential classes section for a list of this library’s credential classes.

§DefaultAzureCredential

DefaultAzureCredential simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development.

§Continuation policy

DefaultAzureCredential attempts to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, and DefaultAzureCredential will simply continue to the next credential in the flow. Deployed service credentials, by contrast, stop the flow by returning an error if they are able to attempt token retrieval but don’t receive a token.

This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
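The continuation policy above, modelled as a self-contained example added here (it is not code from the azure_identity crate and performs no real token request). The types Kind, Attempt and Link, the function resolve, and the chain entries and outcomes are all assumed or constructed for illustration; the credential names in the sample chain are taken from this page, except the hypothetical "developer-tool-2".

```rust
/// Credential class in the chain: developer-tool credentials (e.g. Azure CLI) versus hosting-environment ones.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind {
    Deployed,
    Developer,
}

/// Constructed outcome of one credential's token attempt. Unavailable: not configured here, so
/// skipped. Failed: retrieval was attempted and refused. Token: a token was obtained.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Attempt {
    Unavailable,
    Failed(&'static str),
    Token(&'static str),
}

pub struct Link {
    pub name: &'static str,
    pub kind: Kind,
    pub attempt: Attempt,
}

/// Walks the chain with the continuation policy: unavailable credentials and
/// failed developer credentials are recorded and the walk continues; a deployed
/// credential that attempted retrieval and failed stops the chain with an error.
pub fn resolve(chain: &[Link]) -> Result<(&'static str, &'static str), String> {
    let mut notes = Vec::new();
    for link in chain {
        match (link.kind, &link.attempt) {
            (_, Attempt::Token(t)) => return Ok((link.name, *t)),
            (_, Attempt::Unavailable) => notes.push(format!("{}: unavailable", link.name)),
            (Kind::Deployed, Attempt::Failed(e)) => {
                return Err(format!("{} failed: {}; chain stopped", link.name, e))
            }
            (Kind::Developer, Attempt::Failed(e)) => notes.push(format!("{}: {}", link.name, e)),
        }
    }
    Err(format!("no credential succeeded ({})", notes.join("; ")))
}

fn main() {
    // Constructed chain: managed identity unavailable, Azure CLI not signed in,
    // a hypothetical second developer tool succeeds.
    let chain = [
        Link { name: "ManagedIdentityCredential", kind: Kind::Deployed, attempt: Attempt::Unavailable },
        Link { name: "AzureCliCredential", kind: Kind::Developer, attempt: Attempt::Failed("not signed in") },
        Link { name: "developer-tool-2", kind: Kind::Developer, attempt: Attempt::Token("constructed-token") },
    ];
    println!("{:?}", resolve(&chain));
}
```

The second and third cases worth checking are a deployed credential that reaches the token endpoint and is refused (the chain stops immediately, so a later developer credential is never tried) and a chain in which nothing succeeds (every skipped credential is listed in the error).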

§Examples

The following examples are provided:

§Authenticate with DefaultAzureCredential

More details on configuring your environment to use DefaultAzureCredential can be found in the class’s reference documentation.

This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DefaultAzureCredential.

use azure_identity::DefaultAzureCredential;
use azure_security_keyvault_secrets::SecretClient;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Chains the hosting-environment and developer-tool credentials (see "Continuation policy").
    let credential = DefaultAzureCredential::new()?;
    // The client keeps a handle to the credential and uses it to authenticate each request.
    let client = SecretClient::new("https://your-key-vault-name.vault.azure.net/", credential.clone(), None)?;
    Ok(())
}

§Authenticate with ClientAssertionCredential

This example demonstrates how to use the ClientAssertionCredential in conjunction with VirtualMachineManagedIdentityCredential (constructed as ManagedIdentityCredential in the code below) in order to retrieve an access token as an app registration that a virtual machine identity has been federated for, which can be used in “service to service” authentication flows. For more details on this scenario, see Configure an application to trust a managed identity.

use azure_core::credentials::TokenCredential;
use azure_identity::{ClientAssertion, ClientAssertionCredential, ManagedIdentityCredential};
use std::sync::Arc;

/// Supplies the managed identity's token as the client assertion for the federated app registration.
#[derive(Debug)]
struct VmClientAssertion {
    credential: Arc<dyn TokenCredential>,
    scope: String,
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl ClientAssertion for VmClientAssertion {
    async fn secret(&self) -> azure_core::Result<String> {
        // The managed identity token, scoped to the token-exchange audience,
        // is the signed assertion presented to Microsoft Entra ID.
        Ok(self
            .credential
            .get_token(&[&self.scope])
            .await?
            .token
            .secret()
            .to_string())
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let assertion = VmClientAssertion {
        credential: ManagedIdentityCredential::new(None)?,
        scope: String::from("api://AzureADTokenExchange/.default"),
    };

    // Exchanges the managed identity assertion for a token issued to the federated app registration.
    let client_assertion_credential = ClientAssertionCredential::new(
        String::from("guid-for-aad-tenant-id"),
        String::from("guid-for-app-id-of-client-app-registration"),
        assertion,
        None,
    )?;

    let fic_scope = String::from("your-service-app.com/scope");
    let _fic_token = client_assertion_credential.get_token(&[&fic_scope]).await?;
    Ok(())
}

§Credential classes

§Credential chains

Credential | Usage
--- | ---
DefaultAzureCredential | Provides a simplified authentication experience to quickly start developing applications run in Azure.

§Authenticate Azure-hosted applications

Credential | Usage
--- | ---
WorkloadIdentityCredential | Supports Microsoft Entra Workload ID on Kubernetes.

§Authenticate service principals

Credential | Usage | Reference
--- | --- | ---
ClientCertificateCredential | Authenticates a service principal using a certificate. | Service principal authentication

§Authenticate via development tools

Credential | Usage | Reference
--- | --- | ---
AzureCliCredential | Authenticates in a development environment with the Azure CLI. | Azure CLI authentication

§Next steps

§Client library support

Client and management libraries listed on the Azure SDK release page that support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.

§Provide feedback

If you encounter bugs or have suggestions, open an issue.

§Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You’ll only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Structs§

AzureCliCredential (Non-WebAssembly)
Enables authentication to Azure Active Directory using Azure CLI to obtain an access token.
AzureCliCredentialOptions (Non-WebAssembly)
Options for constructing an AzureCliCredential.
AzurePipelinesCredential
AzurePipelinesCredentialOptions
Options for constructing a new AzurePipelinesCredential.
ClientAssertionCredential
Enables authentication of a Microsoft Entra service principal using a signed client assertion.
ClientAssertionCredentialOptions
Options for constructing a new ClientAssertionCredential.
ClientCertificateCredential (client_certificate feature)
Enables authentication to Azure Active Directory using a client certificate that was generated for an App Registration.
ClientCertificateCredentialOptions (client_certificate feature)
Provides options to configure how the Identity library makes authentication requests to Azure Active Directory.
ClientSecretCredential
Authenticates an application with a client secret.
ClientSecretCredentialOptions
Options for constructing a new ClientSecretCredential.
DefaultAzureCredential
Provides a default TokenCredential authentication flow for applications that will be deployed to Azure.
DefaultAzureCredentialBuilder
Provides a mechanism for selectively disabling credentials used for a DefaultAzureCredential instance.
ManagedIdentityCredential
Authenticates a managed identity from Azure App Service or an Azure Virtual Machine.
ManagedIdentityCredentialOptions
Options for constructing a new ManagedIdentityCredential.
TokenCredentialOptions
Provides options to configure how the Identity library makes authentication requests to Azure Active Directory.
WorkloadIdentityCredential
Enables authentication to Azure Active Directory using a client secret that was generated for an App Registration.
WorkloadIdentityCredentialOptions
Options for constructing a new WorkloadIdentityCredential.

Enums§

UserAssignedId
Identifies a specific user-assigned identity for ManagedIdentityCredential to authenticate.

Traits§

ClientAssertion
Represents an entity capable of supplying a client assertion.