§Azure Identity client library for Rust
The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Microsoft Entra token authentication.
Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation
§Getting started
§Install the package
Install the Azure Identity library for Rust with cargo:
cargo add azure_identity
§Prerequisites
- An Azure subscription.
- The Azure CLI can also be useful for authenticating in a development environment, creating accounts, and managing account roles.
§Authenticate during local development
When debugging and executing code locally, it’s typical for developers to use their own accounts for authenticating calls to Azure services. The Azure Identity library supports authenticating through developer tools to simplify local development.
§Authenticate via the Azure CLI
DeveloperToolsCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To sign in to the Azure CLI, run az login. On a system with a default web browser, the Azure CLI launches the browser to authenticate a user.
When no default browser is available, az login uses the device code authentication flow. This flow can also be selected manually by running az login --use-device-code.
§Key concepts
§Credentials
A credential is a struct that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept a credential instance when they’re constructed, and use that credential to authenticate requests.
The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID. It offers various credentials capable of acquiring a Microsoft Entra access token. See the Credential structures section for a list of this library’s credentials.
§Examples
§Authenticate with DeveloperToolsCredential
DeveloperToolsCredential simplifies authentication while developing apps. It attempts to authenticate via developer tools such as the Azure CLI, stopping when one succeeds. After receiving a token from a particular tool, it uses that tool for all subsequent token requests. See the type’s reference documentation for more details.
This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DeveloperToolsCredential.
    use azure_identity::DeveloperToolsCredential;
    use azure_security_keyvault_secrets::SecretClient;

    fn main() -> Result<(), Box<dyn std::error::Error>> {
        // Tries the supported developer tools in order and pins the first one that succeeds.
        let credential = DeveloperToolsCredential::new(None)?;
        let client = SecretClient::new(
            "https://your-key-vault-name.vault.azure.net/",
            credential.clone(),
            None,
        )?;
        Ok(())
    }
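The chaining behaviour described above (try each developer tool in order, stop at the first success, then use only that tool for later requests) is easy to get subtly wrong: a chain that keeps falling through on every call can silently switch identities mid-session. The following is an added, self-contained model of that behaviour; it is not code from the azure_identity crate. The Credential trait, ToolCredential and ChainedCredential types, and the "AzureCli"/"AzureDeveloperCli" tool names are constructed for this example and stand in for the library's TokenCredential and DeveloperToolsCredential.

```rust
use std::sync::{Arc, Mutex};

/// Simplified token: the secret plus an expiry in seconds since the epoch (constructed for this example).
#[derive(Clone, Debug, PartialEq)]
pub struct Token {
    pub secret: String,
    pub expires_at: u64,
}

/// Synchronous stand-in for the library's TokenCredential trait, so the example runs without tokio.
pub trait Credential: Send + Sync {
    fn name(&self) -> &str;
    fn get_token(&self, scope: &str, now: u64) -> Result<Token, String>;
}

/// A developer tool that is either unavailable (not installed / not logged in) or issues tokens.
pub struct ToolCredential {
    pub name: String,
    pub available: bool,
    /// Number of times this tool was asked for a token; used to show which tool the chain consults.
    pub calls: Mutex<u32>,
}

impl Credential for ToolCredential {
    fn name(&self) -> &str {
        &self.name
    }
    fn get_token(&self, scope: &str, now: u64) -> Result<Token, String> {
        *self.calls.lock().unwrap() += 1;
        if !self.available {
            return Err(format!("{}: not logged in", self.name));
        }
        Ok(Token { secret: format!("{}-token-for-{}", self.name, scope), expires_at: now + 3600 })
    }
}

/// Tries each source in order; once one succeeds, that source is pinned for every later request.
pub struct ChainedCredential {
    sources: Vec<Arc<dyn Credential>>,
    selected: Mutex<Option<usize>>,
}

impl ChainedCredential {
    pub fn new(sources: Vec<Arc<dyn Credential>>) -> Self {
        Self { sources, selected: Mutex::new(None) }
    }

    /// Name of the pinned source, if any request has succeeded yet.
    pub fn selected_source(&self) -> Option<String> {
        let selected = *self.selected.lock().unwrap();
        selected.map(|i| self.sources[i].name().to_string())
    }
}

impl Credential for ChainedCredential {
    fn name(&self) -> &str {
        "ChainedCredential"
    }
    fn get_token(&self, scope: &str, now: u64) -> Result<Token, String> {
        let mut selected = self.selected.lock().unwrap();
        if let Some(i) = *selected {
            // A source already succeeded: use it exclusively and surface its error instead of
            // falling through to another tool (which could change the identity mid-session).
            return self.sources[i].get_token(scope, now);
        }
        let mut errors = Vec::new();
        for (i, source) in self.sources.iter().enumerate() {
            match source.get_token(scope, now) {
                Ok(token) => {
                    *selected = Some(i);
                    return Ok(token);
                }
                Err(e) => errors.push(e),
            }
        }
        Err(format!("no credential in the chain succeeded: {}", errors.join("; ")))
    }
}

/// Runs a chain where the CLI is not logged in but the Developer CLI is, across two requests.
/// Returns (first secret, second secret, pinned source, CLI call count, Developer CLI call count).
pub fn demo_chain() -> (String, String, Option<String>, u32, u32) {
    let cli = Arc::new(ToolCredential { name: "AzureCli".into(), available: false, calls: Mutex::new(0) });
    let azd = Arc::new(ToolCredential { name: "AzureDeveloperCli".into(), available: true, calls: Mutex::new(0) });
    let sources: Vec<Arc<dyn Credential>> = vec![cli.clone(), azd.clone()];
    let chain = ChainedCredential::new(sources);
    let first = chain.get_token("https://vault.azure.net/.default", 1_700_000_000).unwrap();
    let second = chain.get_token("https://storage.azure.com/.default", 1_700_000_010).unwrap();
    let cli_calls = *cli.calls.lock().unwrap();
    let azd_calls = *azd.calls.lock().unwrap();
    (first.secret, second.secret, chain.selected_source(), cli_calls, azd_calls)
}

fn main() {
    let (first, second, selected, cli_calls, azd_calls) = demo_chain();
    println!("first={first}\nsecond={second}\npinned={selected:?}\ncli_calls={cli_calls} azd_calls={azd_calls}");
}
```

The point to notice is the call counts: the unavailable CLI is consulted exactly once, and the second request goes straight to the pinned tool. When you troubleshoot "wrong identity" problems with a chained credential, that pinning is what makes the first successful login during a process's lifetime the one that matters.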
§Authenticate with ClientAssertionCredential
This example demonstrates how to use the ClientAssertionCredential together with VirtualMachineManagedIdentityCredential to retrieve an access token as an app registration that a virtual machine identity has been federated for. The resulting token can be used in “service to service” authentication flows. For more details on this scenario, see Configure an application to trust a managed identity.
    use azure_core::credentials::TokenCredential;
    use azure_core::http::ClientMethodOptions;
    use azure_identity::{ClientAssertion, ClientAssertionCredential, ManagedIdentityCredential};
    use std::sync::Arc;

    /// Supplies the VM's managed identity token as the client assertion.
    #[derive(Debug)]
    struct VmClientAssertion {
        credential: Arc<dyn TokenCredential>,
        scope: String,
    }

    #[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
    #[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
    impl ClientAssertion for VmClientAssertion {
        async fn secret(&self, _: Option<ClientMethodOptions<'_>>) -> azure_core::Result<String> {
            // Request a managed identity token for the token-exchange audience and hand its
            // secret back as the assertion string.
            Ok(self
                .credential
                .get_token(&[&self.scope], None)
                .await?
                .token
                .secret()
                .to_string())
        }
    }

    #[tokio::main]
    async fn main() -> Result<(), Box<dyn std::error::Error>> {
        let assertion = VmClientAssertion {
            credential: ManagedIdentityCredential::new(None)?,
            scope: String::from("api://AzureADTokenExchange/.default"),
        };

        let client_assertion_credential = ClientAssertionCredential::new(
            String::from("guid-for-aad-tenant-id"),
            String::from("guid-for-app-id-of-client-app-registration"),
            assertion,
            None,
        )?;

        // Exchange the assertion for an access token for the target service, as the app registration.
        let fic_scope = String::from("your-service-app.com/scope");
        let fic_token = client_assertion_credential.get_token(&[&fic_scope], None).await?;

        Ok(())
    }
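To make the two hops of this flow concrete without an Azure subscription, the following is an added model of it: the managed identity issues a token for the exchange audience, the ClientAssertion supplies that token as the assertion, and a stand-in for the token endpoint checks the assertion's audience, expiry and federated subject before issuing a token as the app registration. It is not code from the azure_identity crate or from Microsoft; the ManagedIdentity and TokenExchange types, the "|"-separated assertion format (in place of a signed JWT), and the ids "tenant-id", "app-client-id", "vm-principal-id" and scope "api://your-service-app/.default" are all constructed for this example.

```rust
use std::collections::HashMap;

/// Audience a managed identity token must carry to be accepted as a client assertion (from the page's scope).
pub const EXCHANGE_AUDIENCE: &str = "api://AzureADTokenExchange";

/// Simplified token: subject (who it represents), audience (who may accept it) and expiry (seconds since epoch).
#[derive(Clone, Debug, PartialEq)]
pub struct Token {
    pub subject: String,
    pub audience: String,
    pub expires_at: u64,
}

/// Derives a token audience from a scope by dropping the "/.default" suffix.
fn audience_of(scope: &str) -> String {
    scope.trim_end_matches("/.default").to_string()
}

/// Stand-in for the managed identity endpoint on the VM (constructed for this example).
pub struct ManagedIdentity {
    pub principal_id: String,
}

impl ManagedIdentity {
    pub fn get_token(&self, scope: &str, now: u64) -> Token {
        Token { subject: self.principal_id.clone(), audience: audience_of(scope), expires_at: now + 3600 }
    }
}

/// Mirrors the page's ClientAssertion trait: something that supplies an assertion string on demand.
pub trait ClientAssertion {
    fn secret(&self, now: u64) -> Result<String, String>;
}

/// Mirrors the page's VmClientAssertion: the assertion is a managed identity token for the exchange audience.
pub struct VmClientAssertion {
    pub identity: ManagedIdentity,
    pub scope: String,
}

impl ClientAssertion for VmClientAssertion {
    fn secret(&self, now: u64) -> Result<String, String> {
        let t = self.identity.get_token(&self.scope, now);
        // Toy serialisation standing in for a signed JWT (constructed for this example).
        Ok(format!("{}|{}|{}", t.subject, t.audience, t.expires_at))
    }
}

/// Stand-in for the token endpoint of a tenant with federated identity credentials configured.
pub struct TokenExchange {
    pub tenant_id: String,
    /// App (client) id -> managed identity principal id that the app registration trusts.
    pub federated: HashMap<String, String>,
}

impl TokenExchange {
    /// Validates the assertion and, if it is acceptable, issues a token as the app registration.
    pub fn exchange(&self, tenant_id: &str, client_id: &str, assertion: &str, scope: &str, now: u64) -> Result<Token, String> {
        if tenant_id != self.tenant_id {
            return Err("unknown tenant".into());
        }
        let parts: Vec<&str> = assertion.split('|').collect();
        if parts.len() != 3 {
            return Err("malformed assertion".into());
        }
        let (subject, audience) = (parts[0], parts[1]);
        let exp: u64 = parts[2].parse().map_err(|_| "bad expiry".to_string())?;
        // The assertion must be addressed to the exchange, not to some other API the VM can call.
        if audience != EXCHANGE_AUDIENCE {
            return Err(format!("assertion audience {audience} is not {EXCHANGE_AUDIENCE}"));
        }
        if exp <= now {
            return Err("assertion expired".into());
        }
        // Only the managed identity federated for this app registration may act as it.
        match self.federated.get(client_id) {
            Some(trusted) if trusted.as_str() == subject => {}
            _ => return Err(format!("no federated credential on {client_id} trusts subject {subject}")),
        }
        Ok(Token { subject: client_id.to_string(), audience: audience_of(scope), expires_at: now + 3600 })
    }
}

/// Mirrors the page's ClientAssertionCredential: fetches an assertion and swaps it for an app token.
pub struct ClientAssertionCredential {
    pub tenant_id: String,
    pub client_id: String,
    pub assertion: Box<dyn ClientAssertion>,
}

impl ClientAssertionCredential {
    pub fn get_token(&self, exchange: &TokenExchange, scope: &str, now: u64) -> Result<Token, String> {
        let assertion = self.assertion.secret(now)?;
        exchange.exchange(&self.tenant_id, &self.client_id, &assertion, scope, now)
    }
}

/// Builds the exchange and credential with the constructed ids and requests a token for `assertion_scope`.
pub fn demo(assertion_scope: &str) -> Result<Token, String> {
    let mut federated = HashMap::new();
    federated.insert("app-client-id".to_string(), "vm-principal-id".to_string());
    let exchange = TokenExchange { tenant_id: "tenant-id".into(), federated };
    let credential = ClientAssertionCredential {
        tenant_id: "tenant-id".into(),
        client_id: "app-client-id".into(),
        assertion: Box::new(VmClientAssertion {
            identity: ManagedIdentity { principal_id: "vm-principal-id".into() },
            scope: assertion_scope.to_string(),
        }),
    };
    credential.get_token(&exchange, "api://your-service-app/.default", 1_700_000_000)
}

fn main() {
    println!("{:?}", demo("api://AzureADTokenExchange/.default"));
    println!("{:?}", demo("https://vault.azure.net/.default"));
}
```

The second call in main shows the failure mode worth remembering when wiring this up: a managed identity token requested for any other scope is a valid token but not a valid assertion, because its audience is not the exchange. The same model also rejects an expired assertion and a subject that no federated credential on the app registration trusts.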
§Credential structures
§Credential chains
| Credential | Usage |
|---|---|
| DeveloperToolsCredential | Provides a simplified authentication experience to quickly start developing applications. |
§Authenticate Azure-hosted applications
| Credential | Usage |
|---|---|
| ManagedIdentityCredential | Authenticates the managed identity of an Azure resource. |
| WorkloadIdentityCredential | Supports Microsoft Entra Workload ID on Kubernetes. |
§Authenticate service principals
| Credential | Usage | Reference |
|---|---|---|
| AzurePipelinesCredential | Supports Microsoft Entra Workload ID on Azure Pipelines. | |
| ClientAssertionCredential | Authenticates a service principal using a signed client assertion. | Service principal authentication |
| ClientCertificateCredential | Authenticates a service principal using a certificate. | Service principal authentication |
| ClientSecretCredential | Authenticates a service principal using a secret. | Service principal authentication |
§Authenticate via development tools
| Credential | Usage | Reference |
|---|---|---|
| AzureCliCredential | Authenticates in a development environment with the Azure CLI. | Azure CLI authentication |
| AzureDeveloperCliCredential | Authenticates in a development environment with the Azure Developer CLI. | Azure Developer CLI reference |
§Next steps
§Client library support
Client and management libraries listed on the Azure SDK release page that support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.
§Provide feedback
If you encounter bugs or have suggestions, open an issue.
§Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You’ll only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Structs§
- AzureCliCredential (Non-WebAssembly) - Authenticates the identity logged in to the Azure CLI.
- AzureCliCredentialOptions (Non-WebAssembly) - Options for constructing an AzureCliCredential.
- AzureDeveloperCliCredential (Non-WebAssembly) - Authenticates the identity logged in to the Azure Developer CLI.
- AzureDeveloperCliCredentialOptions (Non-WebAssembly) - Options for constructing an AzureDeveloperCliCredential.
- AzurePipelinesCredential - Enables authentication to Entra ID from Azure Pipelines.
- AzurePipelinesCredentialOptions - Options for constructing a new AzurePipelinesCredential.
- ClientAssertionCredential - Enables authentication of a Microsoft Entra service principal using a signed client assertion.
- ClientAssertionCredentialOptions - Options for constructing a new ClientAssertionCredential.
- ClientCertificateCredential (feature client_certificate) - Enables authentication to Azure Active Directory using a client certificate that was generated for an App Registration.
- ClientCertificateCredentialOptions (feature client_certificate) - Provides options to configure how the Identity library makes authentication requests to Azure Active Directory.
- ClientSecretCredential - Authenticates an application with a client secret.
- ClientSecretCredentialOptions - Options for constructing a new ClientSecretCredential.
- DeveloperToolsCredential (Non-WebAssembly) - Authenticates through developer tools such as the Azure CLI.
- DeveloperToolsCredentialOptions (Non-WebAssembly) - Options for constructing a new DeveloperToolsCredential.
- ManagedIdentityCredential - Authenticates a managed identity from Azure App Service or an Azure Virtual Machine.
- ManagedIdentityCredentialOptions - Options for constructing a new ManagedIdentityCredential.
- WorkloadIdentityCredential - Supports Azure workload identity on Kubernetes.
- WorkloadIdentityCredentialOptions - Options for constructing a new WorkloadIdentityCredential.
Enums§
- UserAssignedId - Identifies a specific user-assigned identity for ManagedIdentityCredential to authenticate.
Traits§
- ClientAssertion - Represents an entity capable of supplying a client assertion.
- Executor (Non-WebAssembly) - An async command runner.
Functions§
- new_executor (Non-WebAssembly) - Creates a new Executor.