21 breaking releases
| new 0.22.0 | Feb 18, 2025 |
|---|---|
| 0.21.0 | Oct 15, 2024 |
| 0.20.0 | Apr 24, 2024 |
| 0.19.0 | Jan 5, 2024 |
| 0.1.1 | Jan 25, 2022 |
#16 in Authentication
163,488 downloads per month
Used in 28 crates
(21 directly)
505KB
11K
SLoC
Azure Identity client library for Rust
The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Microsoft Entra token authentication.
Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation
Getting started
Install the package
Install the Azure Identity library for Rust with cargo:
cargo add azure_identity
Prerequisites
- An Azure subscription.
- The Azure CLI can also be useful for authenticating in a development environment, creating accounts, and managing account roles.
Authenticate during local development
When debugging and executing code locally, it's typical for developers to use their own accounts for authenticating calls to Azure services. The Azure Identity library supports authenticating through developer tools to simplify local development.
Authenticate via the Azure CLI
DefaultAzureCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To sign in to the Azure CLI, run az login. On a system with a default web browser, the Azure CLI launches the browser to authenticate a user.
When no default browser is available, az login uses the device code authentication flow. This flow can also be selected manually by running az login --use-device-code.
Key concepts
Credentials
A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept a credential instance when they're constructed, and use that credential to authenticate requests.
The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID. It offers various credential classes capable of acquiring a Microsoft Entra access token. See the Credential classes section for a list of this library's credential classes.
DefaultAzureCredential
DefaultAzureCredential simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development.
Continuation policy
DefaultAzureCredential attempts to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so DefaultAzureCredential will continue to the next credential in the flow. Deployed service credentials stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one.
This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.
Examples
The following examples are provided:
Authenticate with DefaultAzureCredential
More details on configuring your environment to use DefaultAzureCredential can be found in the class's reference documentation.
This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DefaultAzureCredential.
use azure_identity::DefaultAzureCredential;
use azure_security_keyvault_secrets::SecretClient;
fn main() -> Result<(), Box<dyn std::error::Error>> {
let credential = DefaultAzureCredential::new()?;
let client = SecretClient::new("https://your-key-vault-name.vault.azure.net/", credential.clone(), None)?;
Ok(())
}
Credential classes
Credential chains
| Credential | Usage |
|---|---|
DefaultAzureCredential |
Provides a simplified authentication experience to quickly start developing applications run in Azure. |
Authenticate Azure-hosted applications
| Credential | Usage |
|---|---|
ImdsManagedIdentityCredential |
Authenticates the managed identity of an Azure resource. |
WorkloadIdentityCredential |
Supports Microsoft Entra Workload ID on Kubernetes. |
Authenticate service principals
| Credential | Usage | Reference |
|---|---|---|
ClientCertificateCredential |
Authenticates a service principal using a certificate. | Service principal authentication |
Authenticate via development tools
| Credential | Usage | Reference |
|---|---|---|
AzureCliCredential |
Authenticates in a development environment with the Azure CLI. | Azure CLI authentication |
Next steps
Client library support
Client and management libraries listed on the Azure SDK release pagethat support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.
Provide feedback
If you encounter bugs or have suggestions, open an issue.
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.
When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You'll only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Dependencies
~10–25MB
~368K SLoC