Lib.rs

Network programming | AuthenticationAzure
#iot #azure-api #cloud-iot #azure #sdk

azure_identity

Rust wrappers around Microsoft Azure REST APIs - Azure identity helper crate

by Patrick Hallisey, Heath Stewart, Azure, Azure SDK Bot and 2 contributors

23 breaking releases

new 0.24.0 May 6, 2025
0.22.0 Feb 18, 2025
0.21.0 Oct 15, 2024
0.20.0 Apr 24, 2024
0.1.1 Jan 25, 2022

#23 in Network programming

Download history 19889/week @ 2025-01-15 27559/week @ 2025-01-22 31981/week @ 2025-01-29 59918/week @ 2025-02-05 60639/week @ 2025-02-12 48410/week @ 2025-02-19 56323/week @ 2025-02-26 45482/week @ 2025-03-05 74943/week @ 2025-03-12 989599/week @ 2025-03-19 357294/week @ 2025-03-26 288401/week @ 2025-04-02 244342/week @ 2025-04-09 107630/week @ 2025-04-16 94601/week @ 2025-04-23 95086/week @ 2025-04-30

606,328 downloads per month
Used in 33 crates (25 directly)

MIT license

490KB
10K SLoC

Azure Identity client library for Rust

The Azure Identity library provides Microsoft Entra ID (formerly Azure Active Directory) token authentication support across the Azure SDK. It provides a set of TokenCredential implementations that can be used to construct Azure SDK clients that support Microsoft Entra token authentication.

Source code | Package (crates.io) | API reference documentation | Microsoft Entra ID documentation

Getting started

Install the package

Install the Azure Identity library for Rust with cargo:

cargo add azure_identity

Prerequisites

  • An Azure subscription.
  • The Azure CLI can also be useful for authenticating in a development environment, creating accounts, and managing account roles.

Authenticate during local development

When debugging and executing code locally, it's typical for developers to use their own accounts for authenticating calls to Azure services. The Azure Identity library supports authenticating through developer tools to simplify local development.

Authenticate via the Azure CLI

DefaultAzureCredential and AzureCliCredential can authenticate as the user signed in to the Azure CLI. To sign in to the Azure CLI, run az login. On a system with a default web browser, the Azure CLI launches the browser to authenticate a user.

When no default browser is available, az login uses the device code authentication flow. This flow can also be selected manually by running az login --use-device-code.

Key concepts

Credentials

A credential is a class that contains or can obtain the data needed for a service client to authenticate requests. Service clients across the Azure SDK accept a credential instance when they're constructed, and use that credential to authenticate requests.

The Azure Identity library focuses on OAuth authentication with Microsoft Entra ID. It offers various credential classes capable of acquiring a Microsoft Entra access token. See the Credential classes section for a list of this library's credential classes.

DefaultAzureCredential

DefaultAzureCredential simplifies authentication while developing apps that deploy to Azure by combining credentials used in Azure hosting environments with credentials used in local development.

Continuation policy

DefaultAzureCredential attempts to authenticate with all developer credentials until one succeeds, regardless of any errors previous developer credentials experienced. For example, a developer credential may attempt to get a token and fail, so DefaultAzureCredential will continue to the next credential in the flow. Deployed service credentials stop the flow with a thrown exception if they're able to attempt token retrieval, but don't receive one.

This allows for trying all of the developer credentials on your machine while having predictable deployed behavior.

Examples

The following examples are provided:

Authenticate with DefaultAzureCredential

More details on configuring your environment to use DefaultAzureCredential can be found in the class's reference documentation.

This example demonstrates authenticating the SecretClient from the azure_security_keyvault_secrets crate using DefaultAzureCredential.

use azure_identity::DefaultAzureCredential;
use azure_security_keyvault_secrets::SecretClient;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let credential = DefaultAzureCredential::new()?;
    let client = SecretClient::new("https://your-key-vault-name.vault.azure.net/", credential.clone(), None)?;
    Ok(())
}

Authenticate with ClientAssertionCredential

This example demonstrates how to use the ClientAssertionCredential in conjunction with VirtualMachineManagedIdentityCredential in order to retrieve an access token as an app registration that a virtual machine identity has been federated for, which can be used in "service to service" authentication flows. For more details on this scenario see Configure an application to trust a managed identity

use azure_core::credentials::{AccessToken, TokenCredential};
use azure_identity::{ClientAssertion, ClientAssertionCredential, TokenCredentialOptions, ManagedIdentityCredential};
use std::sync::Arc;

#[derive(Debug)]
struct VmClientAssertion {
    credential: Arc<dyn TokenCredential>,
    scope: String,
}

#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
impl ClientAssertion for VmClientAssertion {
    async fn secret(&self) -> azure_core::Result<String> {
        Ok(self
            .credential
            .get_token(&[&self.scope])
            .await?
            .token
            .secret()
            .to_string())
    }
}

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
        let assertion = VmClientAssertion {
        credential: ManagedIdentityCredential::new(None)?,
        scope: String::from("api://AzureADTokenExchange/.default"),
    };

    let client_assertion_credential = ClientAssertionCredential::new(
        String::from("guid-for-aad-tenant-id"),
        String::from("guid-for-app-id-of-client-app-registration"),
        assertion,
        None,
    )?;

    let fic_scope = String::from("your-service-app.com/scope");
    let fic_token = client_assertion_credential.get_token(&[&fic_scope]).await?;
    Ok(())
}

Credential classes

Credential chains

Credential Usage
DefaultAzureCredential Provides a simplified authentication experience to quickly start developing applications run in Azure.

Authenticate Azure-hosted applications

Credential Usage
WorkloadIdentityCredential Supports Microsoft Entra Workload ID on Kubernetes.

Authenticate service principals

Credential Usage Reference
ClientCertificateCredential Authenticates a service principal using a certificate. Service principal authentication

Authenticate via development tools

Credential Usage Reference
AzureCliCredential Authenticates in a development environment with the Azure CLI. Azure CLI authentication

Next steps

Client library support

Client and management libraries listed on the Azure SDK release pagethat support Microsoft Entra authentication accept credentials from this library. You can learn more about using these libraries in their documentation, which is available at Docs.rs.

Provide feedback

If you encounter bugs or have suggestions, open an issue.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.microsoft.com.

When you submit a pull request, a CLA-bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions provided by the bot. You'll only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

Dependencies

~8–23MB
~337K SLoC