azure-identity-rust
Azure Identity SDK for Rust authentication. Use for DeveloperToolsCredential, ManagedIdentityCredential, ClientSecretCredential, and token-based authentication.
- risk: unknown
- source: community
- date added: 2026-02-27
Azure Identity SDK for Rust
Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).
Installation
```bash
cargo add azure_identity
```
Environment Variables
```bash
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```
DeveloperToolsCredential
The recommended credential for local development. Tries developer tools in order (Azure CLI, Azure Developer CLI):
```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = SecretClient::new(
    "https://my-vault.vault.azure.net/",
    credential.clone(),
    None,
)?;
```
Credential Chain Order
| Order | Credential | Environment |
|---|---|---|
| 1 | AzureCliCredential | az login |
| 2 | AzureDeveloperCliCredential | azd auth login |
Credential Types
| Credential | Usage |
|---|---|
| DeveloperToolsCredential | Local development - tries CLI tools |
| ManagedIdentityCredential | Azure VMs, App Service, Functions, AKS |
| WorkloadIdentityCredential | Kubernetes workload identity |
| ClientSecretCredential | Service principal with secret |
| ClientCertificateCredential | Service principal with certificate |
| AzureCliCredential | Direct Azure CLI auth |
| AzureDeveloperCliCredential | Direct azd CLI auth |
| AzurePipelinesCredential | Azure Pipelines service connection |
| ClientAssertionCredential | Custom assertions (federated identity) |
ManagedIdentityCredential
For Azure-hosted resources:
```rust
use azure_identity::{
    ManagedIdentityCredential, ManagedIdentityCredentialOptions, UserAssignedId,
};

// System-assigned managed identity
let credential = ManagedIdentityCredential::new(None)?;

// User-assigned managed identity, selected by its client ID
let options = ManagedIdentityCredentialOptions {
    user_assigned_id: Some(UserAssignedId::ClientId(
        "<user-assigned-mi-client-id>".into(),
    )),
    ..Default::default()
};
let credential = ManagedIdentityCredential::new(Some(options))?;
```
ClientSecretCredential
For service principal with secret:
```rust
use azure_identity::ClientSecretCredential;

let credential = ClientSecretCredential::new(
    "<tenant-id>".into(),
    "<client-id>".into(),
    "<client-secret>".into(),
    None,
)?;
```
Best Practices
- Use `DeveloperToolsCredential` for local dev — automatically picks up Azure CLI
- Use `ManagedIdentityCredential` in production — no secrets to manage
- Clone credentials — credentials are `Arc`-wrapped and cheap to clone
- Reuse credential instances — same credential can be used with multiple clients
- Use `tokio` feature — `cargo add azure_identity --features tokio`
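The Environment Variables section uses `AZURE_CLIENT_ID` both for a service principal and for a user-assigned managed identity, so a half-set service principal can look like a managed-identity request. The following startup check is an added example, not code from this page or from the Azure SDK. It uses only the standard library and builds no credential. `Plan` and `plan_credential` are hypothetical names, and treating a partial configuration as an error is this example's own policy.

```rust
use std::collections::HashMap;

/// What the variables from "Environment Variables" ask for (hypothetical type).
#[derive(Debug, PartialEq)]
enum Plan {
    /// All three service principal variables set: ClientSecretCredential.
    ClientSecret { tenant_id: String, client_id: String },
    /// Only AZURE_CLIENT_ID set: user-assigned ManagedIdentityCredential.
    UserAssignedManagedIdentity { client_id: String },
    /// Nothing set: system-assigned managed identity or DeveloperToolsCredential.
    NoExplicitIdentity,
}

/// Classify the environment. Blank values count as unset, and a partial
/// service principal is an error instead of a silent fall-through to a
/// different identity. The secret never enters the plan or the error text.
fn plan_credential(env: &HashMap<String, String>) -> Result<Plan, String> {
    let get = |key: &str| {
        env.get(key).map(|v| v.trim()).filter(|v| !v.is_empty()).map(str::to_owned)
    };
    let tenant = get("AZURE_TENANT_ID");
    let client = get("AZURE_CLIENT_ID");
    let secret = get("AZURE_CLIENT_SECRET");
    match (tenant, client, secret) {
        (Some(tenant_id), Some(client_id), Some(_)) => {
            Ok(Plan::ClientSecret { tenant_id, client_id })
        }
        (None, Some(client_id), None) => Ok(Plan::UserAssignedManagedIdentity { client_id }),
        (None, None, None) => Ok(Plan::NoExplicitIdentity),
        (t, c, s) => {
            let checks = [
                ("AZURE_TENANT_ID", t.is_none()),
                ("AZURE_CLIENT_ID", c.is_none()),
                ("AZURE_CLIENT_SECRET", s.is_none()),
            ];
            let missing: Vec<&str> =
                checks.iter().filter(|(_, absent)| *absent).map(|(name, _)| *name).collect();
            Err(format!("incomplete service principal config, missing: {}", missing.join(", ")))
        }
    }
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    match plan_credential(&env) {
        Ok(plan) => println!("{plan:?}"),
        Err(e) => { eprintln!("{e}"); std::process::exit(1) }
    }
}
```

Run it before constructing any credential, so a deployment that lost one variable stops at startup instead of authenticating as an identity nobody intended.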
Reference Links
| Resource | Link |
|---|---|
| API Reference | https://docs.rs/azure_identity |
| Source Code | https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/identity/azure_identity |
| crates.io | https://crates.io/crates/azure_identity |
When to Use
Use this skill when carrying out the workflow or actions described in the overview.