---
name: azure-identity-rust
description: |
  Azure Identity library for Rust. Microsoft Entra ID authentication for all Azure SDK clients.
  Triggers: "azure identity rust", "DeveloperToolsCredential", "authentication rust", "managed identity rust", "credential rust", "Entra ID rust".
license: MIT
metadata:
  author: Microsoft
  package: azure_identity
---
Azure Identity library for Rust
Microsoft Entra ID authentication for Azure SDK clients.
Use this skill when:
- An app needs to authenticate to Azure services from Rust
- You need `DeveloperToolsCredential` for local development
- You need `ManagedIdentityCredential` for Azure-hosted workloads
- You need service principal auth with secret or certificate
IMPORTANT: Only use official `azure_*` crates published by the azure-sdk crates.io user. Do NOT use the deprecated `azure_sdk_*` crates (MindFlavor/AzureSDKForRust) or community crates. Official crates use underscores in names and none have version 0.21.0.
Note: The Rust SDK does not have `DefaultAzureCredential`. Use `DeveloperToolsCredential` for local development and `ManagedIdentityCredential` for production.
Installation
```sh
cargo add azure_identity tokio
```
Do not add `azure_core` directly to `Cargo.toml`. It is re-exported by service crates.
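The crate rules above (official `azure_*` names only, no `azure_sdk_*`, no version 0.21.0, no direct `azure_core` entry) can be checked in CI before a build pulls anything. The lint below is an added example, not part of the Azure SDK or the original page; `Finding`, `lint_dependencies`, the sample manifest and its crate names are hypothetical, and the parser is a simplified std-only line scan.

```rust
// Assumption: one `name = spec` entry per line; `[dependencies.<name>]` tables are not handled.
#[derive(Debug, PartialEq)]
enum Finding {
    DeprecatedCrate(String), // azure_sdk_* (MindFlavor/AzureSDKForRust)
    HyphenatedName(String),  // official crates use underscores
    SuspectVersion(String),  // no official crate has version 0.21.0
    DirectAzureCore,         // azure_core is re-exported by service crates
}

fn lint_dependencies(cargo_toml: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut in_deps = false;
    for raw in cargo_toml.lines() {
        let line = raw.split('#').next().unwrap_or("").trim(); // drop comments
        if line.starts_with('[') {
            // Matches [dependencies], [dev-dependencies], [build-dependencies], ...
            in_deps = line.trim_end_matches(']').ends_with("dependencies");
            continue;
        }
        let Some((name, spec)) = line.split_once('=') else { continue };
        let name = name.trim().trim_matches('"');
        if !in_deps || !name.starts_with("azure") { continue; }
        if name.starts_with("azure_sdk_") {
            findings.push(Finding::DeprecatedCrate(name.to_string()));
        } else if name.contains('-') {
            findings.push(Finding::HyphenatedName(name.to_string()));
        } else if name == "azure_core" {
            findings.push(Finding::DirectAzureCore);
        }
        if spec.contains("\"0.21.0\"") {
            findings.push(Finding::SuspectVersion(name.to_string()));
        }
    }
    findings
}

// Constructed manifest: azure_sdk_example, azure-example and "0.0.0" are placeholders.
const SAMPLE: &str = r#"
[package]
name = "demo"
[dependencies]
azure_identity = "0.0.0"
azure_sdk_example = "0.21.0"
azure-example = { version = "0.21.0" }
azure_core = "0.0.0"
tokio = { version = "1", features = ["full"] }
"#;

fn main() {
    lint_dependencies(SAMPLE).iter().for_each(|f| println!("{f:?}"));
}
```

A non-empty result is a reason to fail the pipeline and review the manifest by hand; the check covers crate names and versions only, not who published the crate.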
Environment Variables
```sh
AZURE_TENANT_ID=<your-tenant-id>          # Required for service principal auth
AZURE_CLIENT_ID=<your-client-id>          # Required for service principal or user-assigned managed identity
AZURE_CLIENT_SECRET=<your-client-secret>  # Required for ClientSecretCredential
```
Authentication
DeveloperToolsCredential (Local Development)
Tries Azure CLI then Azure Developer CLI:
```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Local dev: DeveloperToolsCredential. Production: use ManagedIdentityCredential.
    let credential = DeveloperToolsCredential::new(None)?;
    let client = SecretClient::new(
        "https://<vault-name>.vault.azure.net/",
        credential.clone(),
        None,
    )?;
    let secret = client.get_secret("secret-name", None).await?.into_model()?;
    println!("Secret: {:?}", secret.value);
    Ok(())
}
```
Ensure you are logged in:
```sh
az login        # Azure CLI
azd auth login  # or Azure Developer CLI
```
| Order | Credential | Login Command |
|---|---|---|
| 1 | AzureCliCredential | az login |
| 2 | AzureDeveloperCliCredential | azd auth login |
ManagedIdentityCredential (Production)
For Azure-hosted resources (VMs, App Service, Functions, AKS):
```rust
use azure_identity::{ManagedIdentityCredential, ManagedIdentityCredentialOptions};

// System-assigned managed identity
let credential = ManagedIdentityCredential::new(None)?;

// User-assigned managed identity
let options = ManagedIdentityCredentialOptions {
    client_id: Some("<managed-identity-client-id>".into()),
    ..Default::default()
};
let credential = ManagedIdentityCredential::new(Some(options))?;
```
ClientSecretCredential (Service Principal)
For CI/CD pipelines and service accounts:
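```rust
use azure_identity::ClientSecretCredential;

// The literals are placeholders: load the real values from AZURE_TENANT_ID,
// AZURE_CLIENT_ID and AZURE_CLIENT_SECRET instead of hardcoding them.
let credential = ClientSecretCredential::new(
    "<tenant-id>",
    "<client-id>",
    "<client-secret>",
    None,
)?;
```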
Credential Types
| Credential | Use Case |
|---|---|
| DeveloperToolsCredential | Local development — tries CLI tools |
| ManagedIdentityCredential | Azure VMs, App Service, Functions, AKS |
| WorkloadIdentityCredential | Kubernetes workload identity |
| ClientSecretCredential | Service principal with secret |
| ClientCertificateCredential | Service principal with certificate |
| AzureCliCredential | Direct Azure CLI auth |
| AzureDeveloperCliCredential | Direct azd CLI auth |
| AzurePipelinesCredential | Azure Pipelines service connection |
| ClientAssertionCredential | Custom assertions (federated identity) |
Best Practices
- Use `DeveloperToolsCredential` for local dev, `ManagedIdentityCredential` for production — the Rust SDK does not have `DefaultAzureCredential`
- Never hardcode credentials — use environment variables for service principals
- Clone credentials — pass `credential.clone()` when constructing multiple clients; credentials are `Arc`-wrapped
- Reuse clients — clients are thread-safe; create once, share across tasks
- Assign RBAC roles — ensure the identity has appropriate roles for the target service (e.g., "Key Vault Secrets User" for secret reads)
Reference Links
| Resource | Link |
|---|---|
| API Reference | https://docs.rs/azure_identity |
| crates.io | https://crates.io/crates/azure_identity |