azure-identity-rust

// Azure Identity SDK for Rust authentication. Use for DeveloperToolsCredential, ManagedIdentityCredential, ClientSecretCredential, and token-based authentication. Triggers: "azure-identity", "DeveloperToolsCredential", "authentication rust", "managed identity rust", "credential rust".

Updated: March 4, 2026
SKILL.md Frontmatter

name: azure-identity-rust
description: Azure Identity library for Rust. Microsoft Entra ID authentication for all Azure SDK clients. Triggers: "azure identity rust", "DeveloperToolsCredential", "authentication rust", "managed identity rust", "credential rust", "Entra ID rust".
license: MIT

Azure Identity library for Rust

Microsoft Entra ID authentication for Azure SDK clients.

Use this skill when:

  • An app needs to authenticate to Azure services from Rust
  • You need DeveloperToolsCredential for local development
  • You need ManagedIdentityCredential for Azure-hosted workloads
  • You need service principal auth with secret or certificate

IMPORTANT: Only use official azure_* crates published by the azure-sdk crates.io user. Do NOT use the deprecated azure_sdk_* crates (MindFlavor/AzureSDKForRust) or community crates. Official crates use underscores in names and none have version 0.21.0.

Note: The Rust SDK does not have DefaultAzureCredential. Use DeveloperToolsCredential for local development and ManagedIdentityCredential for production.

Installation

cargo add azure_identity tokio

Do not add azure_core directly to Cargo.toml. It is re-exported by service crates.

Environment Variables

AZURE_TENANT_ID=<your-tenant-id>         # Required for service principal auth
AZURE_CLIENT_ID=<your-client-id>         # Required for service principal or user-assigned managed identity
AZURE_CLIENT_SECRET=<your-client-secret> # Required for ClientSecretCredential

Authentication

DeveloperToolsCredential (Local Development)

Tries Azure CLI then Azure Developer CLI:

use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Local dev: DeveloperToolsCredential. Production: use ManagedIdentityCredential.
    let credential = DeveloperToolsCredential::new(None)?;
    let client = SecretClient::new(
        "https://<vault-name>.vault.azure.net/",
        credential.clone(),
        None,
    )?;

    let secret = client.get_secret("secret-name", None).await?.into_model()?;
    println!("Secret: {:?}", secret.value);
    Ok(())
}

Ensure you are logged in:

az login        # Azure CLI
azd auth login  # or Azure Developer CLI

| Order | Credential | Login Command |
|-------|------------|---------------|
| 1 | AzureCliCredential | az login |
| 2 | AzureDeveloperCliCredential | azd auth login |

ManagedIdentityCredential (Production)

For Azure-hosted resources (VMs, App Service, Functions, AKS):

use azure_identity::{ManagedIdentityCredential, ManagedIdentityCredentialOptions};

// System-assigned managed identity
let credential = ManagedIdentityCredential::new(None)?;

// User-assigned managed identity
let options = ManagedIdentityCredentialOptions {
    client_id: Some("<managed-identity-client-id>".into()),
    ..Default::default()
};
let credential = ManagedIdentityCredential::new(Some(options))?;

ClientSecretCredential (Service Principal)

For CI/CD pipelines and service accounts:

use azure_identity::ClientSecretCredential;

let credential = ClientSecretCredential::new(
    "<tenant-id>",
    "<client-id>",
    "<client-secret>",
    None,
)?;

Credential Types

| Credential | Use Case |
|------------|----------|
| DeveloperToolsCredential | Local development — tries CLI tools |
| ManagedIdentityCredential | Azure VMs, App Service, Functions, AKS |
| WorkloadIdentityCredential | Kubernetes workload identity |
| ClientSecretCredential | Service principal with secret |
| ClientCertificateCredential | Service principal with certificate |
| AzureCliCredential | Direct Azure CLI auth |
| AzureDeveloperCliCredential | Direct azd CLI auth |
| AzurePipelinesCredential | Azure Pipelines service connection |
| ClientAssertionCredential | Custom assertions (federated identity) |

Best Practices

  1. Use DeveloperToolsCredential for local dev, ManagedIdentityCredential for production — the Rust SDK does not have DefaultAzureCredential
  2. Never hardcode credentials — use environment variables for service principals
  3. Clone credentials — pass credential.clone() when constructing multiple clients; credentials are Arc-wrapped
  4. Reuse clients — clients are thread-safe; create once, share across tasks
  5. Assign RBAC roles — ensure the identity has appropriate roles for the target service (e.g., "Key Vault Secrets User" for secret reads)
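Because there is no DefaultAzureCredential, the choice of credential has to be made explicitly. The sketch below is an added example, not code from this skill or from the azure_identity crate: it uses only the standard library to decide which credential to build from the environment variables listed above, fails closed on a partial service-principal configuration, and keeps the secret out of Debug output. The names `Plan`, `Redacted`, `select` and the `production` flag are hypothetical.

```rust
use std::{collections::HashMap, fmt};

/// Wraps a secret so that Debug output (logs, panics) never prints its value.
pub struct Redacted(pub String);
impl fmt::Debug for Redacted {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

/// Hypothetical plan type: each variant names the azure_identity credential to build.
#[derive(Debug)]
pub enum Plan {
    ClientSecret { tenant_id: String, client_id: String, secret: Redacted },
    UserAssignedManagedIdentity { client_id: String },
    SystemAssignedManagedIdentity,
    DeveloperTools,
}

/// `env` stands in for the process environment. `production` is an explicit,
/// caller-supplied flag (an assumption of this example), never inferred.
pub fn select(env: &HashMap<&str, &str>, production: bool) -> Result<Plan, String> {
    // Empty or whitespace-only values count as unset.
    let var = |k: &str| env.get(k).map(|v| v.trim()).filter(|v| !v.is_empty()).map(String::from);
    match (var("AZURE_TENANT_ID"), var("AZURE_CLIENT_ID"), var("AZURE_CLIENT_SECRET")) {
        (Some(tenant_id), Some(client_id), Some(s)) =>
            Ok(Plan::ClientSecret { tenant_id, client_id, secret: Redacted(s) }),
        // A secret without its tenant and client ID is a misconfiguration: fail
        // closed rather than quietly authenticating as a different identity.
        (_, _, Some(_)) =>
            Err("AZURE_CLIENT_SECRET is set but AZURE_TENANT_ID or AZURE_CLIENT_ID is missing".into()),
        (_, Some(client_id), None) if production => Ok(Plan::UserAssignedManagedIdentity { client_id }),
        (_, None, None) if production => Ok(Plan::SystemAssignedManagedIdentity),
        // Developer CLI logins are selected only outside production.
        _ => Ok(Plan::DeveloperTools),
    }
}

fn main() {
    // Constructed sample environments, not real identifiers.
    let ci = HashMap::from([
        ("AZURE_TENANT_ID", "tenant-0000"),
        ("AZURE_CLIENT_ID", "client-0000"),
        ("AZURE_CLIENT_SECRET", "s3cr3t"),
    ]);
    println!("{:?}", select(&ci, true)); // the secret prints as <redacted>
    println!("{:?}", select(&HashMap::from([("AZURE_CLIENT_SECRET", "s3cr3t")]), true));
    println!("{:?}", select(&HashMap::new(), true));
}
```

Each `Plan` variant maps to one of the constructors shown in the Authentication section; in a real program the map would be filled from `std::env::vars()`.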

Reference Links