Edit

Share via

Authenticate Rust apps to Azure services

Rust applications must authenticate to Azure services such as Storage, Key Vault, or Cosmos DB. This article explains how to use the Azure Identity crate to securely authenticate Rust apps in local development and server environments, improving security and simplifying credential management.

The recommended approach is to have your apps use token-based authentication, rather than connection strings or keys, when authenticating to Azure resources. The azure_identity crate provides token-based authentication and enables apps to seamlessly authenticate to Azure resources whether the app is in local development, deployed to Azure, or deployed to an on-premises server.

The specific type of token-based authentication an app should use to authenticate to Azure resources depends on where the app is running.

Environment Authentication
Local When a developer runs an app during local development - The app can authenticate to Azure using the developer's local credentials. These options are provided in more detail in the crates.io: Authenticate with development tools.
Azure When an app is hosted on Azure - The app should authenticate to Azure resources using a managed identity. This option is discussed in more detail in the crates.io documentation: Authenticate Azure-hosted applications.
On-premises When an app is hosted and deployed on-premises - The app should authenticate to Azure resources using an application service principal. This option is discussed in the crates.io documentation: Authenticate service principals.

Advantages of token-based authentication

When building apps for Azure, we strongly recommend using token-based authentication instead of secrets like connection strings or keys.

Token-based authentication Secrets (connection strings and keys)
Principle of least privilege, establish the specific permissions needed by the app on the Azure resource. A connection string or key grants full rights to the Azure resource.
There's no application secret to store. Must store and rotate secrets in app setting or environment variable.
The Azure Identity library manages tokens for you behind the scenes. This makes using token-based authentication as easy to use as a connection string. Secrets aren't managed.

Use of connection strings should be limited to initial proof of concept apps or development prototypes that don't access production or sensitive data. Otherwise, the token-based authentication classes available in the Azure Identity library should always be preferred when authenticating to Azure resources.

Authenticate during local development

When an application is run on a developer's workstation during local development, the local environment must still authenticate to any Azure services used by the app.

Authenticate with Azure CLI credential

The Azure CLI credential uses the authentication state of the Azure CLI to authenticate your Rust application. This credential is ideal for local development when you're already signed in with az login.

use azure_identity::AzureCliCredential;
use azure_security_keyvault_secrets::SecretClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {

    dotazure::load()?;

    let vault_url = std::env::var("AZURE_KEYVAULT_URL")
        .map_err(|_| "AZURE_KEYVAULT_URL environment variable is required")?;

    let credential = AzureCliCredential::new(None)?;

    let client = SecretClient::new(&vault_url, credential.clone(), None)?;

    Ok(())
}

Authenticate with Azure Developer CLI credential

The Azure Developer CLI credential uses the authentication state of the Azure Developer CLI (azd) to authenticate your application. This credential is useful when working with azd templates and workflows.

use azure_identity::AzureDeveloperCliCredential;
use azure_security_keyvault_secrets::SecretClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {

    dotazure::load()?;

    let vault_url = std::env::var("AZURE_KEYVAULT_URL")
        .map_err(|_| "AZURE_KEYVAULT_URL environment variable is required")?;

    let credential = AzureDeveloperCliCredential::new(None)?;

    let client = SecretClient::new(&vault_url, credential.clone(), None)?;

    Ok(())
}

Authenticate in server environments

In server environments, use managed identities for secure, passwordless authentication. Managed identities are automatically created and managed by Azure, so your application can authenticate without needing to store credentials.

When hosting in a server environment, assign a unique application identity to each application for each environment. In Azure, an app identity is represented by a service principal, a special type of security principal that identifies and authenticates apps to Azure. The type of service principal you use for your app depends on where your app runs.

use azure_identity::{ManagedIdentityCredential, ManagedIdentityCredentialOptions, UserAssignedId};
use azure_security_keyvault_secrets::SecretClient;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {

    dotazure::load()?;

    let vault_url = std::env::var("AZURE_KEYVAULT_URL")
        .map_err(|_| "AZURE_KEYVAULT_URL environment variable is required")?;

    let user_assigned_id: Option<UserAssignedId> = std::env::var("AZURE_USER_ASSIGNED_IDENTITY")
        .ok()
        .map(|id| UserAssignedId::ClientId(id.clone()));

    let credential_options = ManagedIdentityCredentialOptions {
        user_assigned_id,
        ..Default::default()
    };

    let credential = ManagedIdentityCredential::new(Some(credential_options))?;

    let client = SecretClient::new(vault_url.as_str(), credential.clone(), None)?;

    Ok(())
}

Sample code

The code shown in this article is available on https://github.com/azure-samples/azure-sdk-for-rust-docs/.

Additional resources