playbooks

home / skills / sickn33 / antigravity-awesome-skills / azure-identity-rust

azure-identity-rust skill

/skills/azure-identity-rust

This skill helps Rust developers integrate Azure Identity authentication, enabling tools like DeveloperToolsCredential and ManagedIdentityCredential for

npx playbooks add skill sickn33/antigravity-awesome-skills --skill azure-identity-rust

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.4 KB
---
name: azure-identity-rust
description: |
  Azure Identity SDK for Rust authentication. Use for DeveloperToolsCredential, ManagedIdentityCredential, ClientSecretCredential, and token-based authentication.
  Triggers: "azure-identity", "DeveloperToolsCredential", "authentication rust", "managed identity rust", "credential rust".
package: azure_identity
---

# Azure Identity SDK for Rust

Authentication library for Azure SDK clients using Microsoft Entra ID (formerly Azure AD).

## Installation

```sh
cargo add azure_identity
```

## Environment Variables

```bash
# Service Principal (for production/CI)
AZURE_TENANT_ID=<your-tenant-id>
AZURE_CLIENT_ID=<your-client-id>
AZURE_CLIENT_SECRET=<your-client-secret>

# User-assigned Managed Identity (optional)
AZURE_CLIENT_ID=<managed-identity-client-id>
```

## DeveloperToolsCredential

The recommended credential for local development. Tries developer tools in order (Azure CLI, Azure Developer CLI):

```rust
use azure_identity::DeveloperToolsCredential;
use azure_security_keyvault_secrets::SecretClient;

let credential = DeveloperToolsCredential::new(None)?;
let client = SecretClient::new(
    "https://my-vault.vault.azure.net/",
    credential.clone(),
    None,
)?;
```

### Credential Chain Order

| Order | Credential | Environment |
|-------|-----------|-------------|
| 1 | AzureCliCredential | `az login` |
| 2 | AzureDeveloperCliCredential | `azd auth login` |

## Credential Types

| Credential | Usage |
|------------|-------|
| `DeveloperToolsCredential` | Local development - tries CLI tools |
| `ManagedIdentityCredential` | Azure VMs, App Service, Functions, AKS |
| `WorkloadIdentityCredential` | Kubernetes workload identity |
| `ClientSecretCredential` | Service principal with secret |
| `ClientCertificateCredential` | Service principal with certificate |
| `AzureCliCredential` | Direct Azure CLI auth |
| `AzureDeveloperCliCredential` | Direct azd CLI auth |
| `AzurePipelinesCredential` | Azure Pipelines service connection |
| `ClientAssertionCredential` | Custom assertions (federated identity) |

## ManagedIdentityCredential

For Azure-hosted resources:

```rust
use azure_identity::ManagedIdentityCredential;

// System-assigned managed identity
let credential = ManagedIdentityCredential::new(None)?;

// User-assigned managed identity
let options = ManagedIdentityCredentialOptions {
    client_id: Some("<user-assigned-mi-client-id>".into()),
    ..Default::default()
};
let credential = ManagedIdentityCredential::new(Some(options))?;
```

## ClientSecretCredential

For service principal with secret:

```rust
use azure_identity::ClientSecretCredential;

let credential = ClientSecretCredential::new(
    "<tenant-id>".into(),
    "<client-id>".into(),
    "<client-secret>".into(),
    None,
)?;
```

## Best Practices

1. **Use `DeveloperToolsCredential` for local dev** — automatically picks up Azure CLI
2. **Use `ManagedIdentityCredential` in production** — no secrets to manage
3. **Clone credentials** — credentials are `Arc`-wrapped and cheap to clone
4. **Reuse credential instances** — same credential can be used with multiple clients
5. **Use `tokio` feature** — `cargo add azure_identity --features tokio`

## Reference Links

| Resource | Link |
|----------|------|
| API Reference | https://docs.rs/azure_identity |
| Source Code | https://github.com/Azure/azure-sdk-for-rust/tree/main/sdk/identity/azure_identity |
| crates.io | https://crates.io/crates/azure_identity |

Overview

This skill wraps the Azure Identity SDK for Rust to simplify authentication for Azure SDK clients. It provides convenient credential types for local development and production, including DeveloperToolsCredential, ManagedIdentityCredential, and ClientSecretCredential. Use it to obtain tokens and plug into Azure service clients like Key Vault, Storage, and more.

How this skill works

The skill exposes Rust credential types that implement token acquisition against Microsoft Entra ID (Azure AD). DeveloperToolsCredential probes local developer tooling (Azure CLI, Azure Developer CLI). ManagedIdentityCredential uses the platform-managed identity endpoints in Azure hosts, while ClientSecretCredential performs service principal authentication. Credentials are Arc-wrapped and inexpensive to clone for reuse across clients.

When to use it

  • Local development: DeveloperToolsCredential to inherit az/azd login state.
  • Production on Azure: ManagedIdentityCredential for VM, App Service, Functions, or AKS.
  • CI/CD or service principals: ClientSecretCredential for non-interactive auth.
  • Kubernetes workloads: WorkloadIdentityCredential for federated identity.
  • Scripting or local tooling: AzureCliCredential or AzureDeveloperCliCredential for explicit CLI auth.

Best practices

  • Prefer DeveloperToolsCredential locally to avoid embedding secrets.
  • Use ManagedIdentityCredential in production to eliminate secret management.
  • Reuse and clone credential instances across clients; credentials are Arc-wrapped and cheap to clone.
  • Enable the tokio feature for async runtimes: cargo add azure_identity --features tokio.
  • Store tenant/client IDs and secrets in environment variables or managed configuration; avoid hard-coding secrets.

Example use cases

  • Access Key Vault secrets from a local tool using DeveloperToolsCredential and SecretClient.
  • Run a microservice on AKS that calls Azure Storage using ManagedIdentityCredential without secrets.
  • Authenticate a backend service in CI using ClientSecretCredential and environment variables for tenant/client/secret.
  • Use WorkloadIdentityCredential for Kubernetes pods with federated identity to obtain tokens.

FAQ

How do I pick the right credential for local vs production?

Use DeveloperToolsCredential for development and ManagedIdentityCredential for Azure-hosted production. ClientSecretCredential is for service principals or CI where managed identity is not available.

Are credentials safe to share between clients?

Yes. Credentials are Arc-wrapped and cheap to clone. Create one instance and reuse it across multiple Azure SDK clients.