Azure authentication with the Azure SDK for Go
In this tutorial, you'll use the DefaultAzureCredential type from the Azure SDK for Go to authenticate to Azure with environment variables, a managed identity, or the Azure CLI.
The Azure Identity module for Go offers several different credential types that focus on OAuth with Azure Active Directory (Azure AD).
The DefaultAzureCredential type simplifies authentication by combining commonly used credential types. It chains together the credential types used to authenticate deployed Azure applications with the credentials used to authenticate in a development environment.
Prerequisites
- Azure subscription: If you don't have an Azure subscription, create a free account before you begin.
- Go installed: Version 1.18 or above
1. Install the Azure Identity module for Go
The Azure Identity module is used to authenticate to Azure.
Run the following command to download the azidentity module:
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
2. Authenticate with Azure
Use the DefaultAzureCredential to authenticate to Azure with one of the following techniques:
- Option 1: Define environment variables
- Option 2: Use a managed identity
- Option 3: Sign in with Azure CLI
To learn more about the different credential types, see credential types.
Option 1: Define environment variables
The DefaultAzureCredential uses the EnvironmentCredential type to configure authentication from environment variables. EnvironmentCredential supports three authentication types. Choose one of the following authentication types and define the appropriate environment variables.
Service principal with a secret
Variable name | Value |
---|---|
AZURE_CLIENT_ID | Application ID of an Azure service principal |
AZURE_TENANT_ID | ID of the application's Azure AD tenant |
AZURE_CLIENT_SECRET | Password of the Azure service principal |
export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_SECRET="<service_principal_password>"
Service principal with certificate
Variable name | Value |
---|---|
AZURE_CLIENT_ID | ID of an Azure AD application |
AZURE_TENANT_ID | ID of the application's Azure AD tenant |
AZURE_CLIENT_CERTIFICATE_PATH | Path to a certificate file including private key (without password protection) |
export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_CERTIFICATE_PATH="<azure_client_certificate_path>"
Username and password
Variable name | Value |
---|---|
AZURE_CLIENT_ID | ID of an Azure AD application |
AZURE_USERNAME | A username (usually an email address) |
AZURE_PASSWORD | That user's password |
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_USERNAME="<azure_username>"
export AZURE_PASSWORD="<azure_user_password>"
Configuration is attempted in the above order. For example, if values for a client secret and certificate are both present, the client secret will be used.
Option 2: Use a managed identity
Managed identities eliminate the need for developers to manage credentials. By connecting to resources that support Azure AD authentication, applications can use Azure AD tokens instead of credentials.
If the required environment variables for the EnvironmentCredential credential type aren't present, the DefaultAzureCredential will attempt to authenticate using the ManagedIdentityCredential type.
If using a user-assigned managed identity, run the following command to set the AZURE_CLIENT_ID environment variable.
export AZURE_CLIENT_ID="<user_assigned_managed_identity_client_id>"
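The precedence rules above mean that leftover variables on a host can decide which identity an application uses. The following pre-flight check is an added example, not code from the tutorial or the Azure SDK: it models the three variable sets exactly as the tables above list them, treats an empty value as unset (an assumption), and does not call azidentity. The helper name resolveEnvMode and the mode labels are hypothetical.

```go
package main

import (
	"fmt"
	"os"
)

// Variable sets per mode, in the precedence order the tutorial lists.
var envModes = []struct {
	name string
	vars []string
}{
	{"client-secret", []string{"AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_SECRET"}},
	{"client-certificate", []string{"AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_CLIENT_CERTIFICATE_PATH"}},
	{"username-password", []string{"AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"}},
}

// resolveEnvMode (hypothetical helper) returns the first mode whose variables are
// all set, plus lower-priority modes that are also complete and so are ignored.
// An empty mode means the chain moves on to managed identity, per the tutorial.
func resolveEnvMode(lookup func(string) (string, bool)) (mode string, shadowed []string) {
	for _, m := range envModes {
		complete := true
		for _, v := range m.vars {
			if val, ok := lookup(v); !ok || val == "" { // assumption: empty == unset
				complete = false
				break
			}
		}
		if complete && mode == "" {
			mode = m.name
		} else if complete {
			shadowed = append(shadowed, m.name)
		}
	}
	return mode, shadowed
}

func main() {
	mode, shadowed := resolveEnvMode(os.LookupEnv)
	if mode == "" {
		fmt.Println("no complete environment configuration; next in chain: managed identity")
		return
	}
	fmt.Printf("environment credential mode: %s\n", mode)
	for _, s := range shadowed {
		fmt.Printf("warning: %s variables are also set but will be ignored\n", s)
	}
}
```

Run it in the same environment as the application before deployment; a non-empty mode on a host that is meant to use a managed identity indicates stray credentials in the environment.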
Option 3: Sign in with Azure CLI
To support local development, the DefaultAzureCredential can authenticate as the user signed into the Azure CLI.
Run the following command to sign into the Azure CLI.
az login
The azidentity module supports authenticating through developer tools to simplify local development. Azure CLI authentication isn't recommended for applications running in Azure.
3. Use DefaultAzureCredential to authenticate ResourceClient
Create a new sample Go module named azure-auth to test authenticating to Azure with the DefaultAzureCredential.
Create a directory to test and run the sample Go code, then change into that directory.
Run go mod init to create a module.
go mod init azure-auth
Run go get to download, build, and install the necessary Azure SDK for Go modules.
go get "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
go get "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
Create a file named main.go and insert the following code.
package main

// Import key modules.
import (
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources"
)

// Define key global variables.
var (
	subscriptionId = "<subscription ID>"
)

// Build the default credential chain and create a resource client with it.
func main() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("Authentication failure: %+v", err)
	}

	// Azure SDK Azure Resource Management clients accept the credential as a parameter
	client, err := armresources.NewClient(subscriptionId, cred, nil)
	if err != nil {
		log.Fatalf("Failed to create resource client: %+v", err)
	}

	// A token is requested only when the client makes its first API call.
	log.Printf("Created resource client for subscription %s: %T", subscriptionId, client)
}
Replace the <subscription ID> placeholder with your subscription ID.
Run go run to build and run the app.
go run .
Authenticate to Azure with DefaultAzureCredential
Use the following code in your applications to authenticate to Azure with the Azure Identity Go module using the DefaultAzureCredential credential type.
// The default credential checks environment variables for configuration.
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
	// handle error
}
// Azure SDK Azure Resource Management clients accept the credential as a parameter
client, err := armresources.NewClient("<subscription ID>", cred, nil)
if err != nil {
	// handle error
}