Azure authentication with the Azure Identity module for Go
In this tutorial, the DefaultAzureCredential type from the Azure Identity module for Go is used to authenticate to Azure. The Azure Identity module offers several credential types that focus on OAuth with Azure Active Directory (Azure AD).
DefaultAzureCredential
simplifies authentication by combining commonly used credential types. It chains credential types used to authenticate Azure-deployed applications with credential types used to authenticate in a development environment.
Prerequisites
- Azure subscription: If you don't have an Azure subscription, create a free account before you begin.
- Go installed: Version 1.18 or above
1. Install the Azure Identity module for Go
Run the following command to download the azidentity module:
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
2. Authenticate with Azure
Use the DefaultAzureCredential
to authenticate to Azure with one of the following techniques:
- Option 1: Define environment variables
- Option 2: Use workload identity
- Option 3: Use a managed identity
- Option 4: Sign in with Azure CLI
To learn more about the different credential types, see credential types.
Option 1: Define environment variables
The DefaultAzureCredential
uses the EnvironmentCredential
type to configure authentication using environment variables that supports three authentication types. Choose from the following authentication types and define the appropriate environment variables.
Service principal with a secret
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
Application ID of an Azure service principal |
AZURE_TENANT_ID |
ID of the application's Azure AD tenant |
AZURE_CLIENT_SECRET |
Password of the Azure service principal |
export AZURE_TENANT_ID="<active_directory_tenant_id"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_SECRET="<service_principal_password>"
Service principal with certificate
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
ID of an Azure AD application |
AZURE_TENANT_ID |
ID of the application's Azure AD tenant |
AZURE_CLIENT_CERTIFICATE_PATH |
Path to a certificate file including private key (without password protection) |
export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_CERTIFICATE_PATH="<azure_client_certificate_path>"
Username and password
Variable name | Value |
---|---|
AZURE_CLIENT_ID |
ID of an Azure AD application |
AZURE_USERNAME |
A username (usually an email address) |
AZURE_PASSWORD |
That user's password |
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_USERNAME="<azure_username>"
export AZURE_PASSWORD="<azure_user_password>"
Configuration is attempted in the preceding order. For example, if values for a client secret and certificate are both present, the client secret is used.
Option 2: Use Workload Identity
Azure AD Workload Identity enables pods in a Kubernetes cluster to use a Kubernetes identity (service account). A Kubernetes token is issued, and OIDC federation enables Kubernetes applications to access Azure resources securely with Azure AD.
If the required environment variables for EnvironmentCredential
aren't present, DefaultAzureCredential
attempts to authenticate using WorkloadIdentityCredential. WorkloadIdentityCredential
attempts to read the service principal configuration from environment variables set by the Workload Identity webhook.
Option 3: Use a managed identity
Managed identities eliminate the need for developers to manage credentials. By connecting to resources that support Azure AD authentication, applications can use Azure AD tokens instead of credentials.
If the required environment variables for WorkloadIdentityCredential
aren't present, DefaultAzureCredential
attempts to authenticate using ManagedIdentityCredential.
If using a user-assigned managed identity, run the following command to set the AZURE_CLIENT_ID
environment variable.
export AZURE_CLIENT_ID="<user_assigned_managed_identity_client_id>"
Option 4: Sign in with Azure CLI
To reduce friction in local development, DefaultAzureCredential
can authenticate as the user signed into the Azure CLI.
Run the following command to sign into the Azure CLI:
az login
Azure CLI authentication isn't recommended for applications running in Azure.
3. Use DefaultAzureCredential to authenticate ResourceClient
Create a new sample Go module named azure-auth
to test authenticating to Azure with DefaultAzureCredential
:
Create a directory to test and run the sample Go code, then change into that directory.
Run go mod init to create a module:
go mod init azure-auth
Run go get to download, build, and install the necessary Azure SDK for Go modules:
go get "github.com/Azure/azure-sdk-for-go/sdk/azidentity" go get "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription"
Create a file named
main.go
and insert the following code:package main import ( "context" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription" ) const subscriptionID = "<subscription ID>" func main() { cred, err := azidentity.NewDefaultAzureCredential(nil) if err != nil { // TODO: handle error } // Azure SDK Resource Management clients accept the credential as a parameter. // The client will authenticate with the credential as necessary. client, err := armsubscription.NewSubscriptionsClient(cred, nil) if err != nil { // TODO: handle error } _, err = client.Get(context.TODO(), subscriptionID, nil) if err != nil { // TODO: handle error } }
Replace
<subscription ID>
with your subscription ID.Run
go run
to build and run the application:go run .
Authenticate to Azure with DefaultAzureCredential
Use the following code in your application to authenticate to Azure with the Azure Identity module using DefaultAzureCredential
:
// This credential type checks environment variables for configuration.
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
// handle error
}
// Azure Resource Management clients accept the credential as a parameter
client, err := armresources.NewClient("<subscriptionId>", cred, nil)
if err != nil {
// handle error
}
Troubleshooting
For guidance on resolving errors from specific credential types, see the troubleshooting guide.
Next steps
Feedback
Submit and view feedback for