Azure authentication with the Azure Identity module for Go

In this tutorial, the DefaultAzureCredential type from the Azure Identity module for Go is used to authenticate to Azure. The Azure Identity module offers several credential types that focus on OAuth with Azure Active Directory (Azure AD).

DefaultAzureCredential simplifies authentication by combining commonly used credential types. It chains credential types used to authenticate Azure-deployed applications with credential types used to authenticate in a development environment.

Prerequisites

• Azure subscription: If you don't have an Azure subscription, create a free account before you begin.

• Go installed: Version 1.18 or above

1. Install the Azure Identity module for Go

Run the following command to download the azidentity module:

go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity

2. Authenticate with Azure

Use the DefaultAzureCredential to authenticate to Azure with one of the following techniques:

• Option 1: Define environment variables
• Option 2: Use workload identity
• Option 3: Use a managed identity
• Option 4: Sign in with Azure CLI

To learn more about the different credential types, see credential types.

Option 1: Define environment variables

The DefaultAzureCredential uses the EnvironmentCredential type to configure authentication using environment variables that supports three authentication types. Choose from the following authentication types and define the appropriate environment variables.

Service principal with a secret

Variable name	Value
AZURE_CLIENT_ID	Application ID of an Azure service principal
AZURE_TENANT_ID	ID of the application's Azure AD tenant
AZURE_CLIENT_SECRET	Password of the Azure service principal

Bash

export AZURE_TENANT_ID="<active_directory_tenant_id"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_SECRET="<service_principal_password>"

PowerShell

$env:AZURE_TENANT_ID="<active_directory_tenant_id"
$env:AZURE_CLIENT_ID="<service_principal_appid>"
$env:AZURE_CLIENT_SECRET="<service_principal_password>"

Service principal with certificate

Variable name	Value
AZURE_CLIENT_ID	ID of an Azure AD application
AZURE_TENANT_ID	ID of the application's Azure AD tenant
AZURE_CLIENT_CERTIFICATE_PATH	Path to a certificate file including private key (without password protection)

Bash

export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_CERTIFICATE_PATH="<azure_client_certificate_path>"

PowerShell

$env:AZURE_TENANT_ID="<active_directory_tenant_id>"
$env:AZURE_CLIENT_ID="<service_principal_appid>"
$env:AZURE_CLIENT_CERTIFICATE_PATH="<azure_client_certificate_path>"

Username and password

Variable name	Value
AZURE_CLIENT_ID	ID of an Azure AD application
AZURE_USERNAME	A username (usually an email address)
AZURE_PASSWORD	That user's password

Bash

export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_USERNAME="<azure_username>"
export AZURE_PASSWORD="<azure_user_password>"

PowerShell

$env:AZURE_CLIENT_ID="<service_principal_appid>"
$env:AZURE_USERNAME="<azure_username>"
$env:AZURE_PASSWORD="<azure_user_password>"

Configuration is attempted in the preceding order. For example, if values for a client secret and certificate are both present, the client secret is used.

Option 2: Use Workload Identity

Azure AD Workload Identity enables pods in a Kubernetes cluster to use a Kubernetes identity (service account). A Kubernetes token is issued, and OIDC federation enables Kubernetes applications to access Azure resources securely with Azure AD.

If the required environment variables for EnvironmentCredential aren't present, DefaultAzureCredential attempts to authenticate using WorkloadIdentityCredential. WorkloadIdentityCredential attempts to read the service principal configuration from environment variables set by the Workload Identity webhook.

Option 3: Use a managed identity

Managed identities eliminate the need for developers to manage credentials. By connecting to resources that support Azure AD authentication, applications can use Azure AD tokens instead of credentials.

If the required environment variables for WorkloadIdentityCredential aren't present, DefaultAzureCredential attempts to authenticate using ManagedIdentityCredential.

If using a user-assigned managed identity, run the following command to set the AZURE_CLIENT_ID environment variable.

Bash

export AZURE_CLIENT_ID="<user_assigned_managed_identity_client_id>"

PowerShell

$env:AZURE_CLIENT_ID="<user_assigned_managed_identity_client_id>"

Note

To use a system-assigned managed identity, make sure the AZURE_CLIENT_ID environment variable isn't set.

Option 4: Sign in with Azure CLI

To reduce friction in local development, DefaultAzureCredential can authenticate as the user signed into the Azure CLI.

Run the following command to sign into the Azure CLI:

az login

Azure CLI authentication isn't recommended for applications running in Azure.

3. Use DefaultAzureCredential to authenticate ResourceClient

Create a new sample Go module named azure-auth to test authenticating to Azure with DefaultAzureCredential:

1. Create a directory to test and run the sample Go code, then change into that directory.

2. Run go mod init to create a module:

   go mod init azure-auth
   

3. Run go get to download, build, and install the necessary Azure SDK for Go modules:

   go get "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
   go get "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription"
   

4. Create a file named main.go and insert the following code:

   package main
   
   import (
     "context"
   
     "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
     "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription"
   )
   
   const subscriptionID = "<subscription ID>"
   
   func main() {
     cred, err := azidentity.NewDefaultAzureCredential(nil)
     if err != nil {
       // TODO: handle error
     }
     // Azure SDK Resource Management clients accept the credential as a parameter.
     // The client will authenticate with the credential as necessary.
     client, err := armsubscription.NewSubscriptionsClient(cred, nil)
     if err != nil {
       // TODO: handle error
     }
     _, err = client.Get(context.TODO(), subscriptionID, nil)
     if err != nil {
       // TODO: handle error
     }
   }   
   
   

   Replace <subscription ID> with your subscription ID.

5. Run go run to build and run the application:

   go run .
   

Authenticate to Azure with DefaultAzureCredential

Use the following code in your application to authenticate to Azure with the Azure Identity module using DefaultAzureCredential:

// This credential type checks environment variables for configuration.
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
  // handle error
}

// Azure Resource Management clients accept the credential as a parameter
client, err := armresources.NewClient("<subscriptionId>", cred, nil)
if err != nil {
  // handle error
}

Troubleshooting

For guidance on resolving errors from specific credential types, see the troubleshooting guide.

Next steps

Learn more about using the Azure SDK for Go