Authenticate to Azure resources from Go apps hosted on-premises

Apps hosted outside of Azure, like on-premises or at a data center, should use an application service principal to authenticate to Azure when accessing Azure resources. Application service principal objects are created using the app registration process in Azure. When you create an application service principal, a client ID and client secret are generated for your app. Store the client ID, client secret, and your tenant ID in environment variables so the Azure SDK for Go can use them to authenticate your app to Azure at runtime.

Create a different app registration for each environment where the app is hosted. This setup lets you configure environment-specific resource permissions for each service principal and ensures that an app deployed to one environment doesn't access Azure resources in another environment.

1 - Register the application in Azure

You can register an app with Azure using either the Azure portal or the Azure CLI.

Azure CLI

az ad sp create-for-rbac --name <app-name>

The command output is similar to the following. Note these values or keep this window open because you need them in the next steps and can't view the password (client secret) value again.

{
  "appId": "00001111-aaaa-2222-bbbb-3333cccc4444",
  "displayName": "msdocs-python-sdk-auth-prod",
  "password": "Ee5Ff~6Gg7.-Hh8Ii9Jj0Kk1Ll2Mm3_Nn4Oo5Pp6",
  "tenant": "aaaabbbb-0000-cccc-1111-dddd2222eeee"
}

Azure portal

Sign in to the Azure portal and complete these steps.

Instructions	Screenshot
In the Azure portal: Enter app registrations in the search bar at the top of the Azure portal. Select the item labeled App registrations under the under Services heading on the menu that appears below the search bar.
On the App registrations page, select + New registration.
On the Register an application page, fill out the form as follows. Name → Enter a name for the app registration in Azure. It is recommended this name include the app name and environment (test, prod) the app registration is for. Supported account types → Accounts in this organizational directory only. Select Register to register your app and create the application service principal.
On the App registration page for your app: Application (client) ID → This is the app ID that your app will use to access Azure during local development. Copy this value to a temporary location in a text editor as you'll need it in a future step. Directory (tenant) ID → This value will also be needed by your app when it authenticates to Azure. Copy this value to a temporary location in a text editor it will also be needed it in a future step. Client credentials → You must set the client credentials for the app before your app can authenticate to Azure and use Azure services. Select Add a certificate or secret to add credentials for your app.
On the Certificates & secrets page, select + New client secret.
The Add a client secret dialog will pop out from the right-hand side of the page. In this dialog: Description → Enter a value of Current. Expires → Select a value of 24 months. Select Add to add the secret. IMPORTANT: Set a reminder in your calendar prior to the expiration date of the secret. This way, you can add a new secret prior and update your apps prior to the expiration of this secret and avoid a service interruption in your app.
The Certificates & secrets page shows the value of the client secret. Copy this value to a temporary location in a text editor because you need it in a future step. IMPORTANT: This is the only time you will see this value. Once you leave or refresh this page, you won't be able to see this value again. You may add another client secret without invalidating this client secret, but you won't see this value again.

2 - Assign roles to the application service principal

Next, you need to determine what roles (permissions) your app needs on what resources and assign those roles to your app. Roles can be assigned a role at a resource, resource group, or subscription scope. This example shows how to assign roles for the service principal at the resource group scope because most applications group all their Azure resources into a single resource group.

Azure CLI

Assign a role to a service principal in Azure using the az role assignment create command.

az role assignment create --assignee {appId} \
    --scope /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName} \
    --role "{roleName}" 

To get the role names that a service principal can be assigned to, use the az role definition list command.

az role definition list \
    --query "sort_by([].{roleName:roleName, description:description}, &roleName)" \
    --output table

For example, to allow the service principal with the appId of 00001111-aaaa-2222-bbbb-3333cccc4444 read, write, and delete access to Azure Storage blob containers and data in all storage accounts in the msdocs-go-sdk-auth-example resource group in the subscription with ID aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e, you would assign the application service principal to the Storage Blob Data Contributor role using the following command.

az role assignment create --assignee 00001111-aaaa-2222-bbbb-3333cccc4444 \
    --scope /subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/msdocs-go-sdk-auth-example \
    --role "Storage Blob Data Contributor"

For information on assigning permissions at the resource or subscription level using the Azure CLI, see the article Assign Azure roles using the Azure CLI.

Azure portal

Instructions	Screenshot
Locate the resource group for your application by searching for the resource group name using the search box at the top of the Azure portal. Navigate to your resource group by selecting the resource group name under the Resource Groups heading in the dialog box.
On the page for the resource group, select Access control (IAM) from the left-hand menu.
On the Access control (IAM) page: Select the Role assignments tab. Select + Add from the top menu and then Add role assignment from the resulting drop-down menu.
The Add role assignment page lists all of the roles that can be assigned for the resource group. Use the search box to filter the list to a more manageable size. This example shows how to filter for Storage Blob roles. Select the role that you want to assign. Select Next to go to the next screen.
The next Add role assignment page allows you to specify what user to assign the role to. Select User, group, or service principal under Assign access to. Select + Select members under Members A dialog box opens on the right-hand side of the Azure portal.
In the Select members dialog: The Select text box can be used to filter the list of users and groups in your subscription. If needed, type the first few characters of the service principal you created for the app to filter the list. Select the service principal associated with your application. Select Select at the bottom of the dialog to continue.
The service principal shows as selected on the Add role assignment screen. Select Review + assign to go to the final page and then Review + assign again to complete the process.

3 - Configure environment variables for application

Set the AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_CLIENT_SECRET environment variables for the process running your Go app to make the application service principal credentials available at runtime. The DefaultAzureCredential object retrieves the service principal information from these environment variables.

Variable name	Value
AZURE_CLIENT_ID	Application ID of an Azure service principal
AZURE_TENANT_ID	Tenant ID of the application's Microsoft Entra tenant
AZURE_CLIENT_SECRET	Password of the Azure service principal

Bash

export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_SECRET="<service_principal_password>"

PowerShell

$env:AZURE_TENANT_ID="<active_directory_tenant_id>"
$env:AZURE_CLIENT_ID="<service_principal_appid>"
$env:AZURE_CLIENT_SECRET="<service_principal_password>"

4 - Implement DefaultAzureCredential in your application

To authenticate Azure SDK client objects to Azure, your application should use the DefaultAzureCredential type from the azidentity package.

Start by adding the azidentity package to your application.

go get github.com/Azure/azure-sdk-for-go/sdk/azidentity

Next, for any Go code that instantiates an Azure SDK client in your app, follow these steps:

1. Import the azidentity package.
2. Create an instance of DefaultAzureCredential type.
3. Pass the instance of DefaultAzureCredential type to the Azure SDK client constructor.

The following code segment shows an example.

import (
	"context"

	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
)

const (
	account       = "https://<replace_with_your_storage_account_name>.blob.core.windows.net/"
	containerName = "sample-container"
	blobName      = "sample-blob"
	sampleFile    = "path/to/sample/file"
)

func main() {
    // create a credential
    cred, err := azidentity.NewDefaultAzureCredential(nil)
    if err != nil {
      // TODO: handle error
    }
    
    // create a client for the specified storage account
    client, err := azblob.NewClient(account, cred, nil)
    if err != nil {
      // TODO: handle error
    }
    
    // TODO: perform some action with the azblob Client
    // _, err = client.DownloadFile(context.TODO(), <containerName>, <blobName>, <target_file>, <DownloadFileOptions>)
}

When the code instantiates DefaultAzureCredential, it reads the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET to retrieve the application service principal information needed to connect to Azure.