Azure authentication with the Azure Identity module for Go
In this tutorial, the DefaultAzureCredential type from the Azure Identity module for Go is used to authenticate to Azure. The Azure Identity module offers several credential types that focus on OAuth with Microsoft Entra ID.
DefaultAzureCredential simplifies authentication by combining commonly used credential types. It chains credential types used to authenticate Azure-deployed applications with credential types used to authenticate in a development environment.
Prerequisites
- Azure subscription: If you don't have an Azure subscription, create a free account before you begin.
- Go installed: Version 1.18 or above
1. Install the Azure Identity module for Go
Run the following command to download the azidentity module:
go get -u github.com/Azure/azure-sdk-for-go/sdk/azidentity
2. Authenticate with Azure
Use DefaultAzureCredential to authenticate to Azure with one of the following techniques:
- Option 1: Define environment variables
- Option 2: Use workload identity
- Option 3: Use a managed identity
- Option 4: Sign in with Azure CLI
- Option 5: Sign in with Azure Developer CLI
To learn more about the different credential types, see credential types.
Option 1: Define environment variables
The DefaultAzureCredential uses the EnvironmentCredential type to configure authentication using environment variables that supports three authentication types. Choose from the following authentication types and define the appropriate environment variables.
Service principal with a secret
| Variable name | Value |
|---|---|
AZURE_CLIENT_ID |
Application ID of an Azure service principal |
AZURE_TENANT_ID |
ID of the application's Microsoft Entra tenant |
AZURE_CLIENT_SECRET |
Password of the Azure service principal |
export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_SECRET="<service_principal_password>"
Service principal with certificate
| Variable name | Value |
|---|---|
AZURE_CLIENT_ID |
ID of a Microsoft Entra application |
AZURE_TENANT_ID |
ID of the application's Microsoft Entra tenant |
AZURE_CLIENT_CERTIFICATE_PATH |
Path to a PEM or PKCS12 certificate file including private key |
AZURE_CLIENT_CERTIFICATE_PASSWORD |
(optional) Password for the certificate file |
export AZURE_TENANT_ID="<active_directory_tenant_id>"
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_CLIENT_CERTIFICATE_PATH="<azure_client_certificate_path>"
Username and password
| Variable name | Value |
|---|---|
AZURE_CLIENT_ID |
ID of a Microsoft Entra application |
AZURE_USERNAME |
A username (usually an email address) |
AZURE_PASSWORD |
That user's password |
export AZURE_CLIENT_ID="<service_principal_appid>"
export AZURE_USERNAME="<azure_username>"
export AZURE_PASSWORD="<azure_user_password>"
Configuration is attempted in the preceding order. For example, if values for a client secret and certificate are both present, the client secret is used. For an end-to-end tutorial about authenticating with service principals, see Azure SDK for Go authentication with a service principal.
Option 2: Use Workload Identity
Microsoft Entra Workload ID enables pods in a Kubernetes cluster to use a Kubernetes identity (service account). A Kubernetes token is issued, and OIDC federation enables Kubernetes applications to access Azure resources securely with Microsoft Entra ID.
If the required environment variables for EnvironmentCredential aren't present, DefaultAzureCredential attempts to authenticate using WorkloadIdentityCredential. WorkloadIdentityCredential attempts to read the service principal configuration from environment variables set by the Workload Identity webhook.
Option 3: Use a managed identity
Managed identities eliminate the need for developers to manage credentials. When connecting to resources that support Microsoft Entra authentication, applications hosted in Azure can use Microsoft Entra tokens instead of credentials. Managed Identities aren't supported in local development.
If the required environment variables for WorkloadIdentityCredential aren't present, DefaultAzureCredential attempts to authenticate using ManagedIdentityCredential.
If using a user-assigned managed identity, run the following command to set the AZURE_CLIENT_ID environment variable.
export AZURE_CLIENT_ID="<user_assigned_managed_identity_client_id>"
If the AZURE_CLIENT_ID environment variable isn't set, DefaultAzureCredentials attempts to authenticate using the system-assigned managed identity if one is enabled on the hosting resource.
For an end-to-end tutorial about authenticating with managed identities in Azure-hosted apps, see Authentication with the Azure SDK for Go using a managed identity.
Option 4: Sign in with Azure CLI
To reduce friction in local development, DefaultAzureCredential can authenticate as the user signed into the Azure CLI.
Run the following command to sign into the Azure CLI:
az login
Option 5: Sign in with Azure Developer CLI
In local development, if the user isn't signed in to the Azure CLI, DefaultAzureCredential can authenticate as the user signed into the Azure Developer CLI.
Run the following command to sign into the Azure Developer CLI:
azd auth login
Azure Developer CLI authentication isn't recommended for applications running in Azure.
3. Use DefaultAzureCredential to authenticate ResourceClient
Create a new sample Go module named azure-auth to test authenticating to Azure with DefaultAzureCredential:
Create a directory to test and run the sample Go code, then change into that directory.
Run go mod init to create a module:
go mod init azure-authRun go get to download, build, and install the necessary Azure SDK for Go modules:
go get "github.com/Azure/azure-sdk-for-go/sdk/azidentity" go get "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription"Create a file named
main.goand insert the following code:package main import ( "context" "github.com/Azure/azure-sdk-for-go/sdk/azidentity" "github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/subscription/armsubscription" ) const subscriptionID = "<subscription ID>" func main() { cred, err := azidentity.NewDefaultAzureCredential(nil) if err != nil { // TODO: handle error } // Azure SDK Resource Management clients accept the credential as a parameter. // The client will authenticate with the credential as necessary. client, err := armsubscription.NewSubscriptionsClient(cred, nil) if err != nil { // TODO: handle error } _, err = client.Get(context.TODO(), subscriptionID, nil) if err != nil { // TODO: handle error } }Replace
<subscription ID>with your subscription ID.Run
go runto build and run the application:go run .Note
To run as-is on your local system, you need to sign in to Azure using the Azure CLI or Azure Developer CLI.
Authenticate to Azure with DefaultAzureCredential
Use the following code in your application to authenticate to Azure with the Azure Identity module using DefaultAzureCredential:
// This credential type checks environment variables for configuration.
cred, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
// handle error
}
// Azure Resource Management clients accept the credential as a parameter
client, err := armresources.NewClient("<subscriptionId>", cred, nil)
if err != nil {
// handle error
}
Troubleshooting
For guidance on resolving errors from specific credential types, see the troubleshooting guide.