Azure Identity 202 - Environment Variables

"Azure Identity 202"

Azure Identity is a library that abstracts away all of the Azure authentication complexities so you can focus on building your solutions.

In Azure Identity 101, I introduced DefaultAzureCredential, which is a chain of credential types that will try a slew of local development credentials, like Azure CLI, and a slew of production credential types like Managed Identity.

The one-liner to get started with DefaultAzureCredential looks like this:

var client = new SecretClient(vaultUri, new DefaultAzureCredential());

In Azure Identity 201, I brought you through the various options available to you when using DefaultAzureCredential. For example, to use a specific user-assigned Managed Identity client Id you’d use the following code.

var client = new SecretClient(vaultUri,
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }
    )
);

In this Azure Identity 202 post, we’ll go through all of the environment variables available to you when using Azure Identity. Using environment variables allows you to easily change the option values without having to change code.

The order of precedence for how Azure Identity reads the values is the following:

  1. Property values
  2. Environment variables

Azure Identity will first read in the property values that are set in code, if they are not set in code, it will then look for values in envrionment variables.

For example, here’s the code in the Azure Identity library that gets ManagedIdentityClientId:

public string ManagedIdentityClientId { get; set; } = GetNonEmptyStringOrNull(EnvironmentVariables.ClientId);

Source: DefaultAzureCredentialOptions.cs

You are also free to configure your own environment variables with your own names - but, you shouldn’t have to (unless dictated by your company’s security policies).

Azure Identity Environment Variables

Azure Identity allows you to set properties via default environment variables. We have standardized on the AZURE_ prefix for environment names (when possible). For example, to set ManagedIdentityClientId via environment variables, just set AZURE_CLIENT_ID and Azure Identity will set it.

You can view all of the current environment variables by going directly to the source: EnvironmentVariables.cs

DefaultAzureCredentialOptions Environment Variables

DefaultAzureCredential will, by default, populate the following properties for DefaultAzureCredentialOptions from environment variables:

Property Environment Variable
InteractiveBrowserTenantId AZURE_TENANT_ID
SharedTokenCacheTenantId AZURE_TENANT_ID
VisualStudioTenantId AZURE_TENANT_ID
VisualStudioCodeTenantId AZURE_TENANT_ID
SharedTokenCacheUsername AZURE_USERNAME
ManagedIdentityClientId AZURE_CLIENT_ID
AuthorityHost AZURE_AUTHORITY_HOST

EnvironmentCredential Environment Variables

EnvironmentCredential is the first credential type that DefaultAzureCredential will attempt to get a token from. The following environment variables will also be inspected when you use DefaultAzureCredential.

EnvironmentCredential is comprised of 3 credential types: ClientSecretCredential, UsernamePasswordCredential, and ClientCertificateCredential.

This is what the chain looks like:

  • DefaultAzureCredential
    • EnvironmentCredential
      • ClientSecretCredential

        Property Environment Variable
        ClientId AZURE_CLIENT_ID
        TenantId AZURE_TENANT_ID
        ClientSecret AZURE_CLIENT_SECRET
      • UsernamePasswordCredential

        Property Environment Variable
        Username AZURE_USERNAME
        Password AZURE_PASSWORD
        ClientId AZURE_CLIENT_ID
        TenantId AZURE_TENANT_ID
      • ClientCertificateCredential

        Property Environment Variable
        ClientId AZURE_CLIENT_ID
        TenantId AZURE_TENANT_ID
        ClientCertificatePath AZURE_CLIENT_CERTIFICATE_PATH

Managed Identity Environment Variables

You can set the client Id to be used by ManagedIdentityCredential via the AZURE_CLIENT_ID environment variable.

You can also set the following Managed Identity environment variables. You can find more info about these standard variables here: How to use managed identities for App Service and Azure Functions

Environment Variable Property
AZURE_CLIENT_ID DefaultAzureCredentialOptions.ManagedIdentityClientId
IDENTITY_ENDPOINT AppServiceV2019ManagedIdentitySource
AzureArcManagedIdentitySource
ServiceFabricManagedIdentitySource
IDENTITY_HEADER AppServiceV2019ManagedIdentitySource
ServiceFabricManagedIdentitySource
MSI_ENDPOINT AppServiceV2017ManagedIdentitySource
CloudShellManagedIdentitySource
MSI_SECRET AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST ImdsManagedIdentitySource

By Environment Variable Name

Here’s a complete list of all the Environment variables that Azure Identity uses.

Environment Variable Property Default Value
AZURE_USERNAME DefaultAzureCredentialOptions.SharedTokenCacheUsername
EnvironmentCredential.UsernamePasswordCredential.Username
AZURE_PASSWORD EnvironmentCredential.UsernamePasswordCredential.Password
AZURE_TENANT_ID DefaultAzureCredentialOptions.InteractiveBrowserTenantId
DefaultAzureCredentialOptions.SharedTokenCacheTenantId
DefaultAzureCredentialOptions.VisualStudioTenantId
DefaultAzureCredentialOptions.VisualStudioCodeTenantId
EnvironmentCredential.ClientSecretCredential.TenantId
EnvironmentCredential.UsernamePasswordCredential.TenantId
EnvironmentCredential.ClientCertificateCredential.TenantId
AZURE_CLIENT_ID AzureApplicationCredentialOptions.ManagedIdentityClientId
DefaultAzureCredentialOptions.ManagedIdentityClientId
EnvironmentCredential.ClientSecretCredential.ClientId
EnvironmentCredential.UsernamePasswordCredential.ClientId
EnvironmentCredential.ClientCertificateCredential.ClientId
AZURE_CLIENT_SECRET EnvironmentCredential.ClientSecretCredential.ClientSecret
AZURE_CLIENT_CERTIFICATE_PATH EnvironmentCredential.ClientCertificateCredential.ClientCertificatePath
IDENTITY_ENDPOINT AppServiceV2019ManagedIdentitySource
AzureArcManagedIdentitySource
ServiceFabricManagedIdentitySource
IDENTITY_HEADER AppServiceV2019ManagedIdentitySource
ServiceFabricManagedIdentitySource
MSI_ENDPOINT AppServiceV2017ManagedIdentitySource
CloudShellManagedIdentitySource
MSI_SECRET AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST ImdsManagedIdentitySource
AZURE_AUTHORITY_HOST All OAuth credential types https://login.microsoftonline.com/
AZURE_REGIONAL_AUTHORITY_NAME ClientCertificateCredentialOptions.RegionalAuthority
ClientSecretCredentialOptions.RegionalAuthority

I hoped this help you on your Azure solution building journey.

Please leave a comment or contact me if you get stuck or have any feedback.

Thanks,
Jon