Azure Identity is a library that abstracts away all of the Azure authentication complexities so you can focus on building your solutions.
In Azure Identity 101, I introduced DefaultAzureCredential, which is a chain of credential types that will try a slew of local development credentials, like Azure CLI, and a slew of production credential types, like Managed Identity.
The one-liner to get started with DefaultAzureCredential looks like this:
var client = new SecretClient(vaultUri, new DefaultAzureCredential());
In Azure Identity 201, I brought you through the various options available to you when using DefaultAzureCredential. For example, to use a specific user-assigned Managed Identity client Id you'd use the following code.
var client = new SecretClient(vaultUri,
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }
    )
);
In this Azure Identity 202 post, we’ll go through all of the environment variables available to you when using Azure Identity. Using environment variables allows you to easily change the option values without having to change code.
The order of precedence for how Azure Identity reads the values is the following:
- Property values set in code
- Environment variables
Azure Identity first uses the property values that are set in code; only when a property is not set in code does it fall back to the environment variable.
For example, here's the code in the Azure Identity library that gets ManagedIdentityClientId:
public string ManagedIdentityClientId { get; set; } = GetNonEmptyStringOrNull(EnvironmentVariables.ClientId);
Source: DefaultAzureCredentialOptions.cs
The environment variable is only the property initializer, so anything you assign to the property afterwards (for example in an object initializer, as in the snippet above) replaces the value read from the environment. Note also that an empty string in the environment is treated as "not set".
You are also free to configure your own environment variables with your own names - but, you shouldn’t have to (unless dictated by your company’s security policies).
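To make the precedence concrete, here is an added example (my code, not code from the post or from the Azure Identity library) that layers company-specific variable names on top of the library's defaults. The CONTOSO_* variable names and the vault URL are placeholders chosen for the example; the AZURE_* names and the DefaultAzureCredentialOptions properties are the library's own.

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example: property values win over environment variables, so company-specific
// variable names (CONTOSO_*, hypothetical) can be mapped onto the options after the
// constructor has already read the library's AZURE_* defaults.
public static class CredentialOptionsFactory
{
    public static DefaultAzureCredentialOptions Build()
    {
        // The property initializers have already read AZURE_CLIENT_ID, AZURE_TENANT_ID,
        // AZURE_USERNAME and AZURE_AUTHORITY_HOST into the matching properties.
        var options = new DefaultAzureCredentialOptions();

        // Assigning a property afterwards replaces whatever the environment supplied.
        string? clientId = Environment.GetEnvironmentVariable("CONTOSO_MI_CLIENT_ID");
        if (!string.IsNullOrEmpty(clientId))
        {
            options.ManagedIdentityClientId = clientId;
        }

        // AZURE_TENANT_ID feeds four separate tenant properties, so a custom tenant
        // variable has to set all four to behave the same way.
        string? tenantId = Environment.GetEnvironmentVariable("CONTOSO_TENANT_ID");
        if (!string.IsNullOrEmpty(tenantId))
        {
            options.InteractiveBrowserTenantId = tenantId;
            options.SharedTokenCacheTenantId = tenantId;
            options.VisualStudioTenantId = tenantId;
            options.VisualStudioCodeTenantId = tenantId;
        }

        return options;
    }

    // Effective, non-secret values for answering "which identity is this process using?".
    public static string Describe(DefaultAzureCredentialOptions o) =>
        $"ManagedIdentityClientId={o.ManagedIdentityClientId ?? "(none: system-assigned)"}, " +
        $"SharedTokenCacheTenantId={o.SharedTokenCacheTenantId ?? "(none)"}, " +
        $"SharedTokenCacheUsername={o.SharedTokenCacheUsername ?? "(none)"}, " +
        $"AuthorityHost={o.AuthorityHost}";
}

public static class Program
{
    public static void Main()
    {
        var options = CredentialOptionsFactory.Build();
        Console.WriteLine(CredentialOptionsFactory.Describe(options));

        // Placeholder vault URL for the example; replace with your own.
        var vaultUri = new Uri("https://example-vault.vault.azure.net/");
        var client = new SecretClient(vaultUri, new DefaultAzureCredential(options));
    }
}
```

To see the precedence in action, export both AZURE_CLIENT_ID and CONTOSO_MI_CLIENT_ID with different values before running: Describe reports the CONTOSO value, because the property assignment happened after the constructor read the environment.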
Azure Identity Environment Variables
Azure Identity allows you to set properties via default environment variables. We have standardized on the AZURE_ prefix for environment variable names (when possible). For example, to set ManagedIdentityClientId via an environment variable, just set AZURE_CLIENT_ID and Azure Identity will pick it up.
You can view all of the current environment variables by going directly to the source: EnvironmentVariables.cs
DefaultAzureCredentialOptions Environment Variables
DefaultAzureCredential will, by default, populate the following properties of DefaultAzureCredentialOptions from environment variables:
Property | Environment Variable |
---|---|
InteractiveBrowserTenantId | AZURE_TENANT_ID |
SharedTokenCacheTenantId | AZURE_TENANT_ID |
VisualStudioTenantId | AZURE_TENANT_ID |
VisualStudioCodeTenantId | AZURE_TENANT_ID |
SharedTokenCacheUsername | AZURE_USERNAME |
ManagedIdentityClientId | AZURE_CLIENT_ID |
AuthorityHost | AZURE_AUTHORITY_HOST |
EnvironmentCredential Environment Variables
EnvironmentCredential is the first credential type that DefaultAzureCredential will attempt to get a token from, so the following environment variables are also inspected when you use DefaultAzureCredential.
EnvironmentCredential is made up of three credential types: ClientSecretCredential, UsernamePasswordCredential, and ClientCertificateCredential. Only one of them is constructed from a given environment: if a complete set of variables is present for more than one, the client secret variant is chosen first, so a stale AZURE_CLIENT_SECRET left in an environment will quietly win over a certificate path.
This is what the chain looks like:
- DefaultAzureCredential
  - EnvironmentCredential
    - ClientSecretCredential

      Property | Environment Variable |
      ---|---|
      ClientId | AZURE_CLIENT_ID |
      TenantId | AZURE_TENANT_ID |
      ClientSecret | AZURE_CLIENT_SECRET |

    - UsernamePasswordCredential

      Property | Environment Variable |
      ---|---|
      Username | AZURE_USERNAME |
      Password | AZURE_PASSWORD |
      ClientId | AZURE_CLIENT_ID |
      TenantId | AZURE_TENANT_ID |

    - ClientCertificateCredential

      Property | Environment Variable |
      ---|---|
      ClientId | AZURE_CLIENT_ID |
      TenantId | AZURE_TENANT_ID |
      ClientCertificatePath | AZURE_CLIENT_CERTIFICATE_PATH |
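As an added example (my code, not the post's and not the library's), here is a small diagnostic that reads the same variables EnvironmentCredential reads, says which of the three credential types will be built, and then asks EnvironmentCredential on its own for a token. Running it outside DefaultAzureCredential makes a bad configuration visible instead of being masked by a later credential in the chain that happens to work on your machine. The Key Vault scope is a placeholder chosen for the example; the order in which the username/password and certificate sets are checked follows the post's list, so consult EnvironmentCredential.cs for the exact order in your library version.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example: inspect the EnvironmentCredential variables and try the credential alone.
public static class EnvironmentCredentialCheck
{
    static bool Has(string name) => !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name));

    // Which credential type EnvironmentCredential will build from the current environment.
    // Only one is built; the client-secret set is checked first, so a leftover
    // AZURE_CLIENT_SECRET overrides a certificate path. The relative order of the other
    // two follows the post's list (assumption; check EnvironmentCredential.cs).
    public static string DescribeConfiguration()
    {
        bool app = Has("AZURE_CLIENT_ID") && Has("AZURE_TENANT_ID");
        if (app && Has("AZURE_CLIENT_SECRET"))
            return "ClientSecretCredential";
        if (app && Has("AZURE_USERNAME") && Has("AZURE_PASSWORD"))
            return "UsernamePasswordCredential";
        if (app && Has("AZURE_CLIENT_CERTIFICATE_PATH"))
            return "ClientCertificateCredential";
        return "none (incomplete variable set)";
    }

    public static async Task<bool> TryGetTokenAsync(string scope, CancellationToken ct = default)
    {
        var credential = new EnvironmentCredential();
        try
        {
            AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);
            Console.WriteLine($"Token acquired; expires {token.ExpiresOn:u}");
            return true;
        }
        catch (CredentialUnavailableException ex)
        {
            // No complete variable set. Inside DefaultAzureCredential this is the case
            // that falls through to the next credential in the chain.
            Console.Error.WriteLine($"EnvironmentCredential unavailable: {ex.Message}");
            return false;
        }
        catch (AuthenticationFailedException ex)
        {
            // Variables present but rejected (wrong secret, expired certificate, wrong tenant).
            // DefaultAzureCredential does not fall through on this one; the failure surfaces.
            Console.Error.WriteLine($"EnvironmentCredential failed: {ex.Message}");
            return false;
        }
    }

    public static async Task Main()
    {
        Console.WriteLine($"EnvironmentCredential will use: {DescribeConfiguration()}");
        // Placeholder scope for the example: the Key Vault data-plane scope.
        await TryGetTokenAsync("https://vault.azure.net/.default");
    }
}
```

The two catch blocks are in that order on purpose: CredentialUnavailableException derives from AuthenticationFailedException, and the distinction matters because DefaultAzureCredential only moves on to the next credential for the first kind.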
Managed Identity Environment Variables
You can set the client Id to be used by ManagedIdentityCredential via the AZURE_CLIENT_ID environment variable (this applies to a user-assigned managed identity; leave it unset for a system-assigned one).
Azure Identity also reads the following Managed Identity environment variables. These are set by the hosting platform (App Service, Azure Arc, Service Fabric, Cloud Shell) rather than by you, and their presence is how Azure Identity decides which managed identity endpoint to talk to. You can find more info about these standard variables here: How to use managed identities for App Service and Azure Functions
Environment Variable | Property or Managed Identity source |
---|---|
AZURE_CLIENT_ID | DefaultAzureCredentialOptions.ManagedIdentityClientId |
IDENTITY_ENDPOINT | AppServiceV2019ManagedIdentitySource, AzureArcManagedIdentitySource, ServiceFabricManagedIdentitySource |
IDENTITY_HEADER | AppServiceV2019ManagedIdentitySource, ServiceFabricManagedIdentitySource |
MSI_ENDPOINT | AppServiceV2017ManagedIdentitySource, CloudShellManagedIdentitySource |
MSI_SECRET | AppServiceV2017ManagedIdentitySource |
IMDS_ENDPOINT | AzureArcManagedIdentitySource |
IDENTITY_SERVER_THUMBPRINT | ServiceFabricManagedIdentitySource |
AZURE_POD_IDENTITY_AUTHORITY_HOST | ImdsManagedIdentitySource |
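To see which of those sources a process will end up using, here is an added example (my code, not the post's or the library's) that maps the platform variables to the source names in the table and then asks ManagedIdentityCredential for a token using the client Id from AZURE_CLIENT_ID. The ordering of the checks approximates the library's detection; the exact probing order lives in the Azure Identity source. The scope is a placeholder chosen for the example.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

// Added example: report which managed identity source the platform variables select,
// then acquire a token through ManagedIdentityCredential.
public static class ManagedIdentityCheck
{
    static bool Has(string name) => !string.IsNullOrEmpty(Environment.GetEnvironmentVariable(name));

    // Approximates the library's detection using the variables in the table above
    // (assumption: the precise probing order is in the Azure Identity source).
    public static string DetectSource()
    {
        if (Has("IDENTITY_ENDPOINT") && Has("IDENTITY_HEADER") && Has("IDENTITY_SERVER_THUMBPRINT"))
            return "ServiceFabricManagedIdentitySource";
        if (Has("IDENTITY_ENDPOINT") && Has("IDENTITY_HEADER"))
            return "AppServiceV2019ManagedIdentitySource";
        if (Has("IDENTITY_ENDPOINT") && Has("IMDS_ENDPOINT"))
            return "AzureArcManagedIdentitySource";
        if (Has("MSI_ENDPOINT") && Has("MSI_SECRET"))
            return "AppServiceV2017ManagedIdentitySource";
        if (Has("MSI_ENDPOINT"))
            return "CloudShellManagedIdentitySource";
        // No platform variables: the VM/VMSS/AKS path that talks to IMDS at 169.254.169.254,
        // unless AZURE_POD_IDENTITY_AUTHORITY_HOST redirects it.
        return Has("AZURE_POD_IDENTITY_AUTHORITY_HOST")
            ? "ImdsManagedIdentitySource (host from AZURE_POD_IDENTITY_AUTHORITY_HOST)"
            : "ImdsManagedIdentitySource (default IMDS endpoint)";
    }

    public static async Task<bool> TryGetTokenAsync(string scope)
    {
        // AZURE_CLIENT_ID selects a user-assigned identity; null means system-assigned.
        string? clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        var credential = new ManagedIdentityCredential(clientId);
        try
        {
            AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), default);
            Console.WriteLine($"Managed identity token acquired; expires {token.ExpiresOn:u}");
            return true;
        }
        catch (CredentialUnavailableException ex)
        {
            // No managed identity endpoint reachable, which is what you see on a developer
            // machine; inside DefaultAzureCredential the chain moves on to the next credential.
            Console.Error.WriteLine($"Managed identity unavailable: {ex.Message}");
            return false;
        }
    }

    public static async Task Main()
    {
        Console.WriteLine($"Managed identity source: {DetectSource()}");
        // Placeholder scope for the example: the Key Vault data-plane scope.
        await TryGetTokenAsync("https://vault.azure.net/.default");
    }
}
```

Run this inside the deployed App Service or VM, not just locally: the point is to confirm that the platform variables the table describes are actually present where the code runs, and that the identity named by AZURE_CLIENT_ID is the one that gets the token.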
By Environment Variable Name
Here’s a complete list of all the Environment variables that Azure Identity uses.
Environment Variable | Property | Default Value |
---|---|---|
AZURE_USERNAME | DefaultAzureCredentialOptions.SharedTokenCacheUsername, EnvironmentCredential.UsernamePasswordCredential.Username | |
AZURE_PASSWORD | EnvironmentCredential.UsernamePasswordCredential.Password | |
AZURE_TENANT_ID | DefaultAzureCredentialOptions.InteractiveBrowserTenantId, DefaultAzureCredentialOptions.SharedTokenCacheTenantId, DefaultAzureCredentialOptions.VisualStudioTenantId, DefaultAzureCredentialOptions.VisualStudioCodeTenantId, EnvironmentCredential.ClientSecretCredential.TenantId, EnvironmentCredential.UsernamePasswordCredential.TenantId, EnvironmentCredential.ClientCertificateCredential.TenantId | |
AZURE_CLIENT_ID | AzureApplicationCredentialOptions.ManagedIdentityClientId, DefaultAzureCredentialOptions.ManagedIdentityClientId, EnvironmentCredential.ClientSecretCredential.ClientId, EnvironmentCredential.UsernamePasswordCredential.ClientId, EnvironmentCredential.ClientCertificateCredential.ClientId | |
AZURE_CLIENT_SECRET | EnvironmentCredential.ClientSecretCredential.ClientSecret | |
AZURE_CLIENT_CERTIFICATE_PATH | EnvironmentCredential.ClientCertificateCredential.ClientCertificatePath | |
IDENTITY_ENDPOINT | AppServiceV2019ManagedIdentitySource, AzureArcManagedIdentitySource, ServiceFabricManagedIdentitySource | |
IDENTITY_HEADER | AppServiceV2019ManagedIdentitySource, ServiceFabricManagedIdentitySource | |
MSI_ENDPOINT | AppServiceV2017ManagedIdentitySource, CloudShellManagedIdentitySource | |
MSI_SECRET | AppServiceV2017ManagedIdentitySource | |
IMDS_ENDPOINT | AzureArcManagedIdentitySource | |
IDENTITY_SERVER_THUMBPRINT | ServiceFabricManagedIdentitySource | |
AZURE_POD_IDENTITY_AUTHORITY_HOST | ImdsManagedIdentitySource | |
AZURE_AUTHORITY_HOST | All OAuth credential types | https://login.microsoftonline.com/ |
AZURE_REGIONAL_AUTHORITY_NAME | ClientCertificateCredentialOptions.RegionalAuthority, ClientSecretCredentialOptions.RegionalAuthority | |
Azure Identity Series
This post is part of the Azure Identity blog post series:
- Azure Identity 101 - DefaultAzureCredential
- Azure Identity 201 - DefaultAzureCredential Options
- Azure Identity 202 - Environment Variables
- Azure Identity 301 - ChainedTokenCredential