Azure Identity 202 - Environment Variables

Azure Identity is a library that abstracts away all of the Azure authentication complexities so you can focus on building your solutions.
In Azure Identity 101, I introduced DefaultAzureCredential, which is a chain of credential types that will try a slew of local development credentials, like Azure CLI, and a slew of production credential types like Managed Identity.
The one-liner to get started with DefaultAzureCredential looks like this:

```csharp
var client = new SecretClient(vaultUri, new DefaultAzureCredential());
```

In [Azure Identity 201](/azure-identity-201), I brought you through the various options available to you when using `DefaultAzureCredential`. For example, to use a specific user-assigned Managed Identity client Id you’d use the following code.

```csharp
var client = new SecretClient(
    vaultUri,
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }));
```

In this Azure Identity 202 post, we’ll go through all of the environment variables available to you when using Azure Identity. Using environment variables allows you to easily change the option values without having to change code.

The order of precedence for how Azure Identity reads the values is the following:

1. Property values
2. Environment variables

Azure Identity will first read the property values that are set in code. If they are not set in code, it will then look for values in environment variables.

For example, here’s the code in the Azure Identity library that gets `ManagedIdentityClientId`:

```csharp
public string ManagedIdentityClientId { get; set; } = GetNonEmptyStringOrNull(EnvironmentVariables.ClientId);
```

Source: DefaultAzureCredentialOptions.cs

You are also free to configure your own environment variables with your own names - but, you shouldn’t have to (unless dictated by your company’s security policies).
Azure Identity Environment Variables
Azure Identity allows you to set properties via default environment variables. We have standardized on the AZURE_ prefix for environment names (when possible). For example, to set ManagedIdentityClientId via environment variables, just set AZURE_CLIENT_ID and Azure Identity will set it.
You can view all of the current environment variables by going directly to the source: EnvironmentVariables.cs
DefaultAzureCredentialOptions Environment Variables
DefaultAzureCredential will, by default, populate the following properties for DefaultAzureCredentialOptions from environment variables:

| Property | Environment Variable |
| --- | --- |
| `InteractiveBrowserTenantId` | `AZURE_TENANT_ID` |
| `SharedTokenCacheTenantId` | `AZURE_TENANT_ID` |
| `VisualStudioTenantId` | `AZURE_TENANT_ID` |
| `VisualStudioCodeTenantId` | `AZURE_TENANT_ID` |
| `SharedTokenCacheUsername` | `AZURE_USERNAME` |
| `ManagedIdentityClientId` | `AZURE_CLIENT_ID` |
| `AuthorityHost` | `AZURE_AUTHORITY_HOST` |

EnvironmentCredential Environment Variables
EnvironmentCredential is the first credential type that DefaultAzureCredential will attempt to get a token from. The following environment variables will also be inspected when you use DefaultAzureCredential.
EnvironmentCredential is comprised of 3 credential types: ClientSecretCredential, UsernamePasswordCredential, and ClientCertificateCredential.
This is what the chain looks like:

- DefaultAzureCredential
  - EnvironmentCredential
    - ClientSecretCredential

      | Property | Environment Variable |
      | --- | --- |
      | `ClientId` | `AZURE_CLIENT_ID` |
      | `TenantId` | `AZURE_TENANT_ID` |
      | `ClientSecret` | `AZURE_CLIENT_SECRET` |

    - UsernamePasswordCredential

      | Property | Environment Variable |
      | --- | --- |
      | `Username` | `AZURE_USERNAME` |
      | `Password` | `AZURE_PASSWORD` |
      | `ClientId` | `AZURE_CLIENT_ID` |
      | `TenantId` | `AZURE_TENANT_ID` |

    - ClientCertificateCredential

      | Property | Environment Variable |
      | --- | --- |
      | `ClientId` | `AZURE_CLIENT_ID` |
      | `TenantId` | `AZURE_TENANT_ID` |
      | `ClientCertificatePath` | `AZURE_CLIENT_CERTIFICATE_PATH` |

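
To see which of the three EnvironmentCredential types a given environment would resolve to, and whether a secret is sitting in it, here is a presence-only audit of the variables listed above. It is an added example, not code from the Azure Identity library; `AzureIdentityEnvAudit` and its members are hypothetical names, and it assumes the credentials are tried in the order this post lists them.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class AzureIdentityEnvAudit // hypothetical name, not part of Azure.Identity
{
    // Variables each EnvironmentCredential sub-credential needs, per the tables above.
    // Assumption: they are tried in the order the post lists them.
    static readonly (string Credential, string[] Required)[] Chain =
    {
        ("ClientSecretCredential", new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" }),
        ("UsernamePasswordCredential", new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD" }),
        ("ClientCertificateCredential", new[] { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_CERTIFICATE_PATH" }),
    };
    // Variables whose value is itself a secret.
    static readonly string[] SecretBearing = { "AZURE_CLIENT_SECRET", "AZURE_PASSWORD" };

    // Empty counts as unset, as the name GetNonEmptyStringOrNull suggests.
    static bool IsSet(Func<string, string> env, string name) => !string.IsNullOrEmpty(env(name));

    // First sub-credential whose variables are all present, or null if none is complete.
    public static string Selected(Func<string, string> env) =>
        Chain.FirstOrDefault(c => c.Required.All(v => IsSet(env, v))).Credential;

    // Reports presence only; values are never written to the output.
    public static IEnumerable<string> Report(Func<string, string> env)
    {
        foreach (var (credential, required) in Chain)
        {
            var missing = required.Where(v => !IsSet(env, v)).ToArray();
            yield return $"{credential}: " + (missing.Length == 0 ? "complete" : "missing " + string.Join(", ", missing));
        }
        yield return "EnvironmentCredential would use: " + (Selected(env) ?? "none");
        foreach (var name in SecretBearing.Where(v => IsSet(env, v)))
            yield return $"WARNING: {name} is set and is inherited by child processes";
    }

    public static void Main()
    {
        // Constructed sample values; pass Environment.GetEnvironmentVariable to audit the real process.
        var sample = new Dictionary<string, string>
        {
            ["AZURE_TENANT_ID"] = "00000000-0000-0000-0000-000000000000",
            ["AZURE_CLIENT_ID"] = "11111111-1111-1111-1111-111111111111",
            ["AZURE_CLIENT_SECRET"] = "constructed-placeholder",
            ["AZURE_CLIENT_CERTIFICATE_PATH"] = "", // empty, so treated as unset
        };
        foreach (var line in Report(name => sample.TryGetValue(name, out var v) ? v : null))
            Console.WriteLine(line);
    }
}
```
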
Managed Identity Environment Variables
You can set the client Id to be used by ManagedIdentityCredential via the AZURE_CLIENT_ID environment variable.
You can also set the following Managed Identity environment variables. You can find more info about these standard variables here: How to use managed identities for App Service and Azure Functions

| Environment Variable | Property |
| --- | --- |
| `AZURE_CLIENT_ID` | `DefaultAzureCredentialOptions.ManagedIdentityClientId` |
| `IDENTITY_ENDPOINT` | `AppServiceV2019ManagedIdentitySource`<br>`AzureArcManagedIdentitySource`<br>`ServiceFabricManagedIdentitySource` |
| `IDENTITY_HEADER` | `AppServiceV2019ManagedIdentitySource`<br>`ServiceFabricManagedIdentitySource` |
| `MSI_ENDPOINT` | `AppServiceV2017ManagedIdentitySource`<br>`CloudShellManagedIdentitySource` |
| `MSI_SECRET` | `AppServiceV2017ManagedIdentitySource` |
| `IMDS_ENDPOINT` | `AzureArcManagedIdentitySource` |
| `IDENTITY_SERVER_THUMBPRINT` | `ServiceFabricManagedIdentitySource` |
| `AZURE_POD_IDENTITY_AUTHORITY_HOST` | `ImdsManagedIdentitySource` |

By Environment Variable Name
Here’s a complete list of all the Environment variables that Azure Identity uses.

| Environment Variable | Property | Default Value |
| --- | --- | --- |
| `AZURE_USERNAME` | `DefaultAzureCredentialOptions.SharedTokenCacheUsername`<br>`EnvironmentCredential.UsernamePasswordCredential.Username` | |
| `AZURE_PASSWORD` | `EnvironmentCredential.UsernamePasswordCredential.Password` | |
| `AZURE_TENANT_ID` | `DefaultAzureCredentialOptions.InteractiveBrowserTenantId`<br>`DefaultAzureCredentialOptions.SharedTokenCacheTenantId`<br>`DefaultAzureCredentialOptions.VisualStudioTenantId`<br>`DefaultAzureCredentialOptions.VisualStudioCodeTenantId`<br>`EnvironmentCredential.ClientSecretCredential.TenantId`<br>`EnvironmentCredential.UsernamePasswordCredential.TenantId`<br>`EnvironmentCredential.ClientCertificateCredential.TenantId` | |
| `AZURE_CLIENT_ID` | `AzureApplicationCredentialOptions.ManagedIdentityClientId`<br>`DefaultAzureCredentialOptions.ManagedIdentityClientId`<br>`EnvironmentCredential.ClientSecretCredential.ClientId`<br>`EnvironmentCredential.UsernamePasswordCredential.ClientId`<br>`EnvironmentCredential.ClientCertificateCredential.ClientId` | |
| `AZURE_CLIENT_SECRET` | `EnvironmentCredential.ClientSecretCredential.ClientSecret` | |
| `AZURE_CLIENT_CERTIFICATE_PATH` | `EnvironmentCredential.ClientCertificateCredential.ClientCertificatePath` | |
| `IDENTITY_ENDPOINT` | `AppServiceV2019ManagedIdentitySource`<br>`AzureArcManagedIdentitySource`<br>`ServiceFabricManagedIdentitySource` | |
| `IDENTITY_HEADER` | `AppServiceV2019ManagedIdentitySource`<br>`ServiceFabricManagedIdentitySource` | |
| `MSI_ENDPOINT` | `AppServiceV2017ManagedIdentitySource`<br>`CloudShellManagedIdentitySource` | |
| `MSI_SECRET` | `AppServiceV2017ManagedIdentitySource` | |
| `IMDS_ENDPOINT` | `AzureArcManagedIdentitySource` | |
| `IDENTITY_SERVER_THUMBPRINT` | `ServiceFabricManagedIdentitySource` | |
| `AZURE_POD_IDENTITY_AUTHORITY_HOST` | `ImdsManagedIdentitySource` | |
| `AZURE_AUTHORITY_HOST` | All OAuth credential types | https://login.microsoftonline.com/ |
| `AZURE_REGIONAL_AUTHORITY_NAME` | `ClientCertificateCredentialOptions.RegionalAuthority`<br>`ClientSecretCredentialOptions.RegionalAuthority` | |

Azure Identity Series
This post is part of the Azure Identity blog post series:

- Azure Identity 101 - DefaultAzureCredential
- Azure Identity 201 - DefaultAzureCredential Options
- Azure Identity 202 - Environment Variables
- Azure Identity 301 - ChainedTokenCredential