
Azure Identity 202 - Environment Variables

source link: https://blog.jongallant.com/2021/08/azure-identity-202/?utm_campaign=Feed%3A+jongallant+%28Jon+Gallant%29


Azure Identity is a library that abstracts away all of the Azure authentication complexities so you can focus on building your solutions.

In Azure Identity 101, I introduced DefaultAzureCredential, which is a chain of credential types that will try a slew of local development credentials, like Azure CLI, and a slew of production credential types like Managed Identity.

The one-liner to get started with DefaultAzureCredential looks like this:

var client = new SecretClient(vaultUri, new DefaultAzureCredential());

In Azure Identity 201, I brought you through the various options available to you when using DefaultAzureCredential. For example, to use a specific user-assigned Managed Identity client Id you’d use the following code.

var client = new SecretClient(vaultUri,
    new DefaultAzureCredential(
        new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }
    )
);

In this Azure Identity 202 post, we’ll go through all of the environment variables available to you when using Azure Identity. Using environment variables allows you to easily change the option values without having to change code.

The order of precedence for how Azure Identity reads the values is the following:

  1. Property values
  2. Environment variables

Azure Identity first reads the property values that are set in code; if a property is not set in code, it then looks for the value in environment variables.

For example, here’s the code in the Azure Identity library that gets ManagedIdentityClientId:

public string ManagedIdentityClientId { get; set; } = GetNonEmptyStringOrNull(EnvironmentVariables.ClientId);

Source: DefaultAzureCredentialOptions.cs

You are also free to configure your own environment variables with your own names - but, you shouldn’t have to (unless dictated by your company’s security policies).

Azure Identity Environment Variables

Azure Identity allows you to set properties via default environment variables. We have standardized on the AZURE_ prefix for environment variable names (when possible). For example, to set ManagedIdentityClientId via environment variables, just set AZURE_CLIENT_ID and Azure Identity will pick it up.

You can view all of the current environment variables by going directly to the source: EnvironmentVariables.cs

DefaultAzureCredentialOptions Environment Variables

DefaultAzureCredential will, by default, populate the following properties for DefaultAzureCredentialOptions from environment variables:

Property                     Environment Variable
InteractiveBrowserTenantId   AZURE_TENANT_ID
SharedTokenCacheTenantId     AZURE_TENANT_ID
VisualStudioTenantId         AZURE_TENANT_ID
VisualStudioCodeTenantId     AZURE_TENANT_ID
SharedTokenCacheUsername     AZURE_USERNAME
ManagedIdentityClientId      AZURE_CLIENT_ID
AuthorityHost                AZURE_AUTHORITY_HOST

EnvironmentCredential Environment Variables

EnvironmentCredential is the first credential type that DefaultAzureCredential will attempt to get a token from. The following environment variables will also be inspected when you use DefaultAzureCredential.

EnvironmentCredential comprises 3 credential types: ClientSecretCredential, UsernamePasswordCredential, and ClientCertificateCredential.

This is what the chain looks like:

  • DefaultAzureCredential
    • EnvironmentCredential
      • ClientSecretCredential

        Property       Environment Variable
        ClientId       AZURE_CLIENT_ID
        TenantId       AZURE_TENANT_ID
        ClientSecret   AZURE_CLIENT_SECRET

      • UsernamePasswordCredential

        Property       Environment Variable
        Username       AZURE_USERNAME
        Password       AZURE_PASSWORD
        ClientId       AZURE_CLIENT_ID
        TenantId       AZURE_TENANT_ID

      • ClientCertificateCredential

        Property                Environment Variable
        ClientId                AZURE_CLIENT_ID
        TenantId                AZURE_TENANT_ID
        ClientCertificatePath   AZURE_CLIENT_CERTIFICATE_PATH

Managed Identity Environment Variables

You can set the client Id to be used by ManagedIdentityCredential via the AZURE_CLIENT_ID environment variable.

You can also set the following Managed Identity environment variables. You can find more info about these standard variables here: How to use managed identities for App Service and Azure Functions

Environment Variable               Property
AZURE_CLIENT_ID                    DefaultAzureCredentialOptions.ManagedIdentityClientId
IDENTITY_ENDPOINT                  AppServiceV2019ManagedIdentitySource
                                   AzureArcManagedIdentitySource
                                   ServiceFabricManagedIdentitySource
IDENTITY_HEADER                    AppServiceV2019ManagedIdentitySource
                                   ServiceFabricManagedIdentitySource
MSI_ENDPOINT                       AppServiceV2017ManagedIdentitySource
                                   CloudShellManagedIdentitySource
MSI_SECRET                         AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT                      AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT         ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST  ImdsManagedIdentitySource
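As an added example (not code from the post or from the Azure Identity library), here is a POSIX shell check that reads the variables tabulated in the EnvironmentCredential and Managed Identity sections and reports which EnvironmentCredential type and which managed-identity source the current environment completes, without echoing any secret values. The selection order is an assumption: it follows the order in which the post lists the types and sources, so confirm it against the library source before relying on it.

```shell
# Added example: classify an environment the way the tables above describe.
# Secret values are never printed, only whether each variable is set.
# Which EnvironmentCredential type the AZURE_* variables complete; "none" if
# no set is complete. Assumption: checked in the order the post lists them.
environment_credential_type() {
  if [ -z "$AZURE_TENANT_ID" ] || [ -z "$AZURE_CLIENT_ID" ]; then
    echo none; return 0          # tenant and client id are required by all three
  fi
  if [ -n "$AZURE_CLIENT_SECRET" ]; then
    echo ClientSecretCredential
  elif [ -n "$AZURE_USERNAME" ] && [ -n "$AZURE_PASSWORD" ]; then
    echo UsernamePasswordCredential
  elif [ -n "$AZURE_CLIENT_CERTIFICATE_PATH" ]; then
    echo ClientCertificateCredential
  else
    echo none
  fi
}

# Which managed-identity source the host advertises, per the Managed Identity
# table; IMDS is the fallback. Assumption: specific combinations are tested first.
managed_identity_source() {
  if [ -n "$IDENTITY_ENDPOINT" ] && [ -n "$IDENTITY_HEADER" ]; then
    if [ -n "$IDENTITY_SERVER_THUMBPRINT" ]; then
      echo ServiceFabricManagedIdentitySource
    else
      echo AppServiceV2019ManagedIdentitySource
    fi
  elif [ -n "$IDENTITY_ENDPOINT" ] && [ -n "$IMDS_ENDPOINT" ]; then
    echo AzureArcManagedIdentitySource
  elif [ -n "$MSI_ENDPOINT" ] && [ -n "$MSI_SECRET" ]; then
    echo AppServiceV2017ManagedIdentitySource
  elif [ -n "$MSI_ENDPOINT" ]; then
    echo CloudShellManagedIdentitySource
  else
    echo ImdsManagedIdentitySource
  fi
}

# Presence-only report of the variables the post lists, plus both selections.
azure_identity_env_report() {
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_USERNAME \
      AZURE_PASSWORD AZURE_CLIENT_CERTIFICATE_PATH IDENTITY_ENDPOINT \
      IDENTITY_HEADER IDENTITY_SERVER_THUMBPRINT IMDS_ENDPOINT MSI_ENDPOINT MSI_SECRET; do
    eval "val=\${$v:-}"
    [ -n "$val" ] && echo "$v=<set>" || echo "$v=<unset>"
  done
  echo "EnvironmentCredential: $(environment_credential_type)"
  echo "ManagedIdentitySource: $(managed_identity_source)"
}
```

Run azure_identity_env_report on a build agent or in a container before deploying to confirm that only the intended credential type is completable there.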

By Environment Variable Name

Here’s a complete list of all the Environment variables that Azure Identity uses.

Environment Variable               Property                                                                  Default Value
AZURE_USERNAME                     DefaultAzureCredentialOptions.SharedTokenCacheUsername
                                   EnvironmentCredential.UsernamePasswordCredential.Username
AZURE_PASSWORD                     EnvironmentCredential.UsernamePasswordCredential.Password
AZURE_TENANT_ID                    DefaultAzureCredentialOptions.InteractiveBrowserTenantId
                                   DefaultAzureCredentialOptions.SharedTokenCacheTenantId
                                   DefaultAzureCredentialOptions.VisualStudioTenantId
                                   DefaultAzureCredentialOptions.VisualStudioCodeTenantId
                                   EnvironmentCredential.ClientSecretCredential.TenantId
                                   EnvironmentCredential.UsernamePasswordCredential.TenantId
                                   EnvironmentCredential.ClientCertificateCredential.TenantId
AZURE_CLIENT_ID                    AzureApplicationCredentialOptions.ManagedIdentityClientId
                                   DefaultAzureCredentialOptions.ManagedIdentityClientId
                                   EnvironmentCredential.ClientSecretCredential.ClientId
                                   EnvironmentCredential.UsernamePasswordCredential.ClientId
                                   EnvironmentCredential.ClientCertificateCredential.ClientId
AZURE_CLIENT_SECRET                EnvironmentCredential.ClientSecretCredential.ClientSecret
AZURE_CLIENT_CERTIFICATE_PATH      EnvironmentCredential.ClientCertificateCredential.ClientCertificatePath
IDENTITY_ENDPOINT                  AppServiceV2019ManagedIdentitySource
                                   AzureArcManagedIdentitySource
                                   ServiceFabricManagedIdentitySource
IDENTITY_HEADER                    AppServiceV2019ManagedIdentitySource
                                   ServiceFabricManagedIdentitySource
MSI_ENDPOINT                       AppServiceV2017ManagedIdentitySource
                                   CloudShellManagedIdentitySource
MSI_SECRET                         AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT                      AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT         ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST  ImdsManagedIdentitySource
AZURE_AUTHORITY_HOST               All OAuth credential types                                                https://login.microsoftonline.com/
AZURE_REGIONAL_AUTHORITY_NAME      ClientCertificateCredentialOptions.RegionalAuthority
                                   ClientSecretCredentialOptions.RegionalAuthority

I hope this helps you on your Azure solution building journey.

Please leave a comment or contact me if you get stuck or have any feedback.

Thanks,
Jon
