Azure Identity 202 - Environment Variables
source link: https://blog.jongallant.com/2021/08/azure-identity-202/?utm_campaign=Feed%3A+jongallant+%28Jon+Gallant%29
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Azure Identity 202 - Environment Variables
"Azure Identity 202"
Azure Identity is a library that abstracts away all of the Azure authentication complexities so you can focus on building your solutions.
In Azure Identity 101, I introduced DefaultAzureCredential
, which is a chain of credential types that will try a slew of local development credentials, like Azure CLI, and a slew of production credential types like Managed Identity.
The one-liner to get started with DefaultAzureCredential
looks like this:
var client = new SecretClient(vaultUri, new DefaultAzureCredential());
In Azure Identity 201, I brought you through the various options available to you when using DefaultAzureCredential
. For example, to use a specific user-assigned Managed Identity client Id you’d use the following code.
var client = new SecretClient(vaultUri,
new DefaultAzureCredential(
new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }
)
);
In this Azure Identity 202 post, we’ll go through all of the environment variables available to you when using Azure Identity. Using environment variables allows you to easily change the option values without having to change code.
The order of precedence for how Azure Identity reads the values is the following:
- Property values
- Environment variables
Azure Identity will first read in the property values that are set in code, if they are not set in code, it will then look for values in envrionment variables.
For example, here’s the code in the Azure Identity library that gets ManagedIdentityClientId
:
public string ManagedIdentityClientId { get; set; } = GetNonEmptyStringOrNull(EnvironmentVariables.ClientId);
Source: DefaultAzureCredentialOptions.cs
You are also free to configure your own environment variables with your own names - but, you shouldn’t have to (unless dictated by your company’s security policies).
Azure Identity Environment Variables
Azure Identity allows you to set properties via default environment variables. We have standardized on the AZURE_
prefix for environment names (when possible). For example, to set ManagedIdentityClientId
via environment variables, just set AZURE_CLIENT_ID
and Azure Identity will set it.
You can view all of the current environment variables by going directly to the source: EnvironmentVariables.cs
DefaultAzureCredentialOptions Environment Variables
DefaultAzureCredential
will, by default, populate the following properties for DefaultAzureCredentialOptions
from environment variables:
InteractiveBrowserTenantId
AZURE_TENANT_ID
SharedTokenCacheTenantId
AZURE_TENANT_ID
VisualStudioTenantId
AZURE_TENANT_ID
VisualStudioCodeTenantId
AZURE_TENANT_ID
SharedTokenCacheUsername
AZURE_USERNAME
ManagedIdentityClientId
AZURE_CLIENT_ID
AuthorityHost
AZURE_AUTHORITY_HOST
EnvironmentCredential Environment Variables
EnvironmentCredential
is the first credential type that DefaultAzureCredential
will attempt to get a token from. The following environment variables will also be inspected when you use DefaultAzureCredential
.
EnvironmentCredential
is comprised of 3 credential types: ClientSecretCredential
, UsernamePasswordCredential
, and ClientCertificateCredential
.
This is what the chain looks like:
DefaultAzureCredential
EnvironmentCredential
-
Property Environment VariableClientSecretCredential
ClientId
AZURE_CLIENT_ID
TenantId
AZURE_TENANT_ID
ClientSecret
AZURE_CLIENT_SECRET
-
Property Environment VariableUsernamePasswordCredential
Username
AZURE_USERNAME
Password
AZURE_PASSWORD
ClientId
AZURE_CLIENT_ID
TenantId
AZURE_TENANT_ID
-
Property Environment VariableClientCertificateCredential
ClientId
AZURE_CLIENT_ID
TenantId
AZURE_TENANT_ID
ClientCertificatePath
AZURE_CLIENT_CERTIFICATE_PATH
-
Managed Identity Environment Variables
You can set the client Id to be used by ManagedIdentityCredential
via the AZURE_CLIENT_ID
environment variable.
You can also set the following Managed Identity environment variables. You can find more info about these standard variables here: How to use managed identities for App Service and Azure Functions
Environment Variable PropertyAZURE_CLIENT_ID
DefaultAzureCredentialOptions.ManagedIdentityClientId
IDENTITY_ENDPOINT
AppServiceV2019ManagedIdentitySource
AzureArcManagedIdentitySource
ServiceFabricManagedIdentitySource
IDENTITY_HEADER
AppServiceV2019ManagedIdentitySource
ServiceFabricManagedIdentitySource
MSI_ENDPOINT
AppServiceV2017ManagedIdentitySource
CloudShellManagedIdentitySource
MSI_SECRET
AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT
AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT
ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST
ImdsManagedIdentitySource
By Environment Variable Name
Here’s a complete list of all the Environment variables that Azure Identity uses.
Environment Variable
Property
Default Value
AZURE_USERNAME
DefaultAzureCredentialOptions.SharedTokenCacheUsername
EnvironmentCredential.UsernamePasswordCredential.Username
AZURE_PASSWORD
EnvironmentCredential.UsernamePasswordCredential.Password
AZURE_TENANT_ID
DefaultAzureCredentialOptions.InteractiveBrowserTenantId
DefaultAzureCredentialOptions.SharedTokenCacheTenantId
DefaultAzureCredentialOptions.VisualStudioTenantId
DefaultAzureCredentialOptions.VisualStudioCodeTenantId
EnvironmentCredential.ClientSecretCredential.TenantId
EnvironmentCredential.UsernamePasswordCredential.TenantId
EnvironmentCredential.ClientCertificateCredential.TenantId
AZURE_CLIENT_ID
AzureApplicationCredentialOptions.ManagedIdentityClientId
DefaultAzureCredentialOptions.ManagedIdentityClientId
EnvironmentCredential.ClientSecretCredential.ClientId
EnvironmentCredential.UsernamePasswordCredential.ClientId
EnvironmentCredential.ClientCertificateCredential.ClientId
AZURE_CLIENT_SECRET
EnvironmentCredential.ClientSecretCredential.ClientSecret
AZURE_CLIENT_CERTIFICATE_PATH
EnvironmentCredential.ClientCertificateCredential.ClientCertificatePath
IDENTITY_ENDPOINT
AppServiceV2019ManagedIdentitySource
AzureArcManagedIdentitySource
ServiceFabricManagedIdentitySource
IDENTITY_HEADER
AppServiceV2019ManagedIdentitySource
ServiceFabricManagedIdentitySource
MSI_ENDPOINT
AppServiceV2017ManagedIdentitySource
CloudShellManagedIdentitySource
MSI_SECRET
AppServiceV2017ManagedIdentitySource
IMDS_ENDPOINT
AzureArcManagedIdentitySource
IDENTITY_SERVER_THUMBPRINT
ServiceFabricManagedIdentitySource
AZURE_POD_IDENTITY_AUTHORITY_HOST
ImdsManagedIdentitySource
AZURE_AUTHORITY_HOST
All OAuth credential types
https://login.microsoftonline.com/
AZURE_REGIONAL_AUTHORITY_NAME
ClientCertificateCredentialOptions.RegionalAuthority
ClientSecretCredentialOptions.RegionalAuthority
I hoped this help you on your Azure solution building journey.
Please leave a comment or contact me if you get stuck or have any feedback.
Thanks,
Jon
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK