Task 05: Configure Environment Variables
DOCUMENT CATEGORY: Runbook Step
SCOPE: CI/CD pipeline variable configuration
PURPOSE: Configure environment variables for Azure authentication
MASTER REFERENCE: See platform-specific docs below
Status: Active
Objective
Configure CI/CD pipeline environment variables for each target Azure subscription.
Prerequisites
- Environments created (Task 04)
- Bootstrap values from Task 01 (ARM_CLIENT_ID, ARM_CLIENT_SECRET)
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| Tenant ID | azure.tenant_id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Subscription ID | azure.subscription.id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| SPN Client ID | identity.service_principal.app_id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| SPN Client Secret | keyvault://<vault>/automation-spn-secret | (Key Vault reference) |
Required Variables
Configure the following variables for each target Azure subscription:
| Variable | Description | Sensitivity |
|---|---|---|
| ARM_TENANT_ID | Entra ID tenant ID | Masked |
| ARM_SUBSCRIPTION_ID | Azure subscription ID | Masked |
| ARM_CLIENT_ID | azurelocal-cicd App Registration ID (from Task 01) | Masked |
| ARM_CLIENT_SECRET | azurelocal-cicd App Registration secret (from Task 01) | Secret |
Procedure
- GitHub
- GitLab
- Azure DevOps
GitHub: Configure Repository Secrets
- Navigate to your repository → Settings → Secrets and variables → Actions
- Click New repository secret for each variable:
| Secret Name | Value |
|---|---|
| ARM_TENANT_ID | Entra ID tenant ID |
| ARM_SUBSCRIPTION_ID | Azure subscription ID |
| ARM_CLIENT_ID | App Registration client ID |
| ARM_CLIENT_SECRET | App Registration client secret |
Environment-Scoped Secrets (Recommended)
For multi-environment deployments, use environment-scoped secrets:
- Go to Settings → Environments → select environment (e.g. azr-prod-us)
- Under Environment secrets, click Add secret
- Add environment-specific values for ARM_SUBSCRIPTION_ID (and others if they differ per environment)
Tip: Repository-level secrets apply to all environments. Use environment secrets to override per environment.
GitLab: Configure CI/CD Variables
- Navigate to Settings → CI/CD
- Expand Variables
- Click Add variable for each required variable:
| Variable | Type | Environments | Flags | Value |
|---|---|---|---|---|
| ARM_TENANT_ID | Variable | Select target environment | Masked | Entra ID tenant ID |
| ARM_SUBSCRIPTION_ID | Variable | Select target environment | Masked | Azure subscription ID |
| ARM_CLIENT_ID | Variable | Select target environment | Masked | azurelocal-cicd App Registration ID (from Task 01) |
| ARM_CLIENT_SECRET | Variable | Select target environment | Masked | azurelocal-cicd App Registration secret (from Task 01) |
Tip: Scope variables to specific environments to support multi-subscription deployments.
Azure DevOps: Create Variable Group
- Navigate to Pipelines → Library
- Click + Variable group
- Name it: azure-credentials-<environment> (e.g. azure-credentials-azr-prod-us)
- Add variables:
| Variable | Value | Lock |
|---|---|---|
| ARM_TENANT_ID | Entra ID tenant ID | 🔒 |
| ARM_SUBSCRIPTION_ID | Azure subscription ID | 🔒 |
| ARM_CLIENT_ID | App Registration client ID | 🔒 |
| ARM_CLIENT_SECRET | App Registration client secret | 🔒 |
- Click Save
Link to Pipeline
Reference the variable group in your pipeline YAML:
```yaml
variables:
- group: azure-credentials-azr-prod-us
```
Tip: Create separate variable groups per environment and link them using pipeline stages.
Verification
- All required variables configured per environment
- Sensitive values are masked/secret
- Variables scoped to correct environments
- Test pipeline can authenticate to Azure
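A pre-flight check for the first items of this checklist, written as an added example (it is not one of the azurelocal-toolkit scripts). The function names `is_guid` and `check_arm_env` are hypothetical; the check reports variable names only, so no value reaches the job log.

```shell
#!/bin/sh
# Added example: validate the four ARM_* pipeline variables before any Azure login.
# Findings name the variable but never print its value.

is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env: returns 0 when all four variables look usable, 1 otherwise.
# Writes one finding per line to stdout.
check_arm_env() {
    rc=0
    for name in ARM_TENANT_ID ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
        eval "val=\${$name-}"   # names are fixed literals above, so eval is safe here
        if [ -z "$val" ]; then
            echo "$name: missing or empty"; rc=1; continue
        fi
        case $val in
            *[[:space:]]*)
                echo "$name: contains whitespace (paste error?)"; rc=1; continue ;;
        esac
        if [ "$name" = ARM_CLIENT_SECRET ]; then
            # A GUID here usually means the secret's ID was stored, not its value.
            if is_guid "$val"; then
                echo "$name: looks like a GUID (secret ID, not secret value?)"; rc=1
            fi
        elif ! is_guid "$val"; then
            echo "$name: not a GUID"; rc=1
        fi
    done
    return $rc
}

# Usage as the first pipeline step:  check_arm_env || exit 1
```

A variable scoped to a different environment than the running job shows up here as "missing or empty", which separates scoping mistakes from authentication failures.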
References
- GitHub
- GitLab
- Azure DevOps
Scripts for this task are located in the azurelocal-toolkit repository under scripts/deploy/ in the appropriate task folder.
Alternatives
The procedures in this task use the scripted methods shown in the tabs above. Additional deployment methods including Azure CLI and Bash scripts are available in the azurelocal-toolkit repository under scripts/deploy/.
| Method | Description |
|---|---|
| Azure CLI | PowerShell-based Azure CLI scripts for Azure resource operations |
| Bash | Linux/macOS compatible shell scripts for pipeline environments |
Troubleshooting
| Issue | Cause | Resolution |
|---|---|---|
| Variable group not accessible | Pipeline authorization missing | Authorize the pipeline to use the variable group |
| Secret variables not resolving | Key vault integration misconfigured | Verify key vault access policy and service connection |
Version Control
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0.0 | 2025-03-25 | Azure Local Cloud | Initial release |