Task 05: Configure Environment Variables
DOCUMENT CATEGORY: Runbook Step
SCOPE: CI/CD pipeline variable configuration
PURPOSE: Configure environment variables for Azure authentication
MASTER REFERENCE: See platform-specific docs below
Status: Active
Applies To: All Azure Local deployments
Last Updated: 2026-03-19
Objective
Configure CI/CD pipeline environment variables for each target Azure subscription.
Prerequisites
- Environments created (Task 04)
- Bootstrap values from Task 01 (ARM_CLIENT_ID, ARM_CLIENT_SECRET)
Variables from variables.yml
| Variable | Config Path | Example |
|---|---|---|
| Tenant ID | azure.tenant_id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| Subscription ID | azure.subscription.id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| SPN Client ID | identity.service_principal.app_id | xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
| SPN Client Secret | keyvault://<vault>/automation-spn-secret | (Key Vault reference) |
Required Variables
Configure the following variables for each target Azure subscription:
| Variable | Description | Sensitivity |
|---|---|---|
| ARM_TENANT_ID | Entra ID tenant ID | Masked |
| ARM_SUBSCRIPTION_ID | Azure subscription ID | Masked |
| ARM_CLIENT_ID | azurelocal-cicd App Registration ID (from Task 01) | Masked |
| ARM_CLIENT_SECRET | azurelocal-cicd App Registration secret (from Task 01) | Secret |
Procedure
- GitHub
- GitLab
- Azure DevOps
Configure Repository Secrets (GitHub)
- Navigate to your repository → Settings → Secrets and variables → Actions
- Click New repository secret for each variable:
| Secret Name | Value |
|---|---|
| ARM_TENANT_ID | Entra ID tenant ID |
| ARM_SUBSCRIPTION_ID | Azure subscription ID |
| ARM_CLIENT_ID | App Registration client ID |
| ARM_CLIENT_SECRET | App Registration client secret |
Environment-Scoped Secrets (Recommended)
For multi-environment deployments, use environment-scoped secrets:
- Go to Settings → Environments → select environment (e.g. azr-prod-us)
- Under Environment secrets, click Add secret
- Add environment-specific values for ARM_SUBSCRIPTION_ID (and others if they differ per environment)
Tip: Repository-level secrets apply to all environments. Use environment secrets to override per environment.
Configure CI/CD Variables (GitLab)
- Navigate to Settings → CI/CD
- Expand Variables
- Click Add variable for each required variable:
| Variable | Type | Environments | Flags | Value |
|---|---|---|---|---|
| ARM_TENANT_ID | Variable | Select target environment | Masked | Entra ID tenant ID |
| ARM_SUBSCRIPTION_ID | Variable | Select target environment | Masked | Azure subscription ID |
| ARM_CLIENT_ID | Variable | Select target environment | Masked | azurelocal-cicd App Registration ID (from Task 01) |
| ARM_CLIENT_SECRET | Variable | Select target environment | Masked | azurelocal-cicd App Registration secret (from Task 01) |
Tip: Scope variables to specific environments to support multi-subscription deployments.
Create Variable Group (Azure DevOps)
- Navigate to Pipelines → Library
- Click + Variable group
- Name it: azure-credentials-<environment> (e.g. azure-credentials-azr-prod-us)
- Add variables:
| Variable | Value | Lock |
|---|---|---|
| ARM_TENANT_ID | Entra ID tenant ID | 🔒 |
| ARM_SUBSCRIPTION_ID | Azure subscription ID | 🔒 |
| ARM_CLIENT_ID | App Registration client ID | 🔒 |
| ARM_CLIENT_SECRET | App Registration client secret | 🔒 |
- Click Save
Link to Pipeline
Reference the variable group in your pipeline YAML:
```yaml
variables:
  - group: azure-credentials-azr-prod-us
```
Tip: Create separate variable groups per environment and link them using pipeline stages.
Verification
- All required variables configured per environment
- Sensitive values are masked/secret
- Variables scoped to correct environments
- Test pipeline can authenticate to Azure
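A pre-flight step for the verification checklist above, as an added example that is not part of the original runbook: it checks that the four ARM_* variables are present and well-formed without printing any value. The function names and demo values are constructed for illustration; the `$(NAME)` check assumes Azure DevOps behaviour, where an unresolved macro is left in place as literal text.

```shell
#!/bin/sh
# Added example: pre-flight check for the four ARM_* variables from this task.
# Prints variable names and problem types only; values are never echoed.

GUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

# check_arm_var NAME KIND: KIND is "guid" for the three IDs, "secret" otherwise.
# Prints one problem line and returns 1, or returns 0 if the value looks sane.
check_arm_var() {
  name=$1; kind=$2
  eval "value=\${$name-}"   # indirect lookup; NAME is always a fixed literal
  if [ -z "$value" ]; then
    echo "$name: not set or empty"; return 1
  fi
  # Azure DevOps leaves an unresolved macro as the literal text $(NAME).
  case $value in
    '$('*) echo "$name: unexpanded pipeline macro"; return 1 ;;
  esac
  # Spaces or a trailing newline usually mean a copy/paste error.
  if [ "$(printf '%s' "$value" | tr -d '[:space:]')" != "$value" ]; then
    echo "$name: contains whitespace"; return 1
  fi
  if [ "$kind" = guid ] && ! printf '%s' "$value" | grep -Eq "$GUID_RE"; then
    echo "$name: not a GUID"; return 1
  fi
  return 0
}

# preflight: returns the number of variables that failed (0 = all four pass).
preflight() {
  failed=0
  check_arm_var ARM_TENANT_ID guid       || failed=$((failed + 1))
  check_arm_var ARM_SUBSCRIPTION_ID guid || failed=$((failed + 1))
  check_arm_var ARM_CLIENT_ID guid       || failed=$((failed + 1))
  check_arm_var ARM_CLIENT_SECRET secret || failed=$((failed + 1))
  return "$failed"
}

# Demo with constructed values (not real credentials), run in a subshell.
# In a pipeline step, replace this with:  preflight || exit 1
(
  export ARM_TENANT_ID=11111111-2222-3333-4444-555555555555
  export ARM_SUBSCRIPTION_ID='xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'  # doc placeholder left in
  export ARM_CLIENT_ID=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  export ARM_CLIENT_SECRET='$(ARM_CLIENT_SECRET)'                    # unmapped secret
  preflight || echo "preflight: $? variable(s) need attention"
)
```

Run it as the first step of the test pipeline so a placeholder or an unmapped secret fails fast, before the Azure login attempt.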