Environment Variables¶
This page is the reference for environment variables recognized by udp-cicd, and for the variable syntaxes that read from the environment inside udp.yml.
1. Recognized environment variables¶
1.1 Authentication¶
| Variable | Required | Description |
|---|---|---|
AZURE_TENANT_ID |
For SP auth | Entra ID (Azure AD) tenant GUID |
AZURE_CLIENT_ID |
For SP auth | Service principal application (client) ID |
AZURE_CLIENT_SECRET |
For SP auth | Service principal client secret |
FABRIC_USE_BROWSER |
No | Set to true to force interactive browser sign-in |
Credential selection (handled by FabricAuth via Azure.Identity) follows this order:
| Condition | Credential used |
|---|---|
AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET all set |
ClientSecretCredential |
FABRIC_USE_BROWSER=true |
InteractiveBrowserCredential |
| Otherwise | DefaultAzureCredential (managed identity, environment, or az login session) |
1.2 Fabric¶
| Variable | Required | Description |
|---|---|---|
FABRIC_CAPACITY_ID |
No | Capacity GUID used for workspace creation during deploy and init, as an alternative to setting capacity_id in udp.yml. |
1.3 Storage (remote state)¶
| Variable | Required | Description |
|---|---|---|
AZURE_STORAGE_ACCOUNT_NAME |
For azureblob / adls backends |
Storage account name for the Azure Blob or ADLS Gen2 state backend. |
2. Environment variables in udp.yml¶
Reference any environment variable in udp.yml with ${env.VARIABLE_NAME}:
3. Secret variables¶
Reference with ${secret.NAME}:
Secrets are resolved by the SecretsResolver from environment variables at deploy time. The secret. prefix is a convention; it reads from the same environment as ${env.NAME} but marks the value as sensitive.
4. Key Vault variables¶
Reference with ${keyvault.VAULT_NAME.SECRET_NAME}:
Key Vault secrets are fetched through the Azure Key Vault SecretClient and cached for the duration of the run. No additional installation is required; the Azure SDK is built into the tool. The lookup authenticates with the same credential chain described in section 1.1, so the identity must have secret read permission on the vault.
5. Built-in deployment variables¶
The following variables are always available in udp.yml:
| Variable | Value |
|---|---|
${deployment.name} |
Deployment name from deployment.name |
${deployment.version} |
Deployment version from deployment.version |
6. State backend configuration¶
Deployment state (deployment-state.json) can be stored locally or in a remote backend. Configure the backend in udp.yml:
state:
backend: onelake # or: azureblob, adls, local
config:
workspace_id: "guid" # OneLake
lakehouse_id: "guid" # OneLake
account_name: "storage" # azureblob / adls
container_name: "state" # azureblob
filesystem: "state" # adls
account_key: "..." # azureblob (optional, uses DefaultAzureCredential)
| Backend | Storage | Status |
|---|---|---|
local |
JSON file on the local filesystem | Stable |
azureblob |
Azure Blob Storage | Beta |
onelake / adls |
OneLake / ADLS Gen2 | Beta |
Note
For the Blob and ADLS backends, omit
account_keywhere possible so the tool authenticates withDefaultAzureCredentialinstead of a shared key. The account name can also be supplied through theAZURE_STORAGE_ACCOUNT_NAMEenvironment variable.