nextflow-io · pditommaso · May 22, 2025 · May 15, 2025 · May 16, 2025 · May 21, 2025
@@ -34,6 +34,14 @@ The value of `sasToken` is the token stripped by the character `?` from the begi
 
 Once the Blob Storage credentials are set, you can access the files in the blob container like local files by prepending the file path with `az://` followed by the container name. For example, a blob container named `my-data` with a file named `foo.txt` can be specified in your Nextflow script as `az://my-data/foo.txt`.
 
+:::{tip}
+Nextflow will use the following environment variables if storage settings are not provided in the Nextflow config file:
+
+- `AZURE_STORAGE_ACCOUNT_NAME`: The name of your Azure Storage account.
+- `AZURE_STORAGE_ACCOUNT_KEY`: The access key for your Azure Storage account.
+- `AZURE_STORAGE_SAS_TOKEN`: A shared access signature (SAS) token for Azure Storage access.
+:::
+
 ## Azure File Shares
 
 *New in `nf-azure` version `0.11.0`*
@@ -155,6 +163,13 @@ Replacing `<PIPELINE NAME>` with a pipeline name e.g. `nextflow-io/rnaseq-nf` an
 
 See the [Batch documentation](https://docs.microsoft.com/en-us/azure/batch/quick-create-portal) for further details about the configuration for Azure Batch.
 
+:::{tip}
+Nextflow will use the following environment variables if the Batch settings are not provided in the Nextflow config file:
+
+- `AZURE_BATCH_ACCOUNT_NAME`: The name of your Azure Batch account.
+- `AZURE_BATCH_ACCOUNT_KEY`: The access key for your Azure Batch account.
+:::
+
 ### Autopools
 
 When using the `autoPoolMode` option, Nextflow automatically creates a `pool` of compute nodes appropriate for your pipeline.
@@ -387,6 +402,13 @@ The private registry is an addition, not a replacement, to the existing configur
 When using containers hosted in a private registry, the registry name must also be provided in the container name specified via the {ref}`container <process-container>` directive using the format: `[server]/[your-organization]/[your-image]:[tag]`. Read more about fully qualified image names in the [Docker documentation](https://docs.docker.com/engine/reference/commandline/pull/#pull-from-a-different-registry).
 :::
 
+:::{tip}
+Nextflow will use the following environment variables if the registry credentials are not provided in the Nextflow config file:
+
+- `AZURE_REGISTRY_USER_NAME`: The username for Azure Container Registry authentication
+- `AZURE_REGISTRY_PASSWORD`: The password for Azure Container Registry authentication
+:::
+
 ### Virtual Network
 
 :::{versionadded} 23.03.0-edge
@@ -526,6 +548,12 @@ azure {
 }
 ```
 
+:::{note}
+Nextflow will use the following environment variable if the managed identity setting is not provided in the Nextflow config file:
+
+- `AZURE_MANAGED_IDENTITY_SYSTEM`: When set to `true`, enables system-assigned managed identity.
+:::
+
 #### User Assigned Managed Identity
 
 A system-assigned managed identity is essentially 'anonymous' and is tied to a single resource. By comparison, a user-assigned managed identity is created by the user and can be assigned to multiple resources, furthermore the lifecycle of a user-assigned managed identity is not tied to the resource. See [the Azure Documentation](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/managed-identity-best-practice-recommendations#choosing-system-or-user-assigned-managed-identities) for further details.
@@ -556,6 +584,12 @@ azure {
 }
 ```
 
+:::{note}
+Nextflow will use the following environment variable if the managed identity client ID is not provided in the Nextflow config file:
+
+- `AZURE_MANAGED_IDENTITY_USER`: The client ID for a user-assigned managed identity.
+:::
+
 (azure-service-principal)=
 
 ### Service Principals
@@ -586,6 +620,14 @@ azure {
 }
 ```
 
+:::{note}
+Nextflow will use the following environment variables if the service principal settings are not provided in the Nextflow config file:
+
+- `AZURE_CLIENT_ID`: The service principal client ID (also known as application ID).
+- `AZURE_CLIENT_SECRET`: The service principal secret key.
+- `AZURE_TENANT_ID`: The Azure Active Directory tenant ID.
+:::
+
 ## Advanced configuration
 
 Read the {ref}`Azure configuration<config-azure>` section to learn more about advanced configuration options.
@@ -294,13 +294,13 @@ Read the {ref}`azure-page` page for more information.
 The following settings are available:
 
 `azure.activeDirectory.servicePrincipalId`
-: The service principal client ID
+: The service principal client ID. Defaults to environment variable `AZURE_CLIENT_ID`.
 
 `azure.activeDirectory.servicePrincipalSecret`
-: The service principal client secret
+: The service principal client secret. Defaults to environment variable `AZURE_CLIENT_SECRET`.
 
 `azure.activeDirectory.tenantId`
-: The Azure tenant ID
+: The Azure tenant ID. Defaults to environment variable `AZURE_TENANT_ID`.
 
 `azure.azcopy.blobTier`
 : The blob [access tier](https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview) used by `azcopy` to upload files to Azure Blob Storage. Valid options are `None`, `Hot`, or `Cool` (default: `None`).
@@ -309,10 +309,10 @@ The following settings are available:
 : The block size (in MB) used by `azcopy` to transfer files between Azure Blob Storage and compute nodes (default: 4).
 
 `azure.batch.accountName`
-: The batch service account name.
+: The batch service account name. Defaults to environment variable `AZURE_BATCH_ACCOUNT_NAME`.
 
 `azure.batch.accountKey`
-: The batch service account key.
+: The batch service account key. Defaults to environment variable `AZURE_BATCH_ACCOUNT_KEY`.
 
 `azure.batch.allowPoolCreation`
 : Enable the automatic creation of batch pools specified in the Nextflow configuration file (default: `false`).
@@ -415,10 +415,10 @@ The following settings are available:
 : Specify the virtual machine type used by the pool identified with `<name>`.
 
 `azure.managedIdentity.clientId`
-: Specify the client ID for an Azure [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview). See {ref}`azure-managed-identities` for more details.
+: Specify the client ID for an Azure [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview). See {ref}`azure-managed-identities` for more details. Defaults to environment variable `AZURE_MANAGED_IDENTITY_USER`.
 
 `azure.managedIdentity.system`
-: When `true`, use the system-assigned [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) to authenticate Azure resources. See {ref}`azure-managed-identities` for more details.
+: When `true`, uses the system-assigned [managed identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) to authenticate Azure resources. See {ref}`azure-managed-identities` for more details. Defaults to environment variable `AZURE_MANAGED_IDENTITY_SYSTEM`.
 
 `azure.registry.server`
 : Specify the container registry from which to pull the Docker images (default: `docker.io`).