We actually found another way to handle this via Azure.
Our Azure engineer didn't like the environment variable option... felt it was still too insecure to keep passwords/keys.
We ended up using Azure Key Vault and an Azure VM.
So, we created an Azure 2019 server VM, installed all the Python programs and modules needed on it.
Then, we created an Azure Key Vault to store the various passwords and secrets (the VM and the Key Vault are all in the same Resource Group for simpler management).
We use a hybrid on-prem AD and Azure environment, so this setup was easier because of that.
We ended up giving our AD accounts access to the KeyVault AND we gave the Azure VM itself access to the KeyVault via RBAC (basically, via Managed Identity).
On the VM and on your local laptop, you need to install the Azure-KeyVault-Secrets and Azure-Identity modules.
azure · PyPI
azure-identity · PyPI
This website gives a great breakdown on how the Azure Identity module connects your code to Azure.
Authenticate to Azure from Python | Thomas Stringer (trstringer.com)
Example code:
import os  # used to read the Key Vault name from an environment variable
from azure.keyvault.secrets import SecretClient
from azure.identity import DefaultAzureCredential

# Code that needs to be in your script to connect to the Key Vault.
# DefaultAzureCredential picks whatever credential fits where the script runs:
# managed identity on the Azure VM, your signed-in user on a local laptop.
azureCredentials = DefaultAzureCredential()

# We put the Key Vault name in an environment variable on the local machine.
keyVaultName = os.environ.get('KeyVault')
if not keyVaultName:
    raise RuntimeError("environment variable 'KeyVault' is not set")

# The Key Vault URI, built from the vault name shown in its Azure settings.
KVUri = f'https://{keyVaultName}.vault.azure.net'

# Connects to the Key Vault. The client is created at module level so it can
# be used from anywhere in the script.
client = SecretClient(vault_url=KVUri, credential=azureCredentials)

# You can then retrieve secrets from the Key Vault to use when connecting
# to various systems.
retrievedSecret = client.get_secret('SECRETNAME')
password = retrievedSecret.value
On the Azure VM, it will use managed identity to connect to Azure. On your local laptop, it will use your local user credentials to connect to Azure, which is usually a GUI pop-up.
We were then able to use a local admin account to run our scheduled scripts on the Azure VM via Task Scheduler.
And because of the way the Azure-Identity module works, we don't have to modify our code a single bit to connect to Azure and Key Vault, whether it is running on my local laptop, or on the Azure VM with a local non-domain admin account.
If you use VS Code, there is an Azure Account extension you can use to connect your VS Code program to Azure to use the Azure-Identity module.
Hope this helps some folks out there.
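The pattern described in this post, packaged as a small helper module (an added example, not the poster's code): the vault name is validated before the URL is built, the Azure SDK is only imported where the real client is created, and secret retrieval goes through a minimal interface so the same logic can be exercised with a fake client and no network. Assumptions: the environment variable is called KEY_VAULT_NAME (the post used 'KeyVault'), and the azure-identity and azure-keyvault-secrets packages are installed wherever make_client() runs.

```python
"""Key Vault access via DefaultAzureCredential (added example, not the
original poster's code).

Assumed environment variable: KEY_VAULT_NAME. Assumed packages where the
real client is built: azure-identity, azure-keyvault-secrets.
"""
import os
import re
from typing import Mapping, Optional, Protocol

# Azure Key Vault naming rules: 3-24 characters, letters/digits/hyphens,
# starts with a letter, ends with a letter or digit, no consecutive hyphens.
_VAULT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")


class SecretReader(Protocol):
    """The one method we need from azure.keyvault.secrets.SecretClient."""

    def get_secret(self, name: str): ...


def is_valid_vault_name(name: str) -> bool:
    """True if `name` satisfies the Key Vault naming rules above."""
    return bool(_VAULT_NAME_RE.match(name)) and "--" not in name


def vault_url(vault_name: str) -> str:
    """Build the vault URL; rejects names that cannot be a real vault so a
    typo in the environment does not silently point at a different host."""
    if not is_valid_vault_name(vault_name):
        raise ValueError(f"invalid Key Vault name: {vault_name!r}")
    return f"https://{vault_name}.vault.azure.net"


def vault_url_from_env(env: Mapping[str, str] = os.environ,
                       var: str = "KEY_VAULT_NAME") -> str:
    """Read the vault name from `env[var]` and turn it into the vault URL."""
    name = env.get(var)
    if not name:
        raise RuntimeError(f"environment variable {var} is not set")
    return vault_url(name)


def make_client(url: str):
    """Create the real SecretClient. The Azure SDK is imported here, not at
    module top, so the rest of this module works without it installed.

    DefaultAzureCredential resolves to ManagedIdentityCredential on the VM
    and to the developer's signed-in credentials (CLI, VS Code, browser) on
    a laptop, which is why the calling code is identical in both places."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=url, credential=DefaultAzureCredential())


def fetch_secret(client: SecretReader, name: str) -> str:
    """Return the secret value. Only the *name* appears in the error text,
    never the value, so a failed lookup is safe to log."""
    value: Optional[str] = client.get_secret(name).value
    if value is None:
        raise RuntimeError(f"secret {name!r} has no value")
    return value


def fetch_secrets(client: SecretReader, names: list) -> dict:
    """Fetch several secrets at once; returns {name: value}."""
    return {n: fetch_secret(client, n) for n in names}


class _FakeSecret:
    def __init__(self, value):
        self.value = value


class FakeSecretClient:
    """Constructed stand-in for SecretClient, used for offline testing."""

    def __init__(self, store: dict):
        self._store = store

    def get_secret(self, name: str):
        if name not in self._store:
            raise KeyError(name)
        return _FakeSecret(self._store[name])


if __name__ == "__main__":
    # Real run: same code path on the VM and on a laptop.
    kv = make_client(vault_url_from_env())
    creds = fetch_secrets(kv, ["DB-PASSWORD"])
    print("retrieved secrets:", sorted(creds))  # names only, never values
```

In a scheduled task on the VM the only thing that differs from a laptop run is which credential DefaultAzureCredential lands on; nothing in the calling code changes, which is the property the post relies on. Keeping the SDK imports inside make_client() means the URL-building and retrieval logic can be unit-tested with FakeSecretClient.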