Channels
#azure
Title
a
astonishing-exabyte-93491
06/22/2023, 3:47 PM👋 Hello folks,
I need to use the azure-cli and pulumi in a CD pipeline execution context. What’s the Azure idiomatic way to deal with authentication? Should I use a Service Principal to this end?
i
icy-doctor-13719
06/22/2023, 4:02 PMI use a combination of Pulumi access key and Azure AD Service Principal that I assign Azure RBAC roles to allow it to interact with the subscription. Can use
az Copy code
az ad sp create-for-rbac --name sp-REPLACE-WITH-NAMEyou can create a provider resource that has all of those details once created as well:
Copy code
new Pulumi.AzureNative.Provider(pulumiName, new Pulumi.AzureNative.ProviderArgs()
{
SubscriptionId = subscriptionId,
ClientId = servicePrincipalId,
ClientSecret = servicePrincipalSecret,
TenantId = tenantId
});store those values in your pulumi configuration files:
Copy code
pulumi config set azure-native:clientId $ARM_CLIENT_ID
pulumi config set azure-native:clientSecret $ARM_CLIENT_SECRET --secret
pulumi config set azure-native:tenantId $ARM_TENANT_ID
pulumi config set azure-native:subscriptionId $ARM_SUBSCRIPTION_ID Copy code
private static Pulumi.Config config = new Pulumi.Config();
var subscriptionId = config.Get("subscriptionId");i use GitHub Actions for my CD … and I store the object returned from the
az Copy code
# Log in to Azure
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}m
millions-journalist-34868
06/22/2023, 4:23 PMIn addition to Patrck's answer, pulumi now supports OIDC for Azure providers so you don't even need to use the service principal secret in your pipeline https://www.pulumi.com/blog/oidc-with-azure/ I think this would even be better in terms of security but what explained Patrick with a secret works as well.
a
astonishing-exabyte-93491
06/22/2023, 7:19 PMPretty cool.
Thanks @icy-doctor-13719 and @millions-journalist-34868