06/22/2023, 3:47 PM
👋 Hello folks, I need to use the azure-cli and pulumi in a CD pipeline execution context. What’s the Azure idiomatic way to deal with authentication? Should I use a Service Principal to this end?


06/22/2023, 4:02 PM
I use a combination of Pulumi access key and Azure AD Service Principal that I assign Azure RBAC roles to allow it to interact with the subscription. Can use the CLI to create one:

az ad sp create-for-rbac --name sp-REPLACE-WITH-NAME
you can create a provider resource that has all of those details once created as well:

// Explicit azure-native provider built from the Service Principal credentials
var provider = new Pulumi.AzureNative.Provider(pulumiName, new Pulumi.AzureNative.ProviderArgs
{
    SubscriptionId = subscriptionId,
    ClientId = servicePrincipalId,
    ClientSecret = servicePrincipalSecret,
    TenantId = tenantId,
});
store those values in your pulumi configuration files:
pulumi config set azure-native:clientId $ARM_CLIENT_ID
pulumi config set azure-native:clientSecret $ARM_CLIENT_SECRET --secret
pulumi config set azure-native:tenantId $ARM_TENANT_ID
pulumi config set azure-native:subscriptionId $ARM_SUBSCRIPTION_ID
can reference them in your code using:

// Read from the "azure-native" config namespace, which is where the
// `pulumi config set azure-native:...` commands above stored the values
private static Pulumi.Config config = new Pulumi.Config("azure-native");
var subscriptionId = config.Get("subscriptionId");
I use GitHub Actions for my CD … and I store the object returned from the CLI call in a GH repo secret and reference that in my step that logs in to Azure

      # Log in to Azure
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}


06/22/2023, 4:23 PM
In addition to Patrick's answer, Pulumi now supports OIDC for Azure providers, so you don't even need to use the service principal secret in your pipeline. I think this would even be better in terms of security, but what Patrick explained with a secret works as well.


06/22/2023, 7:19 PM
Pretty cool. Thanks @icy-doctor-13719 and @millions-journalist-34868