Hi Reuben, in our pipeline templates we use an SSL cert, setting up a few env variables in an AzureCli@2 inline script task:
# Variables required by Pulumi's Azure providers.
$certLocalPath = "${{ variables.cert_local_path }}"
Write-Host "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)"
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_CERTIFICATE_PATH]$certLocalPath"
Write-Host "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)"
Write-Host "##vso[task.setvariable variable=AZURE_CLIENT_ID]$env:servicePrincipalId"
Write-Host "##vso[task.setvariable variable=AZURE_TENANT_ID]$env:tenantId"
Write-Host "##vso[task.setvariable variable=AZURE_CERTIFICATE_PATH]$certLocalPath"
Then we download the service principal cert to $certLocalPath:
inlineScript: |
  $certData = try { [Convert]::FromBase64String('$(PRIMARYSERVICEPRINCIPALCERTIFICATE)') } catch {}
  if ($certData) {
    Write-Host '--- Decode & create service principal certificate ---'
    Set-Content ${{ variables.cert_local_path }} -Value $certData -AsByteStream
  } else {
    Write-Host '--- Certificate data is missing or invalid. Skipping certificate file creation. ---'
    Write-Host '--- This is fine if your pipeline does not create any Azure resources. ---'
  }
Of course, RBAC perms for the principal are required. We bootstrap that via Pulumi as well on a different stack...
Hope this helps!
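
A hardened variant of the decode-and-write step described in the post above, as an added example that is not part of the original post or of Pulumi's tooling: it parses the certificate before writing it, restricts the file's permissions, and deletes it when the work is done. The function names and the sample certificate are hypothetical; it assumes PowerShell 7+ and that the secret is a base64-encoded PFX without a password.

```powershell
# Added example; function names are hypothetical. Assumes PowerShell 7+ and an unencrypted PFX.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Save-ServicePrincipalCert {
    param([string]$Base64Pfx, [string]$Path)
    try { $bytes = [Convert]::FromBase64String($Base64Pfx) }
    catch { throw 'Certificate secret is not valid base64.' }
    # Parse before writing, so a truncated or wrong secret fails here
    # with a clear message instead of later inside the provider.
    $cert = [X509Certificate2]::new([byte[]]$bytes)
    try {
        if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; it cannot authenticate.' }
        if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
        $thumbprint = $cert.Thumbprint
    } finally { $cert.Dispose() }
    Set-Content -Path $Path -Value $bytes -AsByteStream
    # On Linux/macOS agents, make the key file readable by the agent user only.
    if (-not $IsWindows) { chmod 600 $Path }
    return $thumbprint
}

function Remove-ServicePrincipalCert {
    param([string]$Path)
    if (Test-Path $Path) { Remove-Item $Path -Force }
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the pipeline secret, so the script runs offline.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=constructed-sample', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$pfx = $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1)).Export([X509ContentType]::Pfx)
$sample = [Convert]::ToBase64String($pfx)

# Agent.TempDirectory is cleaned by the agent after each job; fall back to the OS temp dir locally.
$dir = $env:AGENT_TEMPDIRECTORY ?? [IO.Path]::GetTempPath()
$path = Join-Path $dir 'sp-cert-sample.pfx'
try {
    $thumb = Save-ServicePrincipalCert -Base64Pfx $sample -Path $path
    Write-Host "Wrote certificate $thumb to $path"
    # The deployment step would run here with ARM_CLIENT_CERTIFICATE_PATH set to $path.
} finally {
    Remove-ServicePrincipalCert -Path $path   # do not leave the private key on the agent
}
```

When the write and the deployment are separate pipeline steps, the cleanup call belongs in a final step that runs with `condition: always()`.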