
elegant-stone-54832

06/02/2021, 6:54 PM
Is there any chance to use Azure CLI to authenticate against Azure BlobStorage when using it as a custom pulumi backend?

worried-knife-31967

06/02/2021, 9:08 PM
You mean storing state in blob storage? Then using the CLI to generate a SASKey?

elegant-stone-54832

06/02/2021, 9:29 PM
u mean using Azure CLI to generate SASKey?

worried-knife-31967

06/03/2021, 8:42 AM
Yes, that's what we do.

elegant-stone-54832

06/03/2021, 8:44 AM
where do you store this secret?

better-shampoo-48884

06/03/2021, 5:50 PM
I set this:
AZURE_KEYVAULT_AUTH_VIA_CLI=true
AZURE_STORAGE_ACCOUNT=the-name-of-the-storage-account-resource
AZURE_STORAGE_KEY=one-of-the-two-storage-keys-on-the-keyvault-not-a-url-to-anything
AZURE_STORAGE_KEY being one of these two:
and a good place to store that for ci/cd would be keyvault

elegant-stone-54832

06/03/2021, 6:13 PM
@better-shampoo-48884 thank you for your reply. My question is, why is this so complicated, when it could be so much easier? Imo pulumi should just enable Azure AD authentication for blob storage. Then I could just use the user/principal of Azure CLI. Or am I overseeing something here?

better-shampoo-48884

06/03/2021, 6:44 PM
I think it's fairly typical to use these keys for integration work. And when dealing with ci/cd, it's typically system-to-system integration - and it seems like keys are the preferred option when it comes to storage accounts. "go figure".

elegant-stone-54832

06/03/2021, 8:23 PM
@better-shampoo-48884 It may be typical to use SAS tokens, but it is generally good practice to avoid any secrets. Also Microsoft is recommending to not use SAS, but use Azure AD instead. "Azure AD provides superior security and ease of use over Shared Key for authorizing requests to Blob storage. For more information, see Authorize access to Azure blobs and queues using Azure Active Directory." (https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations#identity-and-access-management)
Maybe @tall-librarian-49374 can shed some light here.