Azure Authentication and Authorization
Terrateam needs permission to access resources in your Azure account.
Credentials are never stored on our servers.
Prerequisites
These instructions require you to run commands from a terminal.
Create a Terrateam Service Principal
A dedicated service principal and client secret are used to access Azure resources.
- Log in to the Azure CLI
az login
- Get your Subscription ID
az account list
Example output:
[
{
"cloudName": "AzureCloud",
"id": "00000000-0000-0000-0000-000000000000",
"isDefault": true,
"name": "PAYG Subscription",
"state": "Enabled",
"tenantId": "00000000-0000-0000-0000-000000000000",
"user": {
"name": "user@example.com",
"type": "user"
}
}
]
The id field is your subscription ID.
- Export your Subscription ID
export SUBSCRIPTION_ID="<subscription-id>"
- Set the Subscription ID
az account set --subscription "$SUBSCRIPTION_ID"
- Create a terrateam service principal
az ad sp create-for-rbac --role="Contributor" \
--scopes="/subscriptions/$SUBSCRIPTION_ID"
Contributor is an Azure built-in role. This role grants full access to manage all resources,
but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints,
or share image galleries.
This role is merely a suggestion. Choose whichever role makes the most sense for your organization.
Example output:
{
"appId": "00000000-0000-0000-0000-000000000000",
"displayName": "azure-cli-2017-06-05-10-41-15",
"name": "http://azure-cli-2017-06-05-10-41-15",
"password": "0000-0000-0000-0000-000000000000",
"tenant": "00000000-0000-0000-0000-000000000000"
}
The Azure Terraform provider uses different variable names for the above values. See mapping below.
Record the following to use below:
- appId maps to ARM_CLIENT_ID
- password maps to ARM_CLIENT_SECRET
- tenant maps to ARM_TENANT_ID
Add Credentials to GitHub Secrets
Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action runtime environment.
- Export your Terraform repository's organization/repo combination as an environment variable.
For example:
export REPO="<OWNER/REPO>"
- Create the Azure Subscription ID GitHub Secret
gh secret --repo "$REPO" set ARM_SUBSCRIPTION_ID --body "$SUBSCRIPTION_ID"
- Create the Azure Client ID (appId) GitHub Secret
gh secret --repo "$REPO" set ARM_CLIENT_ID
- Create the Azure Client Secret (password) GitHub Secret
gh secret --repo "$REPO" set ARM_CLIENT_SECRET
- Create the Azure Tenant ID (tenant) GitHub Secret
gh secret --repo "$REPO" set ARM_TENANT_ID
When --body is omitted, gh secret set reads the value from standard input, so the client secret can be pasted at the prompt instead of being typed on the command line.
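The steps above combined into one script, as an added example that is not Terrateam's own tooling: the JSON from az is held in a shell variable, its fields are mapped to the ARM_* names the provider expects, and each value is piped to gh secret set on stdin so the client secret never appears as a command-line argument. The function names are hypothetical; the only assumption about az is its one-key-per-line JSON output shown above.

```shell
#!/bin/sh
# Added example, not Terrateam's own tooling: the steps above as one script.
# The field names (appId, password, tenant) are what az prints; the ARM_*
# names are the variables the Azure Terraform provider reads.
set -eu

# Extract one top-level string field from az's pretty-printed JSON.
# Relies on az's one-key-per-line output, so no jq is needed.
json_field() {
  printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# Map the service-principal output to the provider's variable names.
# Output contains the client secret: consume it on a pipe, never log it.
sp_to_arm_env() {
  printf 'ARM_CLIENT_ID=%s\n'     "$(json_field "$1" appId)"
  printf 'ARM_CLIENT_SECRET=%s\n' "$(json_field "$1" password)"
  printf 'ARM_TENANT_ID=%s\n'     "$(json_field "$1" tenant)"
}

# Store NAME=VALUE lines as GitHub secrets. Each value is fed to gh on
# stdin, so it never appears as an argument in ps output or shell history.
store_arm_secrets() {            # $1 = OWNER/REPO, $2 = NAME=VALUE lines
  printf '%s\n' "$2" | while IFS='=' read -r name value; do
    [ -n "$name" ] || continue
    printf '%s' "$value" | gh secret --repo "$1" set "$name"
  done
}

# Create the service principal scoped to a single subscription and store
# its credentials. The role is a parameter so a narrower built-in role
# than Contributor can be chosen.
provision_terrateam_sp() {       # $1 = subscription id, $2 = OWNER/REPO, $3 = role
  az account set --subscription "$1"
  sp_json=$(az ad sp create-for-rbac --role="${3:-Contributor}" \
              --scopes="/subscriptions/$1" --output json)
  printf '%s' "$1" | gh secret --repo "$2" set ARM_SUBSCRIPTION_ID
  store_arm_secrets "$2" "$(sp_to_arm_env "$sp_json")"
  unset sp_json
}

# Usage: sh provision.sh <subscription-id> <OWNER/REPO> [role]
if [ "$#" -ge 2 ]; then
  provision_terrateam_sp "$@"
fi
```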
Azure Terraform Provider
The Azure Terraform provider will detect and use the ARM_* GitHub Secrets that are automatically set in the Terrateam GitHub Action runtime environment.