Azure Dynamic provider credentials support #817
Merged
This pull request adds support to manage Azure Dynamic Provider credentials so Terrakube can automatically authenticate with Azure without storing any service principal secret.
Generate Public and Private Key.
To use Azure Dynamic Provider credentials we need to generate a public and private key that will be used to generate and validate the federated tokens; we can use the following commands:
You need to make sure the private key starts with "-----BEGIN PRIVATE KEY-----"; if not, the following command can be used to transform the private key to the correct format:
The public and private key need to be mounted inside the container and the path should be specified in the following environment variables:
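The key-generation and format-check steps above, as an added shell example that is not part of this PR or the Terrakube code base. It assumes `openssl` is installed and that the keys live under a directory of your choosing (`./keys` here); the 2048-bit size and file names are assumptions too. The check distinguishes the PKCS#8 header the PR requires (`-----BEGIN PRIVATE KEY-----`) from the PKCS#1 header (`-----BEGIN RSA PRIVATE KEY-----`) that older `openssl genrsa` builds emit, and converts only that case.

```shell
#!/usr/bin/env bash
# Added example, not part of the Terrakube PR: create the RSA key pair that
# signs the federated tokens and make sure the private key is PKCS#8 PEM
# ("-----BEGIN PRIVATE KEY-----"), the header the PR says Terrakube expects.
# Directory, file names and key size are assumptions for the example.
set -eu

# Classify a PEM private key by its first line.
# Prints: pkcs8 | pkcs1 | encrypted | unknown
pem_key_format() {
  local first
  first=$(head -n 1 "$1")
  case "$first" in
    "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
    "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1 ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# Rewrite a PKCS#1 ("BEGIN RSA PRIVATE KEY") file as unencrypted PKCS#8 in
# place. A key that is already PKCS#8 is left untouched; anything else is an
# error, since an encrypted key cannot be loaded by the server without a
# passphrase and an unknown header is probably not a key at all.
ensure_pkcs8() {
  local key=$1
  case "$(pem_key_format "$key")" in
    pkcs8) ;;
    pkcs1)
      openssl pkcs8 -topk8 -nocrypt -in "$key" -out "$key.pkcs8"
      mv "$key.pkcs8" "$key" ;;
    *) echo "unsupported private key format in $key" >&2; return 1 ;;
  esac
}

# Generate a 2048-bit RSA pair into DIR as private.pem / public.pem.
# genpkey writes PKCS#8 on both OpenSSL 1.1 and 3.x, unlike `openssl genrsa`,
# whose output header depends on the OpenSSL version.
generate_keypair() {
  local dir=$1
  mkdir -p "$dir"
  (
    umask 077   # the private key is a signing key: owner-readable only
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$dir/private.pem" 2>/dev/null
  )
  openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
  ensure_pkcs8 "$dir/private.pem"
  chmod 0644 "$dir/public.pem"
}

# Sanity check before mounting the files into the container: the private key
# has the PKCS#8 header and public.pem really belongs to private.pem (the
# public key exported from each file must be identical).
verify_keypair() {
  local dir=$1
  [ "$(pem_key_format "$dir/private.pem")" = pkcs8 ] || return 1
  local from_priv from_pub
  from_priv=$(openssl pkey -in "$dir/private.pem" -pubout)
  from_pub=$(openssl pkey -pubin -in "$dir/public.pem" -pubout)
  [ -n "$from_priv" ] && [ "$from_priv" = "$from_pub" ]
}

# Usage: generate_keypair ./keys && verify_keypair ./keys && echo "keys ok"
```

The subshell with `umask 077` keeps the private key owner-only from the moment it is written; the public key is what Entra fetches through the public endpoints, so it is world-readable. If `ensure_pkcs8` reports `encrypted`, re-export the key without a passphrase rather than mounting it, because the server has no way to supply one.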
Public Endpoints Requirements
To use Azure Dynamic Provider credentials the following public endpoints were added and need to be accessible so Azure Entra can validate the federated token:
Environment Variables:
The following environment variables were added:
Register Application
We need to register a new application in Microsoft Entra like the following example:
Once we have the application we need to add a federated credential.
Select type "Other" and fill the following information:
You need to grant access to your Azure resources to the application, for example "Contributor" or any other role.
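The three portal steps above (register the application, add a federated credential of type "Other", grant a role) done with the Azure CLI, as an added example that is not part of this PR or of Terrakube. It assumes `az` is installed and logged in, and the issuer, subject and audience values are assumptions: they have to match what your Terrakube instance actually puts in the federated token, which this PR description does not spell out. The scope argument is where least privilege lives: point it at a resource group rather than the whole subscription where the workspace allows it.

```shell
#!/usr/bin/env bash
# Added example, not part of the Terrakube PR: Entra app registration with a
# federated credential, using the Azure CLI instead of the portal. Issuer,
# subject and audience are assumptions and must match the token Terrakube
# issues; they are passed in rather than guessed here.
set -eu

# Build the --parameters document for `az ad app federated-credential create`.
#   issuer   = public base URL of the Terrakube server (Entra fetches the
#              OIDC discovery document and signing keys from it)
#   subject  = the "sub" claim Terrakube puts in the token for the workspace
#   audience = the "aud" claim; Entra rejects a token whose aud is not listed
# Values containing '"' or '\' are rejected instead of being escaped, so a
# typo cannot silently change the JSON.
federated_credential_json() {
  local name=$1 issuer=$2 subject=$3 audience=$4 v
  for v in "$name" "$issuer" "$subject" "$audience"; do
    case "$v" in
      *\"*|*\\*) echo "quotes and backslashes are not allowed in: $v" >&2; return 1 ;;
    esac
  done
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"],"description":"Terrakube dynamic credentials"}\n' \
    "$name" "$issuer" "$subject" "$audience"
}

# Refuse inputs that would make the trust weaker or broader than intended:
# the issuer must be https (Entra fetches keys from it), and an empty subject
# or audience is almost always a copy/paste mistake rather than a wildcard.
validate_federated_inputs() {
  local issuer=$1 subject=$2 audience=$3
  case "$issuer" in
    https://*) ;;
    *) echo "issuer must be an https URL, got: $issuer" >&2; return 1 ;;
  esac
  [ -n "$subject" ]  || { echo "subject is empty" >&2; return 1; }
  [ -n "$audience" ] || { echo "audience is empty" >&2; return 1; }
}

# Register the app, create its service principal, attach the federated
# credential and assign a role at SCOPE (e.g. a resource group id). Prints the
# client and tenant ids the workspace needs. ROLE defaults to Contributor,
# matching the PR's example; prefer a narrower built-in role when one fits.
register_terrakube_app() {
  local display_name=$1 issuer=$2 subject=$3 audience=$4 scope=$5 role=${6:-Contributor}
  validate_federated_inputs "$issuer" "$subject" "$audience"
  local app_id sp_id params tenant_id
  app_id=$(az ad app create --display-name "$display_name" --query appId -o tsv)
  sp_id=$(az ad sp create --id "$app_id" --query id -o tsv)
  params=$(mktemp)
  federated_credential_json "terrakube" "$issuer" "$subject" "$audience" > "$params"
  az ad app federated-credential create --id "$app_id" --parameters "$params" >/dev/null
  rm -f "$params"
  az role assignment create --role "$role" --assignee-object-id "$sp_id" \
    --assignee-principal-type ServicePrincipal --scope "$scope" >/dev/null
  tenant_id=$(az account show --query tenantId -o tsv)
  printf 'client_id=%s\ntenant_id=%s\n' "$app_id" "$tenant_id"
}

# Usage (values are placeholders):
# register_terrakube_app terrakube-prod https://terrakube.example.com \
#   "org:acme:workspace:prod" "api://AzureADTokenExchange" \
#   "/subscriptions/<subscription-id>/resourceGroups/<rg>"
```

Each run of `register_terrakube_app` creates a new app registration, so run it once per Terrakube identity you want and keep the printed ids for the workspace variables. The subject is what binds the Entra trust to one workspace: if every workspace presents the same subject, every workspace gets the same Azure role.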
Inside our workspace you will have to add the following environment variables:
When running a job Terrakube will correctly authenticate to Azure without any credentials inside the workspace.
Terraform example using the CLI driven workflow:
Running example: