In this third part of Modern IaC solution based on Pulumi I will go through how we handled authentication against Azure and Pulumi in code. I will also show you how we used Azure Key Vault to handle our secrets.
In the previous post Modern IaC solution based on Pulumi – Part 2 I went through our approach to self-manage the Pulumi backend in Azure. It involved creating Azure Blob Storage for storing Pulumi stack states and a Key Vault for config/secret encryption. I also showed how we created a Service Principal for logging in and interacting with Azure.
Before we could start creating our Pulumi projects and stacks using our self-managed backend, we still had some initial tasks to take care of. Tasks such as streamlining the way we log in. Both to Azure and Pulumi. Here’s how to login to Azure as our SP (with the assumption that the variables below have previously been assigned):
# Login to Azure using the SP
az login \
--service-principal \
-u $SP_NAME \
-p $SP_CLIENT_SECRET \
--tenant $TENANT_ID
# Set the current active Azure subscription
az account set --subscription $SUBSCRIPTION_ID
When it comes to do pulumi login successfully we needed to instruct Pulumi to use our Azure Blob Storage by setting a few environment variables in advance:
export AZURE_STORAGE_ACCOUNT=$STORAGE_ACCOUNT_NAME
export AZURE_STORAGE_KEY=$STORAGE_ACCESS_KEY
So we could then do pulumi login, like this:
pulumi login --cloud-url azblob://$BLOB_CONTAINER_NAME
And that is how we handled authentication against Azure and Pulumi in code. Now let’s go on with how we handled our secrets.
Azure Key Vault
As I already mentioned we used the Azure Key Vault for config/secret protection. By default this encryption provider uses environment-based authentication against Azure. In our case that would require us to set the following environment variables:
# Using Client credentials as Authentication type
export AZURE_TENANT_ID=$TENANT_ID
export AZURE_CLIENT_ID=$SP_CLIENT_ID
export AZURE_CLIENT_SECRET=$SP_CLIENT_SECRET
Instead we chose to handle the authentication part via Azure CLI, which required us to set the following environment variable instead:
export AZURE_KEYVAULT_AUTH_VIA_CLI=true
Before we could run pulumi new to create Pulumi projects and their stacks, we had to put together a URI for the Azure Key Vault secret provider:
SECRETS_PROVIDER_URI=azurekeyvault://$KEYVAULT_NAME.vault.azure.net/keys/$ENCRYPTION_KEY_NAME
Now we could do pulumi new to create our first Pulumi project:
pulumi new --secrets-provider=$SECRETS_PROVIDER_URL
Finally we were ready with setting up our self-managed Pulumi backend. And it was time to get productive with creating the real IaC solution. Stay tuned for the next post where I will give an overview of the different Pulumi projects we created and how they relate to each other.