Setting up Azure and GCP credentials for Spacelift Intent»

Azure credentials»

Get your tenant id.

    $ az account show --query 'tenantId'`
    "<YOUR-TENANT-ID>"

Get your subscription id.

  $ az account subscription list --query '[].{name:displayName,id:id}'
    [ ... , { "id": "<YOUR-SUBSCRIPTION-ID>", "name": "..." }, ... ]

Optionally, create a role (role.json).

    {
      "Name": "example-role”,
      "IsCustom": true,
      "Description": "example-role",
      "Actions": [
        "Microsoft.Resources/subscriptions/<ACTIONS…>"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/<YOUR-SUBSCRIPTION-ID>"
      ]
    }

    $ az role definition create --role-definition role.json

Create a service principal.

    $ az ad sp create-for-rbac --name "example-name" --role "example-role" --scopes "/subscriptions/<YOUR-SUBSCRIPTION-ID>"
    {
    "appId": "<YOUR-CLIENT-ID>",
    "displayName": "example-name",
    "password": "<YOUR-CLIENT-PASSWORD>",
    "tenant": "<YOUR-TENANT-ID>"
    }

Get client id and client password from above and setup env vars.

  ARM_CLIENT_ID="<YOUR-CLIENT-ID>"
  ARM_CLIENT_SECRET="<YOUR-CLIENT-PASSWORD>"
  ARM_TENANT_ID="<YOUR-TENANT-ID>"
  ARM_SUBSCRIPTION_ID="<YOUR-SUBSCRIPTION-ID>"

Azure environment setup

Google credentials»

Configuring Google credentials for Intent follows the same steps as setting up GCP for Spacelift. Once configured, your Intent project environment should contain:

Environment variables:
- GOOGLE_APPLICATION_CREDENTIALS — path to the JSON configuration file (e.g., /mnt/workspace/gcp.json).
- GOOGLE_PROJECT — your GCP project name (optional).
Mounted files:
- gcp.json — the JSON configuration file downloaded from GCP.
- spacelift.oidc — automatically mounted by Spacelift.