Setting up Azure and GCP credentials for Spacelift Intent
Azure credentials
- Get your tenant ID and subscription ID:

```shell
$ az account show --query 'tenantId'
"<YOUR-TENANT-ID>"

$ az account subscription list --query '[].{name:displayName,id:id}'
[ ... , { "id": "<YOUR-SUBSCRIPTION-ID>", "name": "..." }, ... ]
```
- Optionally, create a role (role.json):

```json
{
  "Name": "example-role",
  "IsCustom": true,
  "Description": "example-role",
  "Actions": [
    "Microsoft.Resources/subscriptions/<ACTIONS…>"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<YOUR-SUBSCRIPTION-ID>"
  ]
}
```

```shell
$ az role definition create --role-definition role.json
```
- Create a service principal:

```shell
$ az ad sp create-for-rbac --name "example-name" --role "example-role" --scopes "/subscriptions/<YOUR-SUBSCRIPTION-ID>"
{
  "appId": "<YOUR-CLIENT-ID>",
  "displayName": "example-name",
  "password": "<YOUR-CLIENT-PASSWORD>",
  "tenant": "<YOUR-TENANT-ID>"
}
```
- Take the client ID (`appId`) and client password from the output above and set the environment variables:

```shell
ARM_CLIENT_ID="<YOUR-CLIENT-ID>"
ARM_CLIENT_SECRET="<YOUR-CLIENT-PASSWORD>"
ARM_TENANT_ID="<YOUR-TENANT-ID>"
ARM_SUBSCRIPTION_ID="<YOUR-SUBSCRIPTION-ID>"
```

Google credentials
Follow the docs, with one small change: the file paths to spacelift.oidc and gcp.json.

Set up the OIDC file location (the Intent workspace is in /app instead of /mnt/workspace):

Set up the JSON configuration (also under /app):

At the end we need:
- GOOGLE_APPLICATION_CREDENTIALS=<pointing-to-JSON-configuration-file>
- GOOGLE_PROJECT=<project name> (optional)
- gcp.json - the JSON configuration file
- spacelift.oidc, which is mounted automatically.
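As an added preflight check (not Spacelift's code), the script below validates the ARM_* variables from the Azure section and the GOOGLE_APPLICATION_CREDENTIALS/gcp.json pair from this section. It assumes gcp.json is a GCP external_account (workload identity federation) config whose credential_source.file must name /app/spacelift.oidc; the sample configs are constructed.

```python
"""Preflight check for the credentials this page sets up (added example, not
Spacelift's code). Assumes gcp.json is a GCP external_account config whose
credential_source.file names the mounted OIDC token: /app/spacelift.oidc in Intent."""
import json
from typing import Mapping

INTENT_OIDC_PATH = "/app/spacelift.oidc"  # Intent workspace, not /mnt/workspace
AZURE_VARS = ("ARM_CLIENT_ID", "ARM_CLIENT_SECRET", "ARM_TENANT_ID", "ARM_SUBSCRIPTION_ID")

# Constructed sample configs; the first keeps the default path from the generic docs.
SAMPLE_GCP_JSON_BAD = """{
  "type": "external_account",
  "audience": "//iam.googleapis.com/projects/<PROJECT-NUMBER>/locations/global/workloadIdentityPools/<POOL>/providers/<PROVIDER>",
  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
  "token_url": "https://sts.googleapis.com/v1/token",
  "credential_source": {"file": "/mnt/workspace/spacelift.oidc"}
}"""
SAMPLE_GCP_JSON_GOOD = SAMPLE_GCP_JSON_BAD.replace("/mnt/workspace/", "/app/")


def check_azure_env(env: Mapping[str, str]) -> list[str]:
    """Report ARM_* variables that are missing or still hold a <PLACEHOLDER>."""
    problems = []
    for name in AZURE_VARS:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{name} still holds the placeholder {value}")
    return problems


def check_gcp_config(env: Mapping[str, str], gcp_json_text: str) -> list[str]:
    """Report problems with GOOGLE_APPLICATION_CREDENTIALS and the gcp.json contents."""
    problems = []
    if not env.get("GOOGLE_APPLICATION_CREDENTIALS"):
        problems.append("GOOGLE_APPLICATION_CREDENTIALS is not set")
    try:
        cfg = json.loads(gcp_json_text)
    except json.JSONDecodeError as exc:
        return problems + [f"gcp.json is not valid JSON: {exc.msg}"]
    if cfg.get("type") != "external_account":
        problems.append("gcp.json type should be external_account (OIDC federation, no static key)")
    token_file = cfg.get("credential_source", {}).get("file")
    if token_file != INTENT_OIDC_PATH:
        problems.append(f"credential_source.file is {token_file!r}; Intent mounts the token at {INTENT_OIDC_PATH}")
    return problems


if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_GCP_JSON_BAD), ("good", SAMPLE_GCP_JSON_GOOD)):
        print(label, check_gcp_config({"GOOGLE_APPLICATION_CREDENTIALS": "/app/gcp.json"}, text))
```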
