How to connect with Azure

Last updated: June 29, 2024

Integrating Spacelift with Azure allows for secure and efficient management of your infrastructure using temporary, dynamically generated credentials. This ensures high security standards by avoiding long-lived static credentials and supports compliance with audit trails.

For the full detailed guide, visit Azure Integration Documentation.

Benefits of Using a Cloud Integration

  1. Enhanced Security: Prevents the risks associated with long-lived static credentials by using dynamically generated credentials.

  2. Efficiency: Simplifies management processes by automating credential generation and rotation.

Steps Required for Setup

  1. Create an Azure Integration in Spacelift:

    • Navigate to the Cloud Integrations section of your Spacelift account.

    • Click on the Add your first integration button to start configuring your integration.

    • Provide a name for your integration and enter your Active Directory Tenant ID. Optionally, specify a default subscription ID if needed.

    Note: You can find your Tenant ID in the Azure Active Directory section of the Azure portal. Azure subscriptions can be found in the Subscriptions section of the Azure portal.

  2. Provide Admin Consent:

    • After creating the integration, click on the Provide Consent button, which will redirect you to Azure.

    • Log into your Azure account and grant the necessary permissions. You may see a permissions screen requesting consent for the "Sign in and read user profile" permission. This permission is necessary for the admin consent process but does not sign in as any users or access their information.

    Note: Azure AD uses eventual consistency to replicate new applications globally. If you encounter an error while granting admin consent, wait a few minutes and try again.

  3. Configure Azure Permissions:

    • A new Enterprise Application will be created for your integration in Azure. You can view this in the Enterprise Applications section of Azure Active Directory.

    • Navigate to the Access Control (IAM) section of the Azure subscription or resource group you want the integration to have access to.

    • Add a new role assignment for the integration to grant it the necessary permissions.

    Note: The integration has no access to any of your Azure infrastructure unless explicitly granted the appropriate permissions.

  4. Attach the Integration to a Stack:

    • Navigate to the stack you want to attach the integration to.

    • Go to the stack's settings and choose the integrations tab.

    • Select the Azure option, choose your integration, specify a subscription ID if needed, and define whether the integration should be used for read, write, or both phases.

    • Click on the Attach button to finalize the attachment.

  5. Static Credentials (Optional):

    • If you prefer to use static credentials, create an Azure Service Principal and grant it access to your Azure subscription.

    • Configure the Azure Provider in Spacelift to use the Service Principal via environment variables. This method is useful when using the public worker pool or workers not hosted in Azure.

Additional Information

  • Managed Identities: When using private workers hosted in Azure, you can configure the Azure provider to use managed identities, which automatically handle secret rotation.

  • Deleting an Integration: If you need to delete an integration, ensure it is not being used by any stacks. Deleting the integration does not remove the Enterprise Application from Azure AD; you must do this manually.

  • Credential Expiry and Rotation: When using static credentials, manage credential rotation to avoid disruptions. Managed identities automatically handle this process.
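The two provider set-ups the page contrasts, static Service Principal credentials supplied through environment variables (step 5) and a managed identity on a private worker hosted in Azure (the Managed Identities note), as one added Terraform example. This is not code from the original page or from Spacelift's own documentation; it relies on the azurerm provider's standard `ARM_*` environment variables and its `use_msi` argument, and the variable names, the `TF_VAR_` mapping and every placeholder value are assumptions.

```hcl
# Added example (not from the page): azurerm provider authentication for a
# Spacelift stack, covering both credential models the page describes.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"   # assumption: any 3.x release of the provider
    }
  }
}

# Variant A: static Service Principal credentials (step 5). The provider reads
# them from the environment, so set these as SECRET environment variables on
# the stack (or an attached context) and keep them out of the repository:
#
#   ARM_TENANT_ID       = "<tenant-id>"                  (placeholder)
#   ARM_SUBSCRIPTION_ID = "<subscription-id>"            (placeholder)
#   ARM_CLIENT_ID       = "<service-principal-app-id>"   (placeholder)
#   ARM_CLIENT_SECRET   = "<service-principal-secret>"   (placeholder; rotate on a schedule)
#
# Because nothing is written into the .tf files, the secret never shows up in
# plan output or in version control.

# Variant B: managed identity on an Azure-hosted private worker. No secret
# exists to store or rotate; Azure issues short-lived tokens to the worker.
# Select it per stack with a plain (non-secret) environment variable, e.g.
# TF_VAR_use_msi="true". Setting ARM_USE_MSI="true" instead is equivalent.
variable "use_msi" {
  type        = bool
  default     = false
  description = "true on private workers hosted in Azure that carry a managed identity"
}

# Assumed variable: the client ID of a user-assigned identity attached to the
# worker. Pinning it means the run cannot silently pick up a different identity
# that happens to be present on the host. Leave null for a system-assigned one.
variable "msi_client_id" {
  type    = string
  default = null
}

provider "azurerm" {
  features {}

  # false (default): fall back to the ARM_* variables of Variant A.
  # true: authenticate with the worker's managed identity (Variant B).
  use_msi = var.use_msi

  # A null argument is the same as omitting it, so in Variant A the provider
  # still takes client_id from ARM_CLIENT_ID.
  client_id = var.use_msi ? var.msi_client_id : null
}
```

Whichever variant is active, the role assignment granted in step 3 (or to the Service Principal in step 5) is what bounds the blast radius; the provider block only decides how the identity is proven, not what it may touch.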

For more detailed instructions and examples, refer to the full Azure Integration Documentation.