Author : MD TAREQ HASSAN | Updated : 2021/10/29
To Use Azure Blob Container as Backend
The following environment variables must be set (on the local machine or on the Azure DevOps Pipeline agent VM):
AZURE_STORAGE_ACCOUNT
AZURE_STORAGE_KEY (or AZURE_STORAGE_SAS_TOKEN)
Best practice for Azure DevOps Pipeline
- Put AZURE_STORAGE_ACCOUNT & AZURE_STORAGE_KEY in Azure KeyVault as secrets
- Link the secrets to a variable group and use the variable group in the pipeline
- See: Linking KeyVault Secrets to Variable Group
To Use Azure KeyVault Key for Pulumi Secrets
The following environment variables must be set (on the local machine or on the Azure DevOps Pipeline agent VM):
AZURE_CLIENT_SECRET
AZURE_CLIENT_ID
AZURE_TENANT_ID
In local machine, you can set ``
Alternatively, set the environment variable AZURE_KEYVAULT_AUTH_VIA_CLI to true
- Connect to Azure using Azure CLI
- Pulumi CLI will get token from Azure CLI
To Deploy Stack To Target Subscription
Pulumi CLI can authenticate to Azure using either of the following:
- Azure CLI: simply connect to Azure using Azure CLI (i.e. `az login`), Pulumi CLI will get token from Azure CLI
- Service Principal: make tokens available to Pulumi
Making tokens available to Pulumi when using Service Principal
Set environment variables
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_TENANT_ID
ARM_SUBSCRIPTION_ID
Or set configuration secrets
pulumi config set azure:clientId <clientID> --secret
pulumi config set azure:clientSecret <clientSecret> --secret
pulumi config set azure:tenantId <tenantID> --secret
pulumi config set azure:subscriptionId <subscriptionId> --secret
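A preflight check for the three sets of variables listed above, added here as an example (it is not part of the original article or of Pulumi). The mode names `backend`, `keyvault` and `deploy_sp` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: preflight check for the environment variables named on this page.
# Only variable NAMES are reported; secret values are never written to output.

# is_set NAME: true if NAME is exported and non-empty. printenv sees only
# exported variables, which is also all that the Pulumi CLI will see.
is_set() { printenv "$1" | grep -q .; }

# missing_vars MODE: print the names still missing for MODE, one per line.
missing_vars() {
  case "$1" in
    backend)   # Azure Blob container backend
      is_set AZURE_STORAGE_ACCOUNT || echo AZURE_STORAGE_ACCOUNT
      # Either the account key or a SAS token is enough.
      is_set AZURE_STORAGE_KEY || is_set AZURE_STORAGE_SAS_TOKEN ||
        echo "AZURE_STORAGE_KEY|AZURE_STORAGE_SAS_TOKEN"
      ;;
    keyvault)  # KeyVault key for Pulumi secrets
      # Azure CLI auth replaces the three service principal variables.
      [ "$(printenv AZURE_KEYVAULT_AUTH_VIA_CLI)" = "true" ] && return 0
      for v in AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_TENANT_ID; do
        is_set "$v" || echo "$v"
      done
      ;;
    deploy_sp) # service principal deployment (not needed after az login)
      for v in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
        is_set "$v" || echo "$v"
      done
      ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# preflight MODE...: return 0 only if every requested mode is fully configured.
preflight() {
  rc=0
  for mode in "$@"; do
    missing=$(missing_vars "$mode") || return 2
    if [ -n "$missing" ]; then
      echo "[$mode] missing or not exported:" $missing >&2
      rc=1
    fi
  done
  return "$rc"
}

# Run as a script with modes as arguments, e.g.: preflight.sh backend keyvault
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```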
Getting Environment Variable Value in Code
using System;

//
// TenantId is saved as an environment variable in either
// - Local Machine
// - Azure DevOps Pipeline Agent VM
//
const string EnvVarKeyTenantId = "AZURE_TENANT_ID";
// EnvironmentVariableTarget.Machine is for Windows only; .User might not work
var tenantId = Environment.GetEnvironmentVariable(EnvVarKeyTenantId, EnvironmentVariableTarget.Process);