Configuring OpenID Connect for Azure with Pulumi Deployments

This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Azure. OIDC in Azure uses workload identity federation to access Azure resources via a Microsoft Entra App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by Pulumi Cloud.

Configuring OIDC for Azure involves two sides:

1. Azure — register a Microsoft Entra application with federated credentials that trust Pulumi Cloud, and grant its service principal access to your resources. You can do this in the Azure portal or programmatically.
2. Pulumi Deployments — enable the Azure OIDC integration for your stack so that each deployment exchanges its OIDC token for credentials from that application. You can do this in the Pulumi Cloud console or programmatically with the Pulumi Service provider.

Prerequisites

• You must have access in the Azure Portal to create and configure Microsoft Entra App registrations.

Configure Azure

Using the Azure portal

Create a Microsoft Entra application

In the navigation pane of the Microsoft Entra console:

1. Select App registrations and then click New registration.
2. Provide a name for your application (ex: pulumi-deployments-oidc-app).
3. In the Supported account types section, select Accounts in this organizational directory only.
4. Click Register.

After the Microsoft Entra application has been created, take note of the following details:

• Subscription ID
• Application (client) ID
• Directory (tenant) ID

These values will be necessary when enabling OIDC for your service.

Add federated credentials

Once you have created your new application registration, you will be redirected to the application’s Overview page. In the left navigation menu:

1. Navigate to the Certificates & secrets pane.
2. Select the Federated credentials tab.
3. Click on the Add credential button. This will start the “Add a credential” wizard.
4. In the wizard, select Other Issuer as the Federated credential scenario.
5. Fill in the remaining form fields as follows:
   • Issuer: https://api.pulumi.com/oidc
   • Subject Identifier: must be a valid subject claim (see examples at the end of this section).
   • Name: An arbitrary name for the credential, e.g. “pulumi-oidc-credentials”.
   • Audience: Enter the name of your Pulumi organization.

Subject claim examples

Because Azure’s federated credentials require that the subject identifier exactly matches an OIDC token’s subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. For example, in order to enable all of the valid operations on a stack named dev of the core project in the contoso organization, you would need to create credentials for each of the following subject identifiers:

• pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write
• pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write
• pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write
• pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write

Create a service principal

To provide Pulumi services the ability to deploy, manage, and interact with Azure resources, you need to associate your Microsoft Entra application with your Subscription or Resource Group.

1. Navigate to the Subscriptions page of the Azure portal.
2. Select the subscription to create the service principal in.
   • If you want to limit access to a specific resource group, go to the Resource Groups page instead and select the desired resource group.
3. In the left navigation menu, select Access control (IAM).
4. Click Add > Add role assignment to be taken to the Add role assignment wizard.
5. Under the Job function roles tab, select the desired role from the list, then click Next.
6. Select User, group, or service principal, then click Select members
7. Enter the name of the application you created in a previous step, select it from the list, then click Select.
8. Click Next and then Review + assign.

Using infrastructure as code

You can create the Entra application, federated credentials, service principal, and role assignment with a Pulumi program instead of the portal. The following example uses TypeScript with the Azure AD provider and the Azure Native provider; the same resources are available in every Pulumi language.

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";
import * as authorization from "@pulumi/azure-native/authorization";

const org = "contoso";
const project = "core";
const stack = "dev";

const current = authorization.getClientConfigOutput();

// Register an Entra application and a matching service principal.
const app = new azuread.Application("pulumi-deployments-oidc", {
    displayName: "pulumi-deployments-oidc",
});

const servicePrincipal = new azuread.ServicePrincipal("pulumi-deployments-oidc", {
    clientId: app.clientId,
});

// Grant the service principal access to your subscription. "Contributor" is shown
// here; scope this down for production.
const contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c";
const subscriptionScope = pulumi.interpolate`/subscriptions/${current.subscriptionId}`;

new authorization.RoleAssignment("pulumi-deployments-contributor", {
    principalId: servicePrincipal.id,
    principalType: "ServicePrincipal",
    roleDefinitionId: pulumi.interpolate`${subscriptionScope}/providers/Microsoft.Authorization/roleDefinitions/${contributorRoleId}`,
    scope: subscriptionScope,
});

// Azure federated credentials require an exact subject match (no wildcards), so add
// one credential per operation.
for (const operation of ["preview", "update", "refresh", "destroy"]) {
    new azuread.ApplicationFederatedIdentityCredential(`cred-${operation}`, {
        applicationId: app.id,
        displayName: operation,
        issuer: "https://api.pulumi.com/oidc",
        audiences: [org],
        subject: `pulumi:deploy:org:${org}:project:${project}:stack:${stack}:operation:${operation}:scope:write`,
    });
}

export const clientId = app.clientId;
export const tenantId = current.tenantId;
export const subscriptionId = current.subscriptionId;

Configure Pulumi Deployments

Using the Pulumi Cloud console

1. Navigate to your stack in the Pulumi Console.
2. Open the stack’s Settings tab.
3. Choose the Deploy panel.
4. Under the OpenID Connect header, toggle Enable Azure Integration.
5. Enter the client and tenant IDs for the app registration created above in the Client ID and Tenant ID fields, respectively.
6. Enter the ID of the subscription you want to use in the Subscription ID field.
7. Click the Save deployment configuration button.

Using infrastructure as code

You can manage the same deployment settings in source control with the pulumiservice.DeploymentSettings resource (the OIDC configuration is set under operationContext.oidc.azure). Deployment settings can also be configured via the REST API.

import * as pulumiservice from "@pulumi/pulumiservice";

new pulumiservice.DeploymentSettings("deployment-settings", {
    organization: "contoso",
    project: "core",
    stack: "dev",
    operationContext: {
        oidc: {
            azure: {
                clientId: "<application-client-id>",
                tenantId: "<directory-tenant-id>",
                subscriptionId: "<subscription-id>",
            },
        },
    },
});

With this configuration, each deployment of this stack will attempt to exchange the deployment’s OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the ARM_CLIENT_ID, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID environment variables. The raw OIDC token is also available for advanced scenarios in the PULUMI_OIDC_TOKEN environment variable and the /mnt/pulumi/pulumi.oidc file.

For a full end-to-end example that configures both sides together, see this TypeScript example.