Configuring OpenID Connect for Azure
This document outlines the steps required to configure Pulumi Deployments to use OpenID Connect to authenticate with Azure. OIDC in Azure uses workload identity federation to access Azure resources via an Azure Active Directory App. Access to the temporary credentials is authorized using federated credentials that validate the contents of the OIDC token issued by the Pulumi Cloud.
Prerequisites
- You must be an admin of your Pulumi organization.
Creating the Azure Active Directory App
To create the Azure Active Directory App and service principal, see the relevant Azure documentation.
After the AAD App has been created, take note of the Application (client) ID and Directory (tenant) ID. These values will be necessary when enabling OIDC for your stack.
Adding federated credentials
Navigate to the “Certificates & secrets” pane using the sidebar. Then, select the “Federated credentials” tab and click on the “Add credential” button.
In the wizard, select “Other Issuer” as the “Federated credential scenario”.
Finally, fill in the “Issuer”, “Subject Identifier”, “Name”, and “Audience” fields in the form.
- “Issuer” must be
https://api.pulumi.com/oidc
- “Subject Identifier” must be a valid subject claim (see examples at the end of this section).
- “Name” is an arbitrary name for the credential
- “Audience” must be the name of your Pulumi organization
Because Azure’s federated credentials require that the subject identifier exactly matches an OIDC token’s subject claim, this process must be repeated for each permutation of the subject claim that is possible for a stack. For example, in order to enable all of the valid operations on a stack named dev
of the core
project in the contoso
organization, you would need to create credentials for each of the following subject identifiers:
pulumi:deploy:org:contoso:project:core:stack:dev:operation:preview:scope:write
pulumi:deploy:org:contoso:project:core:stack:dev:operation:update:scope:write
pulumi:deploy:org:contoso:project:core:stack:dev:operation:refresh:scope:write
pulumi:deploy:org:contoso:project:core:stack:dev:operation:destroy:scope:write
Enabling OIDC for your Stack
- Navigate to your stack in the Pulumi Console.
- Open the stack’s “Settings” tab.
- Choose the “Deploy” panel.
- Under the “OpenID Connect” header, toggle “Enable Azure Integration”.
- Enter the client and tenant IDs for the app registration created above in the “Client ID” and “Tenant ID” fields, repsectively.
- Enter the ID of the subscription you want to use in the “Subscription ID” field.
- Click the “Save deployment configuration” button.
With this configuration, each deployment of this stack will attempt to exchange the deployment’s OIDC token for Azure credentials using the specified AAD App prior to running any pre-commands or Pulumi operations. The fetched credentials are published in the ARM_CLIENT_ID
, ARM_TENANT_ID
, and ARM_SUBSCRIPTION_ID
environment variables. The raw OIDC token is also available for advanced scenarios in the PULUMI_OIDC_TOKEN
environment variable and the /mnt/pulumi/pulumi.oidc
file.
Thank you for your feedback!
If you have a question about how to use Pulumi, reach out in Community Slack.
Open an issue on GitHub to report a problem or suggest an improvement.