AzureAD
The Pulumi AzureAD provider uses the AzureAD SDK to manage and provision resources.
Installation
The AzureAD provider is available as a package in all Pulumi languages:
- JavaScript/TypeScript: @pulumi/azuread
- Python: pulumi-azuread
- Go: github.com/pulumi/pulumi-azuread/sdk/v4/go/azuread
- .NET: Pulumi.AzureAD
- Java: com.pulumi.azuread
Credentials
Pulumi relies on the AzureAD SDK to authenticate requests from your computer to AzureAD. Your credentials are never sent to pulumi.com. The Pulumi AzureAD Provider needs to be configured with AzureAD credentials before it can be used to create resources.
Pulumi can authenticate to Azure using a Service Principal or the Azure CLI.
If you’re running the Pulumi CLI locally, in a developer scenario, we recommend using the Azure CLI. For team environments, particularly in CI, a Service Principal is recommended.
Note: Authenticating using the CLI will not work for Service Principal logins (e.g., az login --service-principal). For such cases, authenticate using the Service Principal method instead.
CLI Authentication
Log in to the Azure CLI and Pulumi will automatically use your credentials:
$ az login
The default web browser has been opened at https://login.microsoftonline.com/common/oauth2/authorize. Please continue
the login in the web browser. If no web browser is available or if the web browser fails to open, use device code flow
with `az login --use-device-code`.
Follow the instructions to log in. Once the login completes, az login will return and you are ready to go.
Note: If you’re using Government, China, or German Clouds, you’ll need to configure the Azure CLI to work with that cloud. Do so by running az cloud set --name <Cloud>, where <Cloud> is one of AzureUSGovernment, AzureChinaCloud, or AzureGermanCloud.
The Azure CLI, and thus Pulumi, will use the Default Subscription by default; however, it is possible to override the subscription by setting your subscription ID to the id value from the output of az account list:
$ az account list
Pick out the <id> from the list and run:
$ az account set --subscription=<id>
Service Principal Authentication
A Service Principal is an application in Azure Active Directory with three authorization tokens: a client ID, a client secret, and a tenant ID. (These are often simply called appId, password, and tenant, respectively.) Using a Service Principal is the recommended way to connect Pulumi to Azure in a team or CI setting.
Configuring Authorization Tokens
Once the credentials are obtained, there are two ways to communicate your authorization tokens to Pulumi:
- Set the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID respectively
- Set them using configuration:
$ pulumi config set azuread:clientId <clientID>
$ pulumi config set azuread:clientSecret <clientSecret> --secret
$ pulumi config set azuread:tenantId <tenantID>
Creating a Service Principal
To use a Service Principal, you must first create one. This can be done using the Azure CLI, the Azure Cloud Shell, or the Azure Portal. Please refer to the Azure documentation for detailed instructions:
After creating a Service Principal, you will obtain three important tokens, mapping to the three shown earlier:
- appId is the client ID
- password is the client secret
- tenant is the tenant ID
For example, a common Service Principal as displayed by the Azure CLI looks something like this:
{
"appId": "WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW",
"displayName": "ServicePrincipalName",
"name": "http://ServicePrincipalName",
"password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"tenant": "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
}
You also need to obtain a Subscription ID. To retrieve your current Subscription ID, you can use:
$ az account show --query id -o tsv
To list all available subscriptions, you can use:
$ az account list --query '[].{subscriptionName:name,subscriptionId:id}' -o tsv
The environment variables would then be set as such:
$ export ARM_CLIENT_ID="WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW"
$ export ARM_CLIENT_SECRET="XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
$ export ARM_TENANT_ID="YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
Or configuration variables, if you prefer that they be stored alongside your Pulumi stack for easy multi-user access:
$ pulumi config set azuread:clientId "WWWWWWWW-WWWW-WWWW-WWWW-WWWWWWWWWWWW"
$ pulumi config set azuread:clientSecret "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" --secret
$ pulumi config set azuread:tenantId "YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
Remember to pass --secret when setting clientSecret so that it is properly encrypted.