# Azure Plugins for Porter

This is a set of Azure plugins for Porter.
## Install

The plugin is distributed as a single binary, `azure`. The following snippet will clone this repository, build the binary and install it to `~/.porter/plugins/`.

```sh
go get get.porter.sh/plugin/azure/cmd/azure
cd $(go env GOPATH)/src/get.porter.sh/plugin/azure
make build install
```

After installing the plugin, you must modify your Porter configuration file and select which plugin you want to use.
## Storage

Storage plugins allow Porter to store data, such as claims, parameters and credentials, in Azure's cloud.

### Blob

The `azure.blob` plugin stores data in Azure Blob Storage.

### Table

The `azure.table` plugin stores data in Azure Table Storage.
The plugin requires a storage account name and storage account key. These can be provided as a connection string in an environment variable, or can be looked up at run time if the user is logged in with the Azure CLI.

- Create a storage account.
- Create a container named `porter`.
- Open, or create, `~/.porter/config.toml`.

#### To use a connection string

- Add the following line to activate the Azure blob storage plugin:

  ```toml
  default-storage-plugin = "azure.blob"
  ```

- Or add the following line to activate the Azure table storage plugin:

  ```toml
  default-storage-plugin = "azure.table"
  ```

Copy the connection string for the storage account. Then set it as an environment variable named `AZURE_STORAGE_CONNECTION_STRING`.
#### Use the Azure CLI

- Add the following lines to activate the Azure blob storage plugin and configure the storage account details:

  ```toml
  default-storage = "azurestorage"

  [[storage]]
  name = "azurestorage"
  plugin = "azure.blob"

  [storage.config]
  account="storage account name"
  resource-group="storage account resource group"
  ```

- For Azure Table storage, set the plugin to `azure.table`:

  ```toml
  [[storage]]
  name = "azurestorage"
  plugin = "azure.table"
  ```

If the machine you are using is already logged in with the Azure CLI, then the same security context will be used to look up the keys for the storage account. By default it will use the current subscription (the one returned by the command `az account show`). To set the subscription explicitly, add the following line to `[storage.config]`:

```toml
subscription-id="storage account subscription id"
```
## Secrets

Secrets plugins allow Porter to inject secrets into credential or parameter sets. For example, if your team has a shared key vault with a database password, you can use the keyvault plugin to inject it as a credential or parameter when you install a bundle.

### Key Vault

The `azure.keyvault` plugin resolves credentials or parameters against secrets in Azure Key Vault.

- Open, or create, `~/.porter/config.toml`.
- Add the following lines to activate the Azure keyvault secrets plugin:

  ```toml
  default-secrets = "mysecrets"

  [[secrets]]
  name = "mysecrets"
  plugin = "azure.keyvault"

  [secrets.config]
  vault = "myvault"
  ```

- Create a key vault and set `vault` in the config to the name of that vault.
## Storage and Secrets combined

When both storage and secrets are configured, be sure to place the `default-*` stanzas at the top of the file, like so:

```toml
default-storage = "azurestorage"
default-secrets = "mysecrets"

[[storage]]
name = "azurestorage"
plugin = "azure.blob"

[storage.config]
account="storage account name"
resource-group="storage account resource group"

[[secrets]]
name = "mysecrets"
plugin = "azure.keyvault"

[secrets.config]
vault = "myvault"
```

Otherwise, Porter won't be able to parse the configuration correctly: in TOML a bare key belongs to the most recently opened table, so a `default-*` line placed after `[secrets.config]` is read as a key of that table rather than as a top-level setting.
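To see why the ordering matters, the following added example (not code from the Porter Azure plugins) implements just enough of TOML's table-scoping rule to report where each `default-*` key actually lands, and runs it over the combined stanzas above in both orders. The sample configs are constructed from the README's values.

```python
import re

# Added example, not code from the Porter Azure plugins. It handles only the
# slice of TOML the check needs (table headers and simple key = value lines):
# a bare key belongs to the most recently opened table, so a default-* line
# written after [secrets.config] lands in secrets.config instead of the root.
HEADER_RE = re.compile(r"^\[\[?\s*([A-Za-z0-9_.-]+)\s*\]\]?$")
KEY_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=")

def locate_keys(toml_text):
    """Map each key to its line, under the dotted table path TOML assigns it."""
    table = ""  # "" is the root table
    placed = {}
    for line in toml_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        header = HEADER_RE.match(stripped)
        if header:
            table = header.group(1)
            continue
        key = KEY_RE.match(stripped)
        if key:
            placed[f"{table}.{key.group(1)}" if table else key.group(1)] = stripped
    return placed

def misplaced_defaults(toml_text):
    """Return the default-* keys that a table header swallowed, as dotted paths."""
    return sorted(p for p in locate_keys(toml_text)
                  if "." in p and p.rsplit(".", 1)[-1].startswith("default-"))

# Constructed samples: the README's combined stanzas, with the default-* lines
# placed first (correct) or appended after [secrets.config] (broken).
STANZAS = """[[storage]]
name = "azurestorage"
plugin = "azure.blob"
[storage.config]
account = "storage account name"
resource-group = "storage account resource group"
[[secrets]]
name = "mysecrets"
plugin = "azure.keyvault"
[secrets.config]
vault = "myvault"
"""
DEFAULTS = 'default-storage = "azurestorage"\ndefault-secrets = "mysecrets"\n'
GOOD_CONFIG = DEFAULTS + STANZAS  # misplaced_defaults -> []
BAD_CONFIG = STANZAS + DEFAULTS   # -> ['secrets.config.default-secrets', ...]
```

Running `misplaced_defaults` over a config before handing it to Porter catches the mis-ordering with a clear message instead of an opaque parse failure.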
## Authentication

Authentication to Azure can use any of the following methods. Whichever mechanism is used, the principal that is used to access Key Vault needs to be granted at least Get and List secret permissions on the vault. However, if you authenticate using the Azure CLI and are logged in with the account that created the key vault in the portal, then you will already have this permission.

- Azure CLI: By default, if the machine you are using is already logged in with the Azure CLI, then the same security context will be used for the `azure.keyvault` plugin without any additional configuration.
- Use a service principal (Azure portal) and an application secret (Azure portal or Azure CLI). Use the service principal details to set the environment variables `AZURE_TENANT_ID` and `AZURE_CLIENT_ID`. Then set the environment variable `AZURE_CLIENT_SECRET` using the application secret.
- Use a service principal (Azure portal) and a certificate (Azure portal or Azure CLI). Use the service principal details to set the environment variables `AZURE_TENANT_ID` and `AZURE_CLIENT_ID`. Then, using the certificate file path and password, set the environment variables `AZURE_CERTIFICATE_PATH` and `AZURE_CERTIFICATE_PASSWORD`.
- Username and password: Log in with a user name and password. Set the environment variables `AZURE_USERNAME` and `AZURE_PASSWORD`. This doesn't work with Microsoft accounts or accounts that have two-factor authentication enabled.