|
| 1 | +--- |
| 2 | +title: Azure Spring Cloud GitHub Actions using Key Vault |
| 3 | +description: How to use key vault with CI/CD workflow for Azure Spring Cloud with GitHub Actions |
| 4 | +author: MikeDodaro |
| 5 | +ms.author: barbkess |
| 6 | +ms.service: spring-cloud |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 01/20/2019 |
| 9 | +--- |
| 10 | +# GitHub Spring Cloud actions using key vault |
| 11 | +Key Vault is a secure place to store keys. Enterprise users need to store credentials for CI/CD environments in scope that they control. The key to get credentials in the key vault should be limited to resource scope. The key to get credentials only has access to the key vault scope, not the entire Azure scope. It's like a key that can only open a strongbox not a master key that can open all doors in a building. It is a way to get a key with another key, but useful in a CICD workflow. |
| 12 | + |
| 13 | +## Generate Credential to Access to Key Vault |
| 14 | +To generate the key to open the strongbox, execute command below on you local machine: |
| 15 | +``` |
| 16 | +az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.KeyVault/vaults/<KEY_VAULT> --sdk-auth |
| 17 | +``` |
| 18 | +Note the scope specified by the `--scopes` parameter, which limits the key access to the resource. It can only access the strongbox. |
| 19 | + |
| 20 | +With results: |
| 21 | +``` |
| 22 | +{ |
| 23 | + "clientId": "<GUID>", |
| 24 | + "clientSecret": "<GUID>", |
| 25 | + "subscriptionId": "<GUID>", |
| 26 | + "tenantId": "<GUID>", |
| 27 | + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", |
| 28 | + "resourceManagerEndpointUrl": "https://management.azure.com/", |
| 29 | + "activeDirectoryGraphResourceId": "https://graph.windows.net/", |
| 30 | + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", |
| 31 | + "galleryEndpointUrl": "https://gallery.azure.com/", |
| 32 | + "managementEndpointUrl": "https://management.core.windows.net/" |
| 33 | +} |
| 34 | +``` |
| 35 | +Then save the results to GitHub **secrets** as described in[Set up your GitHub repository and authenticate with Azure](./spring-cloud-howto-github-actions.md#set-up-your-github-repository-and-authenticate-with-azure). |
| 36 | + |
| 37 | +## Add Access Policies for the Credential |
| 38 | +The credential created above can only get general information about the Key Vault, not the contents it stores. To get secrets stored in the Key Vault, you need set access policies for the credential. |
| 39 | + |
| 40 | +Go to the **Key Vault** dashboard in Azure Portal, click the **Access control** menu, then open the **Role assignments** tab. Select **Apps** for **Type**, `This resource` for **scope**. You should see the credential you created in previous step: |
| 41 | + |
| 42 | +  |
| 43 | + |
| 44 | +Copy the credential name, for example, `azure-cli-2020-01-19-04-39-02`. Open the **Access policies** menu, click +Add Access Policy link. Select `Secret Management` for **Template**, then select **Principal**. Paste the credential name in **Principal**/**Select** input box: |
| 45 | + |
| 46 | +  |
| 47 | + |
| 48 | + Click the Add button in the **Add access policy** dialog, then click **Save**. |
| 49 | + |
| 50 | +## Generate full-scope Azure Credential |
| 51 | +This is the master key to open all doors in the building. The procedure is similar to the first step, but now we change the scope to generate the master key: |
| 52 | + |
| 53 | +``` |
| 54 | +az ad sp create-for-rbac --role contributor --scopes /subscriptions/<SUBSCRIPTION_ID> --sdk-auth |
| 55 | +``` |
| 56 | + |
| 57 | +Again, results: |
| 58 | +``` |
| 59 | +{ |
| 60 | + "clientId": "<GUID>", |
| 61 | + "clientSecret": "<GUID>", |
| 62 | + "subscriptionId": "<GUID>", |
| 63 | + "tenantId": "<GUID>", |
| 64 | + "activeDirectoryEndpointUrl": "https://login.microsoftonline.com", |
| 65 | + "resourceManagerEndpointUrl": "https://management.azure.com/", |
| 66 | + "activeDirectoryGraphResourceId": "https://graph.windows.net/", |
| 67 | + "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/", |
| 68 | + "galleryEndpointUrl": "https://gallery.azure.com/", |
| 69 | + "managementEndpointUrl": "https://management.core.windows.net/" |
| 70 | +} |
| 71 | +``` |
| 72 | +Copy the entire JSON string. Bo back to **Key Vault** dashboard. Open the **Secrets** menu, then click the **Generate/Import** button. Input the secret name, such as `AZURE-CRENDENTIALS-FOR-SPRING`. Paste the JSON credential string to the **Value** input box. You may notice the value input box is a one-line text feild, rather then a multi-line text area. You can paste the complete JSON string there. |
| 73 | + |
| 74 | +  |
| 75 | + |
| 76 | +## Combine all credentials in GitHub Actions |
| 77 | +Set the credentials used when the CICD pipeline executes: |
| 78 | + |
| 79 | +``` |
| 80 | +on: [push] |
| 81 | +
|
| 82 | +jobs: |
| 83 | + build: |
| 84 | + runs-on: ubuntu-latest |
| 85 | + steps: |
| 86 | + - uses: azure/login@v1 |
| 87 | + with: |
| 88 | + creds: ${{ secrets.AZURE_CREDENTIALS }} # Strongbox key you generated in the first step |
| 89 | + |
| 90 | + with: |
| 91 | + keyvault: "zlhe-test" |
| 92 | + secrets: "AZURE-CREDENTIALS-FOR-SPRING" # Master key to open all doors in the building |
| 93 | + id: keyvaultaction |
| 94 | + - uses: azure/login@v1 |
| 95 | + with: |
| 96 | + creds: ${{ steps.keyvaultaction.outputs.AZURE-CREDENTIALS-FOR-SPRING }} |
| 97 | + - name: Azure CLI script |
| 98 | + uses: azure/CLI@v1 |
| 99 | + with: |
| 100 | + azcliversion: 2.0.75 |
| 101 | + inlineScript: | |
| 102 | + az extension add --name spring-cloud # Spring CLI commands from here |
| 103 | + az spring-cloud list |
| 104 | +
|
| 105 | +``` |
| 106 | + |
| 107 | +## Next steps |
| 108 | +* [Spring Cloud GitHub Actions](./spring-cloud-howto-github-actions.md) |
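Review bot: The workflow at lines 86-96 of the added file is missing the step that actually reads the credential out of the vault: the block starting at line 90 (`with:` / `keyvault: "zlhe-test"` / `secrets: "AZURE-CREDENTIALS-FOR-SPRING"`) has no `- uses:` line of its own, so the YAML is invalid as written and `steps.keyvaultaction.outputs.AZURE-CREDENTIALS-FOR-SPRING` at line 96 refers to a step that does not exist; add the Key Vault secrets action line (Azure/get-keyvault-secrets@v1, which takes exactly these `keyvault` and `secrets` inputs) above that `with:` block, and replace the hard-coded vault name `zlhe-test` with a placeholder such as `<KEY_VAULT>` to match the CLI commands earlier in the file. The secret name must also match between the prose and the workflow: line 72 says `AZURE-CRENDENTIALS-FOR-SPRING` while lines 92 and 96 use `AZURE-CREDENTIALS-FOR-SPRING`. On least privilege, the first `az ad sp create-for-rbac` at line 16 grants `--role contributor` on the vault; with the access-policy permission model, Contributor on a vault includes the right to write access policies, so the "strongbox" identity could grant itself secret access rather than only "general information about the Key Vault" as line 38 states. A reader-level role is enough for `azure/login`, since data-plane access comes from the access policy added in the next section. It is also worth a sentence that the runner still ends up holding the subscription-wide credential after line 96, so what this pattern reduces is the privilege of the credential stored in GitHub secrets, not the privilege of the job. Minor prose fixes for the same hunk: "on you local machine" (line 14), "described in[Set up" missing a space (line 35), "you need set" (line 38), "Bo back", "feild" and "rather then" (line 72), and `ms.date: 01/20/2019` at line 8 looks inconsistent with the example credential name `azure-cli-2020-01-19-04-39-02` at line 44.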