Clarify OIDC vs. client secret auth guidance in Azure Insights docs (#16329)
This change addresses issue #15812 by clarifying the authentication
options for configuring Pulumi Insights with Azure in the "Before You
Begin" guide.
Root cause:
- The Azure section claimed to use OIDC but then described client secret
authentication, which was confusing for users
- The documentation didn't clearly distinguish between the two auth methods
or explain when to use each
Changes:
- Replaced misleading instructions with clear guidance that presents both
authentication options upfront
- Added explicit recommendation to use OIDC for best practices (passwordless,
more secure, no long-lived credentials)
- Provided correct OIDC ESC configuration example (not client secret)
- Added note directing users to comprehensive accounts documentation for
complete step-by-step instructions on both auth methods
- Ensures consistency with how AWS section references detailed guides
Benefits:
- Users understand OIDC is recommended for Azure authentication
- Clear distinction between OIDC and client secret authentication
- No more misleading instructions claiming to use OIDC while showing secrets
- Directs users to comprehensive documentation for complete setup steps
Fixes #15812
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude <[email protected]>
content/docs/insights/discovery/get-started/begin.md
23 additions & 21 deletions
@@ -101,37 +101,39 @@ values:
101
101
102
102
{{% choosable cloud azure %}}
103
103
104
-
To configure Pulumi Insights with Azure, you will use [OpenID Connect (OIDC)](/docs/administration/access-identity/oidc/) for authentication. Follow these steps:
104
+
To configure Pulumi Insights with Azure, you can use either OpenID Connect (OIDC) or client secret authentication. **We recommend using OIDC** for passwordless authentication, as it is more secure and eliminates the need to store and manage long-lived credentials.
105
105
106
-
1. Create a Service Principal in Azure, then generate the following values:
107
-
- **clientId** (also called **appId** in the Azure UI)
108
-
- **tenantId**
109
-
- **subscriptionId**
110
-
- **clientSecret** (also called **password** in the Azure UI)
106
+
**Option 1: OIDC authentication (recommended)**
111
107
112
-
Next, go back to Pulumi ESC and configure your cloud credentials and trust relationship you just created:
108
+
1. Create a Microsoft Entra application and configure federated credentials
109
+
1. Assign the appropriate role to your service principal (e.g., Reader role for read-only access)
110
+
1. Configure your ESC environment with OIDC settings
Alternatively, you can use a Service Principal with a client secret. This requires generating a client secret in Azure and storing it securely in ESC.
134
+
133
135
{{< notes type="info" >}}
134
-
For more details on configuring Azure credentials with ESC, refer to [ESC Azure provider documentation](/docs/esc/environments/configuring-oidc/azure/).
136
+
For complete step-by-step instructions on configuring Azure credentials for Pulumi Insights, including detailed setup for both OIDC and client secret authentication, see the [Azure configuration guide](/docs/insights/discovery/accounts/#azure).
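Review bot: the rewritten intro sentence (new line 104) drops the link to `/docs/administration/access-identity/oidc/` that the removed sentence carried, and the info note (new line 136) replaces the `/docs/esc/environments/configuring-oidc/azure/` link instead of keeping it beside the new accounts link, so in the visible lines the recommended OIDC option no longer points at any OIDC-specific page. Suggest restoring the link on the first mention of OpenID Connect and listing both targets in the note. In the same hunk, step 2 ("Assign the appropriate role to your service principal (e.g., Reader role for read-only access)") should state the scope at which the role is assigned, since Reader on a single subscription and Reader on a wider scope expose very different sets of resources to discovery. The "Alternatively, you can use a Service Principal with a client secret" paragraph says "storing it securely in ESC" without saying how; one sentence on storing the value as an ESC secret and setting an expiry on the Azure client secret would give the reader something to act on. A style point: the three new steps have no trailing period or links, unlike the removed steps, which named the values the reader needs to collect (clientId, tenantId, subscriptionId); if those values are still required for the OIDC path, keep them listed here.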