Introducing the Spacelift Azure Integration!

At Spacelift, we’re excited to announce our new fully-managed integration with Azure. This integration makes it even easier for customers to get up and running fast without having to manually manage Azure Service Principal credentials.

Target Audience

In keeping with our tagline “the most flexible management platform for Infrastructure as Code”, and to give you maximum flexibility, you have multiple choices for integrating Spacelift with Azure.

Spacelift’s Azure integration is aimed at customers who want a fully managed experience, new customers who want to quickly get up and running, and existing customers who are manually managing their Azure credentials via Spacelift environment variables or contexts.

We recommend that customers who want more control for security or compliance reasons continue using private runners.

Features

Spacelift’s Azure integration provides the following features:

  • Easily connect to your Azure subscriptions and attach them to your stacks.
  • Automatic credential rotation.
  • The ability to use granular permissions depending on the action being performed.

Connecting to a subscription

To connect to your Azure subscription, simply add a new Azure integration via your account settings, specifying your Tenant ID and optionally a default subscription ID:

Install the Enterprise Application for the integration into your Azure AD tenant using the Provide Consent button:

Set up your permissions in Azure:

Attach the integration to any Spacelift stacks that require it:

That’s it, you’re now ready for launch!

Credential Rotation

When you set up an Azure integration in Spacelift, a Service Principal is created in your directory that you can use to manage permissions. We automatically rotate the credentials for this Service Principal roughly every 24 hours while making sure that there is always a valid credential for your stacks to use.

Granular Permissions

Spacelift’s Azure integration supports granular permissions by allowing you to set up more than one integration per tenant:

Each integration will create a Service Principal in Azure with a unique display name:

You can then assign the relevant permissions to each role in Azure:

And finally attach them to your stack as read or write:

Once you’ve attached both Azure integrations to your stack, Spacelift will automatically use the correct one depending on the phase of the run being executed. This allows you to provide read-only roles to planning runs (for example PRs), while providing write access for deployments.
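
The read/write split only helps if the Service Principal attached as read really holds nothing but read-only roles. The following is an added example (not Spacelift's code and not part of the original post): a Python audit over role data shaped like `az role assignment list` and `az role definition list` output. The principal IDs, scopes and trimmed role definitions are constructed sample values.

```python
# Constructed sample data (not real tenant values), trimmed to the fields used.
READ_SP = "11111111-1111-1111-1111-111111111111"   # hypothetical: "read" integration
WRITE_SP = "22222222-2222-2222-2222-222222222222"  # hypothetical: "write" integration
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

ROLE_DEFINITIONS = [
    {"roleName": "Reader",
     "permissions": [{"actions": ["*/read"], "notActions": [], "dataActions": []}]},
    {"roleName": "Contributor",
     "permissions": [{"actions": ["*"], "dataActions": [],
                      "notActions": ["Microsoft.Authorization/*/Write"]}]},
]
ASSIGNMENTS = [
    {"principalId": READ_SP, "roleDefinitionName": "Reader", "scope": SUB},
    {"principalId": READ_SP, "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-app"},
    {"principalId": WRITE_SP, "roleDefinitionName": "Contributor", "scope": SUB},
]


def is_read_only(role):
    """True only if every control- and data-plane action granted ends in /read.

    Conservative: notActions are ignored, so "*" minus exclusions still counts
    as write-capable.
    """
    for perm in role["permissions"]:
        granted = perm.get("actions", []) + perm.get("dataActions", [])
        if any(not action.lower().endswith("/read") for action in granted):
            return False
    return True


def write_capable_assignments(assignments, definitions, principal_id):
    """Return (role, scope) pairs where the principal holds a non-read-only role."""
    by_name = {d["roleName"]: d for d in definitions}
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role = by_name.get(a["roleDefinitionName"])
        # A role with no known definition cannot be proven read-only: flag it.
        if role is None or not is_read_only(role):
            findings.append((a["roleDefinitionName"], a["scope"]))
    return findings


if __name__ == "__main__":
    for role, scope in write_capable_assignments(ASSIGNMENTS, ROLE_DEFINITIONS, READ_SP):
        print(f"read integration holds write-capable role {role!r} at {scope}")
```

Any finding for the read principal means planning runs, including those triggered by PRs, can change resources at that scope.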

Find out more

To find out more about the Azure integration, take a look at our documentation available at Spacelift Documentation. You might also be interested in the detailed overview of How we Built a Secure CI/CD Integration with Azure and some of the issues we encountered and solved while designing and developing it. 
