At Spacelift, we’re excited to announce our new fully-managed integration with Azure. This integration makes it even easier for customers to get up and running fast without having to manually manage Azure Service Principal credentials.
In keeping with our tagline “the most flexible management platform for Infrastructure as Code”, and to give you maximum flexibility, you have multiple choices to integrate Spacelift with Azure:
- Using our Azure integration.
- Manually configuring Azure credentials via environment variables.
- Running a private worker, and using a Managed Identity.
Spacelift’s Azure integration is aimed at customers who want a fully managed experience, new customers who want to quickly get up and running, and existing customers who are manually managing their Azure credentials via Spacelift environment variables or contexts.
We recommend that customers who desire more control for security or compliance reasons should continue using private runners.
Spacelift’s Azure integration provides the following features:
- Easily connect to your Azure subscriptions and attach them to your stacks.
- Automatic credential rotation.
- The ability to use granular permissions depending on the action being performed.
Connecting to a subscription
To connect to your Azure subscription, simply add a new Azure integration via your account settings, specifying your Tenant ID and optionally a default subscription ID:
Install the Enterprise Application for the integration into your Azure AD tenant using the Provide Consent button:
Set up your permissions in Azure:
Attach the integration to any Spacelift stacks that require it:
That’s it, you’re now ready for launch!
When you set up an Azure integration in Spacelift, a Service Principal is created in your directory that you can use to manage permissions. We automatically rotate the credentials for this Service Principal roughly every 24 hours while making sure that there is always a valid credential for your stacks to use.
Spacelift’s Azure integration supports granular permissions by allowing you to set up more than one integration per tenant:
Each integration will create a Service Principal in Azure with a unique display name:
You can then assign the relevant permissions to each role in Azure:
And finally attach them to your stack as read or write:
Once you’ve attached both Azure integrations to your stack, Spacelift will automatically use the correct one depending on the phase of the run being executed. This allows you to provide read-only roles to planning runs (for example PRs), while providing write access for deployments.
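The read/write split described above, expressed as Terraform so the two integrations, their Azure role assignments and the stack attachments are reviewable in one place. This is an added example, not Spacelift’s own code; it assumes the spacelift-io/spacelift, hashicorp/azuread and hashicorp/azurerm providers are configured, that a Spacelift stack with ID "infra" already exists, and that the resource and attribute names match current provider versions. The tenant and subscription IDs are placeholders.

```hcl
# Added example, not Spacelift's code. Assumes providers are configured and a
# stack with ID "infra" exists; the IDs below are placeholders to replace.
locals {
  tenant_id       = "00000000-0000-0000-0000-000000000000" # placeholder
  subscription_id = "11111111-1111-1111-1111-111111111111" # placeholder

  # One integration per permission level: plans get Reader, applies Contributor.
  integrations = {
    plan  = { role = "Reader",      read = true,  write = false }
    apply = { role = "Contributor", read = false, write = true }
  }
}

data "azurerm_subscription" "target" {
  subscription_id = local.subscription_id
}

# Each integration creates its own Service Principal in the tenant, with a
# unique display name that the Spacelift resource exports.
resource "spacelift_azure_integration" "azure" {
  for_each                = local.integrations
  name                    = "azure-${each.key}"
  tenant_id               = local.tenant_id
  default_subscription_id = local.subscription_id
}

# The Service Principal only exists once admin consent has been granted for
# the Enterprise Application, so this lookup fails until that step is done.
data "azuread_service_principal" "azure" {
  for_each     = local.integrations
  display_name = spacelift_azure_integration.azure[each.key].display_name
}

# Least-privilege role assignment at subscription scope.
resource "azurerm_role_assignment" "azure" {
  for_each             = local.integrations
  scope                = data.azurerm_subscription.target.id
  role_definition_name = each.value.role
  principal_id         = data.azuread_service_principal.azure[each.key].object_id
}

# Attach both; Spacelift picks the read one for plans, the write one for applies.
resource "spacelift_azure_integration_attachment" "azure" {
  for_each       = local.integrations
  integration_id = spacelift_azure_integration.azure[each.key].id
  stack_id       = "infra"
  read           = each.value.read
  write          = each.value.write
}
```

Because consent is granted in the Azure portal rather than by Terraform, expect a first apply to create the integrations and stop at the Service Principal lookup; grant consent via the admin_consent_url exported by each integration, then apply again.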
Find out more
To find out more about the Azure integration, take a look at our documentation available at Spacelift Documentation. You might also be interested in the detailed overview of How we Built a Secure CI/CD Integration with Azure and some of the issues we encountered and solved while designing and developing it.