If you are using Octopus Deploy to deploy onto Azure the only options you'd find is to use a Service Principal for ARM-based deployments, or a Management Certificate for older ASM deployments.
The use of the Service Principals is deemed as a security risk since you need to store the credentials in your code. We know the problem that Managed Identities for Azure resources solves. A managed identity can be used to authenticate to any service that supports Azure AD authentication without any credentials in your code. If you are unfamiliar with Managed Identities, I would suggest going through our documentation. Unfortunately, this is not an option out of the box, even if your Octopus server or the tentacle agent is running on Azure.
So, is there a way to use Managed Identity to perform secure, no credentials deployment on Azure using Octopus deploy? My colleague Apurva and I started exploring options and, in this blog, we describe our journey to successfully deploying an ARM template using Managed Identities. An Azure VM was used in our example, but this should also be possible if you are running on containers using ACI or AKS.
The first step would be to install PowerShell Core on the VM running your Octopus Server or Tentacle Agent on Azure. We installed PowerShell 7 on this VM. You must then add the az-* module to be able to execute Azure PowerShell commands.
You must then assign a Managed Identity to the VM. You can use a system managed identity or a user managed identity. In the below example we are using System Assigned.
$vm = Get-AzVM -ResourceGroupName myResourceGroup -Name myVM
Update-AzVM -ResourceGroupName myResourceGroup -VM $vm –IdentityType "SystemAssigned"
Once it is assigned, run following command to ensure you can utilize the newly Managed Service Identity (MSI) of the host environment.
Connect-AzAccount -Identity
You should be able to see the subscription details correctly:
Account SubscriptionName TenantId Environment
------- ---------------- -------- -----------
MSI@50342 Subscription1 xxxx-xxxx-xxxx-xxxx AzureCloud
If not, provide subscription access to the managed identity. The managed identity must also have Write permissions on the resource group where the ARM resources are to be deployed.
From within Octopus Deploy, create a step to “Run a script” in your Deployment Process as shown below.
From Configure Options – check the “Powershell Edition” checkbox:
You will also need to set the environment variable to point to pwsh.exe.
Also, select “PowerShell Core” for the edition as shown below:
That’s it. You should now be able to run Azure PowerShell commands from your Octopus Server running in Azure without storing any credentials.
Connect-AzAccount -Identity
New-AzResourceGroupDeployment -ResourceGroupName "xxx-demo-rg" -TemplateUri "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-blob-container/azuredeploy.json" -TemplateParameterObject @{"storageAccountName"="strgacc29052020"}
Apurva Kolhe is a Premier Field Engineer at Microsoft and Suhas Rao is a Cloud Solution Architect at Microsoft, both specializing in the areas of DevOps and PaaS technologies on Azure.
Microsoft
