Deploy Azure Key Vault and Azure Container Registry for Document Signing with Notary

joshduffney

Josh Duffney

Posted on November 2, 2022


In this article, you'll deploy an Azure Key Vault and Azure Container Registry instance with Terraform.

Terraform is an infrastructure as code tool that lets you define your infrastructure resources with readable configuration files. You'll use it to deploy the necessary Azure infrastructure that your GitHub workflow depends on for signing container images.

By the end of this article, you'll have deployed all the Azure resources needed to digitally sign container images with Notary.

Create a service principal

Your GitHub workflow and Terraform both need a service principal to authenticate with Azure.

Create a new service principal by running the following az command:

az ad sp create-for-rbac --name notary-gh-sp --role contributor \
--scopes /subscriptions/<subscriptionId> --sdk-auth

Replace subscriptionId with your Azure subscription ID.

TIP Store the JSON object in a secure place. You'll use it to create a credential to authenticate to Azure with the Azure Login GitHub Action.

Export Terraform environment variables

One of several ways to pass credentials to Terraform is through environment variables; without these variables Terraform will fail to authenticate to Azure.

Use the following export commands to set the necessary environment variables for the Azure Terraform provider.

export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_SECRET="00000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"

Replace the 00000000 placeholders with the values from the JSON returned by the az ad sp create-for-rbac command (clientId, clientSecret, subscriptionId and tenantId, in that order).

Apply the Terraform configuration

With the service principal created and the environment variables set, you're now ready to apply the Terraform configuration.

  1. Change directories to the terraform folder.

    cd terraform
    
  2. Initialize Terraform

    terraform init
    
  3. Apply the Terraform configuration

    terraform apply
    

    When prompted type yes into the terminal and hit enter.

[Screenshot: Terraform apply command]
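The article does not show the contents of the terraform folder it applies. The configuration below is an added example, not the author's own files, showing the shape such a folder typically takes: a resource group, a Key Vault hardened for holding signing keys, and a container registry. All resource names and the location are assumptions; change them to suit your environment (the Key Vault and registry names must be globally unique).

```hcl
# Added example configuration, not the article's own terraform folder.
# Assumes the ARM_* environment variables from the previous section are set,
# so the azurerm provider authenticates as the service principal.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity of the principal running terraform apply; used below so the
# service principal that signs images also gets Key Vault access.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "notary" {
  name     = "rg-notary-demo" # assumed name
  location = "eastus"         # assumed location
}

resource "azurerm_key_vault" "notary" {
  name                = "kv-notary-demo" # assumed; must be globally unique
  location            = azurerm_resource_group.notary.location
  resource_group_name = azurerm_resource_group.notary.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Signing keys should survive accidental deletion: keep soft-delete at the
  # maximum retention and turn on purge protection so a deleted key cannot be
  # permanently wiped before the retention window ends.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Least-privilege access for the signing principal: it only needs to read
  # and sign with keys and read the signing certificate, never to create,
  # delete or export key material.
  access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions         = ["Get", "Sign", "Verify"]
    certificate_permissions = ["Get"]
  }
}

resource "azurerm_container_registry" "notary" {
  name                = "acrnotarydemo" # assumed; alphanumeric, globally unique
  resource_group_name = azurerm_resource_group.notary.name
  location            = azurerm_resource_group.notary.location

  # Repository-scoped tokens (az acr token create, used in the next section)
  # are a Premium-tier feature, so Basic or Standard would make that step fail.
  sku = "Premium"

  # Keep the shared admin account off; the workflow authenticates with a
  # scoped token instead of a registry-wide username/password.
  admin_enabled = false
}

# Outputs you will need in the following steps and in the GitHub workflow.
output "registry_name" {
  value = azurerm_container_registry.notary.name
}

output "key_vault_uri" {
  value = azurerm_key_vault.notary.vault_uri
}
```

After terraform apply completes, the registry_name output is the value to substitute for <registryName> in the az acr token create command below.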

Create an Azure Container Registry Token

Your last task in this tutorial is to create a token that Notation, the command-line tool for Notary, will use to authenticate to the registry when signing images.

Run the following command to create an ACR token:

az acr token create \
--name exampleToken \
--registry <registryName> \
--scope-map _repositories_admin \
--query 'credentials.passwords[0].value' \
--only-show-errors \
--output tsv

TIP Store the password value in a secure place. You'll need to store it as a GitHub secret later in the demo.
