Deploy Azure Key Vault and Azure Container Registry for Document Signing with Notary
Josh Duffney
Posted on November 2, 2022
In this article, you'll deploy an Azure Key Vault and Azure Container Registry instance with Terraform.
Terraform is an infrastructure as code tool that lets you define your infrastructure resources with readable configuration files. You'll use it to deploy the necessary Azure infrastructure that your GitHub workflow depends on for signing container images.
By the end of this article, you'll have deployed all the Azure resources needed to digitally sign container images with Notary.
Create a service principal
Your GitHub workflow and Terraform both need an service principal for authenticating with Azure.
Create a new service principal by running the following az
command:
az ad sp create-for-rbac --name notary-gh-sp --role contributor \
--scopes /subscriptions/<subscriptionId> --sdk-auth
Replace subscriptionId
with your Azure subscriptions Id.
TIP Store the JSON object in a secure place. You'll use it to create a credential to authenticate to Azure with the Azure Login GitHub Action.
Export Terraform environment variables
One of several ways to pass credentials to Terraform is through environment variables, without these variables Terraform will failed to authenticate to Azure.
Use the following export
commands to set the necessary environment variables for the Azure Terraform provider.
export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export ARM_CLIENT_SECRET="00000000-0000-0000-0000-000000000000"
export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
Replace the 00000000
with the values provided in the JSON from the az ad sp create-for-rbac
command.
Apply the Terraform configuration
With the service principal created and the environment variable set, you're now ready to apply the Terraform configuration.
-
Change directories to the
terraform
folder.
cd terraform
-
Initialize Terraform
terraform init
-
Apply the Terraform configuration
terraform apply
When prompted type
yes
into the terminal and hit enter.
Create an Azure Container Registry Token
Your last task in this tutorial is to create a token that Notation, the command-line tool for Notary, will use to authenticate to the registry when signing images.
Run the following command to create an ACR token:
az acr token create \
--name exampleToken \
--registry <registryName> \
--scope-map _repositories_admin \
--query 'credentials.passwords[0].value' \
--only-show-errors \
--output tsv
TIP Store the password value in a secure place. You'll need to store it as a GitHub secret later in the demo.
Posted on November 2, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
November 2, 2022