Service Accounts
Setting up a dedicated service account for your CI/CD tool to access DuploCloud and the underlying cloud.
When using a dedicated security account for pipeline access, you must make it available to the pipelines.
Duplocloud Service Account
To call the DuploCloud API from a job, obtain an API token. A good naming convention is to name it after the brand, so for GitHub just name the service account github, or gitlab for GitLab.
1. Create a Service Account user in DuploCloud. Service Account users are usernames that are not an email address, such as github-bot or my-api-user. These users do not log in, but their account owns the API token.
2. Give the DuploCloud user access to the desired Tenant. See adding Tenant access for a user. You could give admin permissions as well.
3. Create an API token for that user. See creating API Tokens.
4. Add the following repository variables/secrets to the CI/CD environment.
   DUPLO_HOST: The full URL to the DuploCloud portal
   DUPLO_TOKEN: The API token from step 3
AWS IAM Role
DuploCloud uses AWS STS to provide credentials during a CI/CD workflow. No extra steps are needed. The running job assumes the IAM role associated with the tenant using the DuploCloud credentials.
GCP Service Account
Select the project.
In your CI/CD tool, you will save the following two variables. Navigate to the
Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the Service Account.
Create a Variable named CLOUD_ACCOUNT with the Project ID or Name from GCP.
The JSON Credentials file you download has the following content:
{
  "type": "service_account",
  "project_id": "<project-id>",
  "private_key_id": "<private-key-id>",
  "private_key": "<private-key>",
  "client_email": "<client-email>",
  "client_id": "<client-id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<client-x509-cert-url>"
}
Azure Security Account
Create an Azure Security Account with needed permissions in Azure Entra ID.
The JSON Credential file has the following content:
{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>"
}
Within your CI/CD tool, create the following variables.
Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the service account.
Create a Variable named CLOUD_ACCOUNT with the directory name for Azure.
Configure CI/CD Variables
Configure the variables mentioned in the steps above for your specific vendor.
Documentation guides for getting started with BitBucket Pipelines
Documentation guides for getting started with Azure DevOps
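A pre-flight check that a pipeline job could run before using the variables described above. This is an added example, not DuploCloud's own code: it confirms DUPLO_HOST, DUPLO_TOKEN, CLOUD_CREDENTIALS and CLOUD_ACCOUNT are present and that CLOUD_CREDENTIALS matches the GCP or Azure layout shown on this page, without printing any secret value. The helper names classify_credentials and preflight are hypothetical, and requiring https for DUPLO_HOST is an assumption.

```python
import json
import os
from urllib.parse import urlparse

# Keys from this page's two JSON layouts; the first key of each identifies the layout.
REQUIRED_KEYS = {
    "gcp": ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri"),
    "azure": ("clientId", "clientSecret", "subscriptionId", "tenantId"),
}


def classify_credentials(raw):
    """Hypothetical helper: return (cloud, problems) without echoing secret values."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        doc = None
    if not isinstance(doc, dict):
        return None, ["CLOUD_CREDENTIALS is not a JSON object"]
    cloud = next((c for c, keys in REQUIRED_KEYS.items() if keys[0] in doc), None)
    if cloud is None:
        return None, ["CLOUD_CREDENTIALS matches neither the GCP nor the Azure layout"]
    problems = []
    for key in REQUIRED_KEYS[cloud]:
        value = doc.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{cloud} credentials: '{key}' is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            problems.append(f"{cloud} credentials: '{key}' is still a template placeholder")
    return cloud, problems


def preflight(env):
    """Hypothetical helper: check the pipeline variables named on this page."""
    problems = []
    host = urlparse(env.get("DUPLO_HOST", ""))
    if host.scheme != "https" or not host.netloc:  # assumption: the portal is served over https
        problems.append("DUPLO_HOST must be a full https:// URL")
    if not env.get("DUPLO_TOKEN", "").strip():
        problems.append("DUPLO_TOKEN is not set")
    if "CLOUD_CREDENTIALS" in env:  # absent on AWS, which needs no extra variables
        cloud, cred_problems = classify_credentials(env["CLOUD_CREDENTIALS"])
        problems += cred_problems
        if cloud and not env.get("CLOUD_ACCOUNT", "").strip():
            problems.append("CLOUD_ACCOUNT is not set")
    return problems


if __name__ == "__main__":
    raise SystemExit("\n".join(preflight(os.environ)) or 0)  # non-zero exit fails the job
```

Run it as the first step of a job so a missing or malformed secret fails the pipeline early, with messages that name the variable but never its contents.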