Service Accounts

Setting up a dedicated service account for your CI/CD tool to access Duplocloud and the underlying cloud.

PreviousCI/CD Overview NextGitHub Actions

Last updated 1 year ago

Was this helpful?

Service Accounts

Setting up a dedicated service account for your CI/CD tool to access Duplocloud and the underlying cloud.

When using a dedicated security account for pipeline access, you must make it available to the pipelines.

Duplocloud Service Account

To call the DuploCloud API from a job, obtain an . A good naming convention is to name it after the brand, so for Github just name the service account github or gitlab for Gitlab.

. Service Account users are usernames that are not an email address, such as github-bot or my-api-user. These users do not log in, but their account owns the API token.
Give the DuploCloud user access to the desired Tenant. See . You could give admin permissions as well.
Create an API token for that user. See .
Add a the following repository variables/secrets to the CI/CD environment.
- DUPLO_HOST The full url to the duplocloud portal
- DUPLO_TOKEN The API token from step 3

AWS IAM Role

Duplocloud will use the AWS STS to provide credentials during a CI/CD workflow. No extra steps needed. The running job will assume the IAM role associated to the tenant using the duplocloud credentials.

GCP Service Account

.
Select the project.
.
In your CI/CD tool, you will save the following two variables. Navigate to the
1. Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the Service Account.
2. Create a Variable named CLOUD_ACCOUNT with the Project ID or Name from GCP.

The JSON Credentials file you download has the following content:

GCP JSON Credentials file

{
  "type": "service_account",
  "project_id": "<project-id>",
  "private_key_id": "<private-key-id>",
  "private_key": "<private-key>",
  "client_email": "<client-email>",
  "client_id": "<client-id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<client-x509-cert-url>"
}

Azure Security Account

Create an Azure Security Account with needed permissions in Azure Entra ID.

The JSON Credential file has the following content:

Azure JSON Credentials file

{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>"
}

Within your CI/CD tool create the following variables.

Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the json credentials you downloaded from the service account
Create a Variable named CLOUD_ACCOUNT with the directory name for Azure.

Configure CI/CD Variables

Configure the variables mentioned in the steps above for your specific vendor. Foo Bar.