Service Accounts

Setting up a dedicated service account for your CI/CD tool to access DuploCloud and the underlying cloud.

When using a dedicated security account for pipeline access, you must make it available to the pipelines.

DuploCloud Service Account

To call the DuploCloud API from a job, obtain an API token. A good naming convention is to name the service account after the brand: github for GitHub, or gitlab for GitLab.

  1. Create a Service Account user in DuploCloud. Service Account users are usernames that are not an email address, such as github-bot or my-api-user. These users do not log in, but their account owns the API token.

  2. Give the DuploCloud user access to the desired Tenant. See adding Tenant access for a user. You could give admin permissions as well.

  3. Create an API token for that user. See creating API Tokens.

  4. Add the following repository variables/secrets to the CI/CD environment.

    • DUPLO_HOST: The full URL of the DuploCloud portal

    • DUPLO_TOKEN: The API token from step 3

AWS IAM Role

DuploCloud uses AWS STS to provide credentials during a CI/CD workflow, so no extra steps are needed. The running job assumes the IAM role associated with the Tenant using the DuploCloud credentials.

GCP Service Account

  1. Select the project.

  2. In your CI/CD tool, you will save the following two variables. Navigate to the

    1. Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the Service Account.

    2. Create a Variable named CLOUD_ACCOUNT with the Project ID or Name from GCP.

The JSON Credentials file you download has the following content:

GCP JSON Credentials file
{
  "type": "service_account",
  "project_id": "<project-id>",
  "private_key_id": "<private-key-id>",
  "private_key": "<private-key>",
  "client_email": "<client-email>",
  "client_id": "<client-id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<client-x509-cert-url>"
}

Azure Security Account

Create an Azure Security Account with needed permissions in Azure Entra ID.

The JSON Credential file has the following content:

Azure JSON Credentials file
{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>"
}

Within your CI/CD tool create the following variables.

  • Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the service account.

  • Create a Variable named CLOUD_ACCOUNT with the directory name for Azure.

Configure CI/CD Variables

Configure the variables mentioned in the steps above for your specific vendor.

Documentation guides for getting started with BitBucket Pipelines

Documentation guides for getting started with Azure DevOps
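
A pre-flight check a pipeline job could run before calling DuploCloud, as an added example that is not DuploCloud's own code: it confirms the variables from the steps above are set and that CLOUD_CREDENTIALS matches the GCP or Azure layout shown earlier, reporting only variable and key names, never values. The function names, the https requirement on DUPLO_HOST, and the check for leftover `<placeholder>` values are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Required keys, taken from the two credential layouts shown on this page.
GCP_KEYS = ("type", "project_id", "private_key_id", "private_key", "client_email", "client_id", "token_uri")
AZURE_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")


def _absent(doc, key):
    """True when a key is missing, empty, or still a <template> placeholder."""
    value = str(doc.get(key) or "")
    return not value or (value.startswith("<") and value.endswith(">"))


def credential_kind(raw):
    """Return (kind, missing_keys); kind is "gcp", "azure" or None."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError):
        doc = None
    if not isinstance(doc, dict):
        return None, []
    if doc.get("type") == "service_account":
        return "gcp", sorted(k for k in GCP_KEYS if _absent(doc, k))
    if "clientId" in doc or "tenantId" in doc:
        return "azure", sorted(k for k in AZURE_KEYS if _absent(doc, k))
    return None, []


def check_pipeline_env(env):
    """Return a list of problems; messages name variables and keys, never values."""
    problems = []
    host = urlparse(env.get("DUPLO_HOST", ""))
    if host.scheme != "https" or not host.netloc:  # https is this example's assumption
        problems.append("DUPLO_HOST must be a full https:// URL")
    if not env.get("DUPLO_TOKEN", "").strip():
        problems.append("DUPLO_TOKEN is empty or unset")
    raw = env.get("CLOUD_CREDENTIALS")
    if raw is not None:  # AWS jobs set no cloud credentials (STS via DuploCloud)
        kind, missing = credential_kind(raw)
        if kind is None:
            problems.append("CLOUD_CREDENTIALS is not a recognised GCP or Azure JSON document")
        elif missing:
            problems.append(f"CLOUD_CREDENTIALS ({kind}) is missing: {', '.join(missing)}")
        if not env.get("CLOUD_ACCOUNT", "").strip():
            problems.append("CLOUD_ACCOUNT is empty or unset")
    return problems
```

In a job, call `check_pipeline_env(os.environ)` as the first step and fail the job if the returned list is not empty.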
