Service Accounts

Setting up a dedicated service account for your CI/CD tool to access Duplocloud and the underlying cloud.

When using a dedicated security account for pipeline access, you must make it available to the pipelines.

Duplocloud Service Account

To call the DuploCloud API from a job, obtain an API token. A good naming convention is to name it after the brand, so for Github just name the service account github or gitlab for Gitlab.

  1. Create a Service Account user in DuploCloud. Service Account users are usernames that are not an email address, such as github-bot or my-api-user. These users do not log in, but their account owns the API token.

  2. Give the DuploCloud user access to the desired Tenant. See adding Tenant access for a user. You could give admin permissions as well.

  3. Create an API token for that user. See creating API Tokens.

  4. Add a the following repository variables/secrets to the CI/CD environment.

    • DUPLO_HOST The full url to the duplocloud portal

    • DUPLO_TOKEN The API token from step 3

AWS IAM Role

Duplocloud will use the AWS STS to provide credentials during a CI/CD workflow. No extra steps needed. The running job will assume the IAM role associated to the tenant using the duplocloud credentials.

GCP Service Account

  1. Select the project.

  2. In your CI/CD tool, you will save the following two variables. Navigate to the

    1. Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the JSON credentials you downloaded from the Service Account.

    2. Create a Variable named CLOUD_ACCOUNT with the Project ID or Name from GCP.

The JSON Credentials file you download has the following content:

GCP JSON Credentials file
{
  "type": "service_account",
  "project_id": "<project-id>",
  "private_key_id": "<private-key-id>",
  "private_key": "<private-key>",
  "client_email": "<client-email>",
  "client_id": "<client-id>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "<client-x509-cert-url>"
}

Azure Security Account

Create an Azure Security Account with needed permissions in Azure Entra ID.

The JSON Credential file has the following content:

Azure JSON Credentials file
{
  "clientId": "<client-id>",
  "clientSecret": "<client-secret>",
  "subscriptionId": "<subscription-id>",
  "tenantId": "<tenant-id>"
}

Within your CI/CD tool create the following variables.

  • Create a Secret named CLOUD_CREDENTIALS with the contents pasted from the json credentials you downloaded from the service account

  • Create a Variable named CLOUD_ACCOUNT with the directory name for Azure.

Configure CI/CD Variables

Configure the variables mentioned in the steps above for your specific vendor. Foo Bar.

Documentation guides for getting started using CI/CD with GitHub Actions

Documentation guides for getting started using CI/CD with CircleCI

Documentation guides for getting started using CI/CD with GitLab CI/CD

Documentation guides for getting started with BitBucket Pipelines

Documentation guides for getting started with Azure DevOps

Documentation guides for getting started using CI/CD with Katkit

Last updated

Logo

© DuploCloud, Inc. All rights reserved. DuploCloud trademarks used herein are registered trademarks of DuploCloud and affiliates