You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
refactor: remove all token injection from manual identity guides
Manual guide markdown files are now fully static with generic
'for each environment' instructions. No more dynamic rendering —
the identity-guide-service just returns the template content as-is.
This makes the guides easier to maintain.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
`- **${env}** — assign **Reader** on the resource group you will store in \`APIM_RESOURCE_GROUP_${env.toUpperCase()}\`, then assign **API Management Service Contributor** on the APIM instance you will store in \`APIM_SERVICE_NAME_${env.toUpperCase()}\`.`
Copy file name to clipboardExpand all lines: src/templates/identity/identity-guide-azure-devops.md
+13-13Lines changed: 13 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -55,31 +55,31 @@ Use **Access control (IAM)** on each resource group and APIM instance to create
55
55
56
56
> 📖 [Create an Azure Resource Manager service connection using workload identity federation](https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure)
57
57
58
+
For each environment, do the following steps:
59
+
58
60
1. In **Azure DevOps**, open **Project settings** → **Service connections** → **New service connection**.
59
61
2. Choose **Azure Resource Manager**.
60
62
3. Select **Workload identity federation**.
61
63
4. Use the app registration from Step 2.
62
-
5. Create one service connection per environment using the exact names below unless you also plan to edit the generated pipeline YAML and variable-group values:
63
-
64
-
| Environment | Required service connection name | Scope guidance |
65
-
|---|---|---|
66
-
{{SERVICE_CONNECTION_ROWS}}
67
-
64
+
5. Name the service connection `AZURE_SERVICE_CONNECTION_<ENV>` (replace `<ENV>` with the upper-case environment name) unless you plan to edit the generated pipeline YAML.
68
65
6. Complete the validation flow in Azure DevOps so the service connection can issue the issuer and subject values required for federation.
69
66
7. If Azure DevOps asks you to finish the federated credential in Azure, follow the linked experience or copy the issuer/subject into the app registration's **Federated credentials** blade in the Azure portal.
70
67
71
68
## Step 5: Create variable groups in Azure DevOps
72
69
73
70
> 📖 [Add and use variable groups in Azure Pipelines](https://learn.microsoft.com/azure/devops/pipelines/library/variable-groups)
74
71
75
-
1. Go to **Pipelines** → **Library** → **+ Variable group**.
76
-
2. Create one variable group per environment:
77
-
78
-
| Environment | Variable group name | Required variables |
79
-
|---|---|---|
80
-
{{VARIABLE_GROUP_ROWS}}
72
+
For each environment, do the following steps:
81
73
82
-
3. Include both the non-suffixed variables used by the extractor pipeline and the environment-suffixed APIM variables used by the publish pipeline.
74
+
1. Go to **Pipelines** → **Library** → **+ Variable group**.
75
+
2. Name the variable group `apim-<environment>` (e.g. `apim-dev`, `apim-prod`).
76
+
3. Add the following variables:
77
+
-`AZURE_SERVICE_CONNECTION` — the service connection name from Step 4
78
+
-`AZURE_SUBSCRIPTION_ID` — the Azure subscription ID for that environment
79
+
-`APIM_RESOURCE_GROUP` — the resource group containing the APIM instance
80
+
-`APIM_SERVICE_NAME` — the APIM service name
81
+
-`APIM_RESOURCE_GROUP_<ENV>` — same value, upper-case environment suffix (used by the publish pipeline)
82
+
-`APIM_SERVICE_NAME_<ENV>` — same value, upper-case environment suffix (used by the publish pipeline)
83
83
4. Authorize each variable group for pipeline use when Azure DevOps prompts you.
84
84
85
85
## Step 6: Create Azure DevOps environments and approvals
Copy file name to clipboardExpand all lines: src/templates/identity/identity-guide-github-actions.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,8 +6,7 @@
6
6
7
7
## Before you start
8
8
9
-
- Azure subscription: `{{SUBSCRIPTION_ID}}`
10
-
- Resource group containing an APIM instance: `{{RESOURCE_GROUP}}`
9
+
- An Azure subscription with an API Management instance
11
10
- GitHub repository admin access
12
11
- Permission in Microsoft Entra ID to create or manage app registrations
13
12
@@ -44,11 +43,12 @@ Helpful documentation:
44
43
45
44
> 📖 [Assign Azure roles using the Azure portal](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal)
46
45
47
-
1. In the **Azure portal**, open your API Management service.
46
+
For each environment, do the following steps:
47
+
48
+
1. In the **Azure portal**, open the resource group that contains the APIM instance for that environment.
48
49
2. Go to **Access control (IAM)** → **Add role assignment**.
49
-
3. For every environment configured by `apiops init`, assign access to the app registration or service principal:
50
-
{{ENVIRONMENT_AZURE_ACCESS_NOTES}}
51
-
4. If you are starting with a single shared APIM resource in resource group `{{RESOURCE_GROUP}}` and subscription `{{SUBSCRIPTION_ID}}`, those placeholders are the first values to replace.
50
+
3. Assign **Reader** on the resource group to the app registration.
51
+
4. Open the APIM service itself and assign **API Management Service Contributor** to the app registration.
52
52
5. Wait a few minutes for RBAC changes to propagate before you test the workflow.
53
53
54
54
## Step 4: Add federated credentials in Azure portal
@@ -64,18 +64,17 @@ Helpful documentation:
64
64
-**Entity type**: **Branch**
65
65
-**Branch name**: `main`
66
66
-**Credential name**: `github-main-branch`
67
-
4. Add one credential for each GitHub environment used by publish workflows:
68
-
69
-
| GitHub environment | Suggested credential name | Subject value |
70
-
|---|---|---|
71
-
{{FEDERATED_CREDENTIAL_ROWS}}
67
+
4. For each environment, add one additional federated credential:
68
+
-**Entity type**: **Environment**
69
+
-**Environment name**: the GitHub environment name (must match what you create in Step 5)
70
+
-**Credential name**: `github-env-<environment>`
72
71
73
72
## Step 5: Create GitHub environments in the web UI
74
73
75
74
> 📖 [Using environments for deployment](https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment)
76
75
77
76
1. In GitHub, go to **Settings** → **Environments**.
78
-
2.Create an environment for each deployment target used by`apiops init`.
77
+
2.For each environment, create a GitHub environment with the same name used during`apiops init`.
79
78
3. Add protection rules such as required reviewers for production environments if your process needs approvals.
80
79
81
80
## Step 6: Add repository and environment secrets in GitHub
@@ -86,9 +85,10 @@ Helpful documentation:
86
85
2. Under **Repository secrets**, create:
87
86
-`AZURE_CLIENT_ID` — the Application (client) ID from the app registration
88
87
-`AZURE_TENANT_ID` — the Directory (tenant) ID from the app registration
89
-
3. Then configure the environment secrets below:
90
-
91
-
{{ENVIRONMENT_SECRET_SECTIONS}}
88
+
3. For each environment, add the following **environment secrets**:
89
+
-`AZURE_SUBSCRIPTION_ID` — the Azure subscription ID for that environment
90
+
-`APIM_RESOURCE_GROUP_<ENV>` — the resource group containing the APIM instance (replace `<ENV>` with the upper-case environment name)
91
+
-`APIM_SERVICE_NAME_<ENV>` — the APIM service name (replace `<ENV>` with the upper-case environment name)
0 commit comments