I’ve poked around the source to try to figure out how the cloud deployment works & to possibly add this feature but so far coming up empty. I’m currently deploying my site to Azure using the built-in CLI deploy command and injecting the Azure storage blob account name & key as envvars. However, a more secure option is to not use keys, rather use service principals.
I think hugo deploy is using the Azure CLI under the covers for the deployment…
When using account names & keys, the Azure CLI expects both to be either environment variables or passed in as parameters when uploading to the storage container. Appears Hugo does this via environment variables (that’s how I have it working in my GH action).
But if you want to use a service principal, you make the following changes:
- login to Azure via the Azure CLI:
az login --service-principal --tenant $TENANTID --username $CLIENTID --password $CLIENTSECRET
- omit the storage key from the Azure CLI command envvars/arguments, but add the argument --auth-mode login to the Azure CLI storage blob command
So the question… is this possible today but if not, any pointers in the codebase (yes, I’ve checked the /deploy folder and still unclear) where I could create an issue & ultimately PR to contribute?