Azure deployment with service principal (without blob key)... possible?

I’ve poked around the source to try to figure out how the cloud deployment works & to possibly add this feature but so far coming up empty. I’m currently deploying my site to Azure using the built-in CLI deploy command and injecting the Azure storage blob account name & key as envvars. However, a more secure option is to not use keys, rather use service principals.

I think hugo deploy is using the Azure CLI under the covers for the deployment…

When using account names & keys, the Azure CLI expects both to be either environment variables or passed in as parameters when uploading to the storage container. Appears Hugo does this via environment variables (that’s how I have it working in my GH action).

But if you want to use a service principal, you make the following changes:

  1. login to Azure via the Azure CLI: az login --service-principal --tenant $TENANTID --username $CLIENTID --password $CLIENTSECRET
  2. omit the storage key from the Azure CLI command envvars/arguments, but add the argument --auth-mode login to the Azure CLI storage blob command

So the question… is this possible today but if not, any pointers in the codebase (yes, I’ve checked the /deploy folder and still unclear) where I could create an issue & ultimately PR to contribute?
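To make the two-step flow above concrete, here is an added example script (my own, not code from the post, from Hugo, or from the Azure CLI docs) that logs in with a service principal and uploads the built site with `--auth-mode login`, so the pipeline never holds a storage account key at all. The variable names `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET` and `AZURE_STORAGE_ACCOUNT`, the `./public` output directory and the `$web` static-website container are assumptions; `DRY_RUN=1` prints the commands (with the secret redacted) instead of calling `az`, and the script refuses to run if a leftover `AZURE_STORAGE_KEY` is still present, since a key that is still being distributed is exactly what this flow is meant to remove.

```shell
#!/bin/sh
# Added example, not from the original post: deploy a Hugo site to Azure Blob
# static hosting using a service principal (RBAC) instead of a storage key.
# Assumed (hypothetical) names: AZURE_TENANT_ID, AZURE_CLIENT_ID,
# AZURE_CLIENT_SECRET, AZURE_STORAGE_ACCOUNT, ./public output dir, $web container.
# DRY_RUN=1 prints the commands instead of executing az.

# Execute a command, or print it when DRY_RUN is set. The client secret is
# redacted in the printed form so a dry run is safe to keep in CI logs.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    line=""
    for a in "$@"; do
      if [ -n "${AZURE_CLIENT_SECRET:-}" ] && [ "$a" = "$AZURE_CLIENT_SECRET" ]; then
        a='<redacted>'
      fi
      line="$line $a"
    done
    printf '%s\n' "${line# }"
  else
    "$@"
  fi
}

# Ensure a variable is set, naming it without ever printing its value.
require_var() {
  eval "v=\${$1:-}"
  [ -n "$v" ] || { echo "missing required variable: $1" >&2; return 1; }
}

# With service principal auth the account key must not be present at all:
# if AZURE_STORAGE_KEY is still set, the old secret is still being handed to
# the pipeline and an upload could silently fall back to key auth.
check_no_storage_key() {
  [ -z "${AZURE_STORAGE_KEY:-}" ] || {
    echo "AZURE_STORAGE_KEY is set; remove it from the pipeline secrets" >&2
    return 1
  }
}

# Step 1: sign in as the service principal (tenant, app id, client secret).
login_service_principal() {
  require_var AZURE_TENANT_ID && require_var AZURE_CLIENT_ID && require_var AZURE_CLIENT_SECRET || return 1
  run az login --service-principal --tenant "$AZURE_TENANT_ID" \
    --username "$AZURE_CLIENT_ID" --password "$AZURE_CLIENT_SECRET"
}

# Step 2: upload the built site. --auth-mode login makes the CLI use the
# signed-in identity's RBAC role on the container instead of a key, so no
# key is passed as an argument or environment variable.
upload_site() {
  require_var AZURE_STORAGE_ACCOUNT || return 1
  run az storage blob upload-batch --account-name "$AZURE_STORAGE_ACCOUNT" \
    --destination '$web' --source "${1:-public}" --auth-mode login
}

# Full deploy: refuse if a key is lying around, then login and upload.
deploy() {
  check_no_storage_key && login_service_principal && upload_site "$1"
}

# Stand-alone use: DEPLOY_MAIN=1 DRY_RUN=1 sh deploy.sh public
if [ "${DEPLOY_MAIN:-0}" = "1" ]; then
  deploy "${1:-public}"
fi
```

The service principal needs the "Storage Blob Data Contributor" role (or equivalent) on the target container for `--auth-mode login` to succeed; that role assignment, rather than a shared key, is what authorizes the upload, and it can be revoked per identity without rotating the account key.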

I haven’t written a line of code in the deploy package, so I suggest you paste this into an issue on GitHub and tag @vangent – he is usually very responsive.


Will do… thanks.