How to get `deployment_token` using CLI or ARM template?

Azure / static-web-apps

Azure Static Web Apps. For bugs and feature requests, please create an issue in this repo. For community discussions, latest updates, kindly refer to the Discussions Tab. To know what's new in Static Web Apps, visit https://aka.ms/swa/ThisMonth

https://aka.ms/swa

MIT License

324 stars 56 forks source link

How to get `deployment_token` using CLI or ARM template? #444

Closed mauve closed 2 years ago

mauve commented 3 years ago

To automate stage setup and deployment I would like to be able to get the deployment_token using the CLI so that I can acquire the token in my pipeline before I deploy from Azure DevOps.

I couldn't find a way to do that.

Even better of course would be if I could just use my AAD credentials instead of a special credential to do my deployments.

anthonychu commented 3 years ago

There’s no Azure CLI command for token management yet but it’s tracked here and you can see the az rest command that you can use for now to retrieve the token: https://github.com/Azure/azure-cli/issues/16470#issue-782483120

The request for authenticating using service principal is here but not something we have committed to add yet: #312

ebuzyuma commented 3 years ago

As for ARM templates, I managed to get it like this:

    "variables": {
        "resourceId": "[resourceId('Microsoft.Web/staticSites/', parameters('webAppName'))]"
    },

    "outputs": {
        "deploymentToken": {
            "type": "string",
            "value": "[listSecrets(variables('resourceId'), '2019-08-01').properties.apiKey]"
        }
    }

MPapst commented 2 years ago

Found this through google. az staticwebapp secrets list is working in az cli 2.30.0

LayZeeDK commented 2 years ago

@ebuzyuma According to Bicep lint rule outputs-should-not-contain-secrets, outputting sensitive data is a bad idea:

Don't include any values in an output that could potentially expose secrets. For example, secure parameters of type secureString or secureObject, or list* functions such as listKeys. The output from a template is stored in the deployment history, so a malicious user could find that information.

johnnyreilly commented 2 years ago

Here's an example pipeline that acquires the secrets used for deployment; https://johnnyreilly.com/azure-static-web-app-deploy-previews-with-azure-devops#azure-pipelines-tweaks

Reshmi-Sriram commented 2 years ago

Hey all, as @MPapst has mentioned above, we can officially get the deployment token now from the AZ CLI using az staticwebapp secrets list. For more information, check out the official documentation. Closing this issue.

austincrft commented 11 months ago

you can also get this with the Az.Websites powershell module

$secrets = Get-AzStaticWebAppSecret -ResourceGroupName foo -Name $appServiceName
$apiKey = (ConvertFrom-Json $secrets.ToJsonString()).properties.apiKey

AdamPrendergast commented 6 months ago

Amazing... thanks @austincrft

Feels like the Powershell option should be added to the docs here: https://learn.microsoft.com/en-us/azure/static-web-apps/static-web-apps-cli-deploy