
Credentials

Follow the instructions below for your cloud and preferred method to create the necessary credentials:

AWS

One Click Role

How Massdriver uses your role

To keep your environment secure, Massdriver uses a role with a trust policy to access your AWS account for provisioning and monitoring of your infrastructure. The account that assumes this role is private and has no access from the public internet.

Click the quick add button

Choose a friendly name for your AWS role.

Click here to run a hosted CloudFormation stack on AWS which will create a new role in your account with the permissions required to provision infrastructure in Massdriver. The external ID for the role (required to prevent confused deputy attacks) will be unique and auto-generated in the URL for the CloudFormation stack. Do not change this value in the URL.

Run the CloudFormation stack

Once you are in your AWS console, review the resource creation. Click the Create stack button to provision the role.

Copy the role ARN to Massdriver

Once the CloudFormation stack has completed its task, select the outputs tab and copy the value of the CustomProvisioningRoleArn output. Paste the value into the AWS ARN field in the credentials creation form.

Add the friendly name you chose to the Credential Name field. Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

CLI

Create a role with a trust policy

Choose a friendly name for your AWS role and use it in place of YOUR_ROLE_NAME below.

Run the following command with the AWS CLI to create an IAM Role with a trust policy (the external ID is unique and auto-generated; use it in place of YOUR_EXTERNAL_ID):

aws iam create-role --role-name=YOUR_ROLE_NAME --description="Massdriver Cloud Provisioning Role" --assume-role-policy-document='{"Version":"2012-10-17","Statement":[{"Sid":"MassdriverCloudProvisioner","Effect":"Allow","Principal":{"AWS":["308878630280"]},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"sts:ExternalId":"YOUR_EXTERNAL_ID"}}}]}'

Assign the role administrator privileges

Run this command to give Massdriver administrator privileges:

aws iam attach-role-policy --role-name=YOUR_ROLE_NAME --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess

Import role to Massdriver

Insert your friendly name in the Credential Name field. Then set AWS ARN as arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_ROLE_NAME and your external ID as the External ID. Click Create and head to the projects page to start building your infrastructure.
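To confirm that the role's trust policy admits only the Massdriver account and requires the external ID, the following added example (not part of the original page and not Massdriver's code) audits a trust policy document offline. The function names, the sample documents and the external ID value are constructed for illustration.

```python
import json
MASSDRIVER_ACCOUNT = "308878630280"  # Massdriver account ID given on this page

def _as_list(value):
    # IAM accepts a single string wherever a list of strings is allowed.
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accept a bare account ID or the ARN form (arn:aws:iam::ID:root).
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(document, external_id, account=MASSDRIVER_ACCOUNT):
    """Return a list of findings; an empty list means the policy is as expected."""
    policy = json.loads(document) if isinstance(document, str) else document
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    findings = []
    for stmt in allows:
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "Principal": "*"
            findings.append(f"{sid}: wildcard principal")
            continue
        extra = sorted(set(principal) - {"AWS"})  # Service, Federated, ...
        if extra:
            findings.append(f"{sid}: unexpected principal types {extra}")
        for p in _as_list(principal.get("AWS", [])):
            if _account_of(p) != account:
                findings.append(f"{sid}: unexpected principal {p}")
        # Only the exact-match form from the page's command is accepted here.
        ids = _as_list(stmt.get("Condition", {})
                       .get("StringEquals", {}).get("sts:ExternalId", []))
        if not external_id or ids != [external_id]:
            findings.append(f"{sid}: sts:ExternalId missing, empty or unexpected")
    return findings

# Constructed sample documents; the external ID is a made-up placeholder.
EXTERNAL_ID = "example-external-id-0000"
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "MassdriverCloudProvisioner", "Effect": "Allow",
    "Principal": {"AWS": ["308878630280"]}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]})
NO_CONDITION = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "MassdriverCloudProvisioner", "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::308878630280:root"}}]})
```

The document argument can be the AssumeRolePolicyDocument returned by aws iam get-role for the role; a policy whose external ID is empty is reported even if it otherwise matches.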

Console

Create a role

Choose a friendly name for your AWS role.

  1. Sign in to the AWS Management Console
  2. In the search bar, type IAM and select the IAM service
  3. In the left-hand menu, select Roles
  4. Click Create role
  5. Select Another AWS account for the role type
  6. For the account ID enter 308878630280. This is the Massdriver account which contains the role that will use the one you are creating now
  7. Check the Require external ID box and enter your unique, auto-generated external ID
  8. Make sure that the Require MFA option is unchecked
  9. Click Next: Permissions
  10. Select the AdministratorAccess policy
  11. Select Next: Tags
  12. Add a tag with the key massdriver
  13. Set Role name to your friendly name and add a description to the role

Then, in the Massdriver credentials creation form:

  1. Set Credential Name to your friendly name
  2. Paste the AWS ARN for the role in the AWS ARN field: arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/YOUR_ROLE_NAME
  3. Paste your external ID into the External ID field
  4. Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

Azure

CLI

Install Azure CLI

To get started, you'll need the Azure CLI installed locally on your machine. The Azure Cloud Shell available in the Azure Portal does not have the ability to grant the service principal the required permissions.

Choose a friendly name for your Azure service principal and use it in place of YOUR_SERVICE_PRINCIPAL_NAME below.

  1. Obtain your subscription ID. Paste this command into the command line to list your subscriptions, and use your subscription ID in place of YOUR_SUBSCRIPTION_ID below:

az account list --output table

  2. Paste this command into the command line to create an Azure service principal:

az ad sp create-for-rbac --name YOUR_SERVICE_PRINCIPAL_NAME --role contributor --scopes /subscriptions/YOUR_SUBSCRIPTION_ID

  3. Copy the outputs and paste them into Massdriver:
  • your friendly name → Credential Name
  • appId → Client ID
  • password → Client Secret
  • your subscription ID → SubscriptionId
  • tenant → Tenant ID

Once finished, click the Create button in Massdriver to create your credential.

Console

Registering the service principal app in Azure AD

Choose a friendly name for your Azure service principal.

  1. Sign into your Azure account through the Azure portal
  2. Search for and select Microsoft Entra ID
  3. Select App registration
  4. Select New registration
  5. Name your application with your friendly name
  6. Select Accounts in this organization directory only
  7. Leave Redirect URI blank
  8. Click Register
  9. In the Overview menu, copy the Application (client) ID
  10. Save this value as your Azure client ID
  11. Copy the Directory (tenant) ID
  12. Save this value as your Azure tenant ID
  13. Select Certificates & secrets on the left
  14. Select New client secret
  15. Set the description to platform, set expiration date, and click Add
  16. Copy the Value password. Do not use the Secret ID
  17. Save this value as your Azure client secret

Assign the subscription Owner role to the service principal

  1. In the Azure portal, search for and select Subscription
  2. Select the subscription you want to use in Massdriver
  3. In the Overview menu, copy your Subscription ID
  4. Save this value as your Azure subscription ID
  5. Select Access control (IAM)
  6. Select Add > Add role assignment
  7. Select the Privileged Administrator Roles tab, then the Owner role, and click Next
  8. Select Select members, search for your service principal's friendly name, click on the service principal, click Select at the bottom, then Next
  9. Select Allow user to assign all roles except privileged administrator roles and click Next, then Review + assign twice to finish.

Adding the Azure service principal to your Massdriver organization

  1. In Massdriver, click on the menu on the top left and expand Organization Settings
  2. Click Configure Credentials
  3. Select Azure Service Principal
  4. Fill in the fields as guided below:
  • Credential Name (your friendly name)
  • Client ID (the Application (client) ID)
  • Client Secret (the client secret Value)
  • Subscription ID (your Subscription ID)
  • Tenant ID (the Directory (tenant) ID)

Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

GCP

CLI

Create the service account

Choose a friendly name for your GCP service account and use it in place of YOUR_SERVICE_ACCOUNT_NAME below.

Using the gcloud CLI, paste the following command in a terminal to create a service account for Massdriver to use:

gcloud iam service-accounts create YOUR_SERVICE_ACCOUNT_NAME --description="Massdriver Service Account" --display-name=YOUR_SERVICE_ACCOUNT_NAME

Assign the service account the owner role

Use your GCP project ID in place of YOUR_PROJECT_ID below.

Paste the following command to assign the service account the owner role:

gcloud projects add-iam-policy-binding YOUR_PROJECT_ID --member=serviceAccount:YOUR_SERVICE_ACCOUNT_NAME@YOUR_PROJECT_ID.iam.gserviceaccount.com --role=roles/owner

Create a service account key

Massdriver needs a service account key to access the GCP API. To create one, paste the following command into a terminal:

gcloud iam service-accounts keys create md-YOUR_SERVICE_ACCOUNT_NAME-key.json --iam-account=YOUR_SERVICE_ACCOUNT_NAME@YOUR_PROJECT_ID.iam.gserviceaccount.com

Attach the .json file created by the above command to the Artifact Data field on the form.

Set the Credential Name to your friendly name and click Create to add the credential to Massdriver. Head to the projects page to start building your infrastructure.

Console

Create a service account

Choose a friendly name for your GCP service account.

  1. Log in to the Google Cloud Console and navigate to the IAM/Service Accounts page.
  2. Click Create service account
  3. Fill in the form with the following details:
  • Service account name: your friendly name
  • Service account ID: your friendly name
  • Service account description: Massdriver Service Account (optional)
  4. Click Create and Continue
  5. Give your new service account Owner permissions so Massdriver can manage your infrastructure
  6. Click Continue
  7. Leave the grant users section blank. Click Done
  8. Click the ID of the newly created service account
  9. Click the Keys tab
  10. Using the add key dropdown, select Create new key
  11. Select JSON and click Create

Attach the .json file created in the above step to the Artifact Data field on the form.

Set the Credential Name to your friendly name and click Create to add the credential to Massdriver. Head to the projects page to start building your infrastructure.