Credentials

Follow the specific cloud and preferred method to create the necessary credentials below:

AWS

One Click Role

How Massdriver uses your role

To keep your environment secure, Massdriver uses a role with a trust policy to access your AWS account for provisioning and monitoring of your infrastructure. The account that assumes this role is private and has no access from the public internet.

One click role creation

Enter a friendly name for your AWS role here:

Click here to run a hosted CloudFormation stack on AWS which will create a new role in your account with the permissions required to provision infrastructure in Massdriver. The external ID for the role (required to prevent confused deputy attacks) will be unique and auto-generated in the URL for the CloudFormation stack. Do not change this value in the URL.

Run the CloudFormation stack

Once you are in your AWS console, review the resource creation. Click the Create stack button to provision the role.

Import rol to Massdriver

Once the CloudFormation stack has completed its task, select the outputs tab and copy the value of the CustomProvisioningRoleArn output.

• Paste the ARN into the AWS ARN field.
• Set as the Credential Name.
• Set Loading... as the External ID.

Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

AWS CLI

How Massdriver uses your role

To keep your environment secure, Massdriver uses a role with a trust policy to access your AWS account for provisioning and monitoring of your infrastructure. The account that assumes this role is private and has no access from the public internet.

Create a role with a trust policy

Enter a friendly name for your AWS role here:

Run the following command with the AWS CLI to create an IAM Role with a trust policy (the external ID is unique and auto-generated):

aws iam create-role --role-name= --description="Massdriver Cloud Provisioning Role" --assume-role-policy-document='{"Version":"2012-10-17","Statement":[{"Sid":"MassdriverCloudProvisioner","Effect":"Allow","Principal":{"AWS":["308878630280"]},"Action":"sts:AssumeRole","Condition":{"StringEquals":{ "sts:ExternalId":""}}}]}'
  

Assign the role administrator privileges

Run this command to give Massdriver administrator privileges:

aws iam attach-role-policy --role-name= --policy-arn=arn:aws:iam::aws:policy/AdministratorAccess

Import role to Massdriver

• Set in the Credential Name field.
• Set arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/ as AWS ARN.
• Set Loading... as the External ID.

Click Create and head to the projects page to start building your infrastructure.

AWS Console

How Massdriver uses your role

To keep your environment secure, Massdriver uses a role with a trust policy to access your AWS account for provisioning and monitoring of your infrastructure. The account that assumes this role is private and has no access from the public internet.

Create a role

Enter a friendly name for your AWS role here:

1. Sign in to the AWS Management Console
2. In the search bar, type IAM and select the IAM service
3. In the left-hand menu, select Roles
4. Click Create role

5. Select Another AWS account for the role type

6. For the account ID enter 308878630280. This is the Massdriver account which contains the role that will use the one you are creating now
7. Check the Require external ID box and enter Loading....
8. Make sure that the Require MFA option is unchecked

9. Click Next: Permissions
10. Select the AdministratorAccess policy

11. Select Next: Tags
12. Add a tag with the key massdriver

13. Set Role name to and add a description to the role

14. Set Credential Name to

15. Paste the AWS ARN for the role in the AWS ARN field: arn:aws:iam::YOUR_AWS_ACCOUNT_ID:role/

16. Paste Loading... in to the External ID field

17. Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

Azure

Azure CLI

Install Azure CLI

To get started, you'll need the Azure CLI installed locally on your machine. The Azure Cloud Shell available in the Azure Portal does not have the ability to grant the service principal the required permissions.

Enter a friendly name for your Azure service principal here:

1. Obtain your subscription ID

Paste this script into the command-line to list your subscriptions:

az account list --output table

Enter your Azure subscription ID here:

2. Paste this script in the command-line to create an Azure service principal:

az ad sp create-for-rbac --name  --role contributor --scopes /subscriptions/

3. Copy the outputs and paste them into Massdriver:

• → Credential Name
• appId → Client ID
• password → Client Secret
• → SubscriptionId
• tenant → Tenant ID

Once finished, click the Create button in Massdriver to create your credential.

Azure Portal

Registering the service principal app in Azure AD

Enter a friendly name for your Azure service principal here:

1. Sign into your Azure account through the Azure portal
2. Search for and select Microsoft Entra ID
3. Select App registration
4. Select New registration

5. Name your application:
6. Select Accounts in this organization directory only
7. Leave Redirect URI blank

8. Click Register
9. In the Overview menu, copy the Application (client) ID
10. Enter your Azure service principal client ID here:
    
    
11. Copy the Directory (tenant) ID
12. Enter your Azure tenant ID here:
    
    

13. Select Certificates & secrets on the left
14. Select New client secret
15. Set the description to platform, set expiration date, and click Add

16. Copy the Value password. Do not use the Secret ID
17. Enter your Azure service principal client secret here:
    
    

Assign subscription Owner the service principal

1. In the Azure portal, search for and select Subscription
2. Select the subscription you want to use in Massdriver
3. In the Overview menu, copy your Subscription ID
4. Enter your Azure subscription ID here:
   
   
5. Select Access control (IAM)
6. Select Add > Add role assignment
7. Select Privileged Administrator Roles tab and then the Owner role and click Next
8. Select Select members, search for , click on the service principal, and then click Select at the bottom, then Next
9. Select Allow user to assign all roles except privileged administrator roles and click Next then Review + assign twice to finish.

Adding the Azure service principal to your Massdriver organization

1. In Massdriver, click on the menu on the top left and expand Organization Settings
2. Click Configure Credentials
3. Select Azure Service Principal
4. Fill in the fields as guided below:

• Credential Name ()
• Client ID ()
• Client Secret ()
• Subscription ID ()
• Tenant ID ()

Click Create to add the credential to Massdriver and head to the projects page to start building your infrastructure.

GCP

gcloud CLI

Create the service account

Enter a friendly name for your GCP service account here:

Using gcloud CLI, paste the following command in a terminal to create a service account for Massdriver to use:

gcloud iam service-accounts create  --description="Massdriver Service Account" --display-name=

Assign the service account the owner role

Enter your GCP project ID here:

Paste the following command to assign the service account the owner role:

gcloud projects add-iam-policy-binding  --member=serviceAccount:@.iam.gserviceaccount.com --role=roles/owner

Create a service account key

Massdriver needs a service account key to access the GCP API. To create one paste the following command into a terminal:

gcloud iam service-accounts keys create md--key.json --iam-account=@.iam.gserviceaccount.com

Attach the .json file created in the above command in to the Artifact Data field on the form.

Set the Credential Name to and click Create to add the credential to Massdriver. Head to the projects page to start building your infrastructure.

Google Cloud Console

Create a service account

Enter a friendly name for your GCP service account here:

1. Log in to the Google Cloud Console and navigate to the IAM/Service Accounts page.

2. Click Create service account

3. Fill in the form with the following details:

• Service account name:
• Service account ID:
• Service account description: Massdriver Service Account (optional)

4. Click Create and Continue

5. Give your new service account Owner permissions so Massdriver can manage your infrastructure
6. Click Continue

7. Leave the grant users section blank. Click Done

8. Click the ID of the newly created service account

9. Click the Keys tab
10. Using the add key dropdown, select Create new key

11. Select JSON and click Create

Attach the .json file created in the above step in to the Artifact Data field on the form.

Set the Credential Name to and click Create to add the credential to Massdriver. Head to the projects page to start building your infrastructure.