How to manually create the required Azure API token for deploying to Static Web Apps?

Ryan 1 Reputation point

Hi folks,

We're trying to setup a Github Action that will deploy our software to Azure. Our software is not multi-tenant-aware, so we deploy a replica of the software into a fresh Azure Resource Group for each tenant. So far this has been no problem. Our Github Action has an event input into which we can provide the resource group name and from there it can deploy to that resource group.

With Static Web Apps, though, the Azure API token is generated behind a black box, as is the deployment process. I don't want to have a Github Action workflow and repository secret for each tenant that we want to deploy to.

It looks to me like the auto-generated secret likely somehow specifies which resource group to deploy to, since I see no other way for the "Azure/static-web-apps-deploy@v0.0.1-preview" Github Action to know where it is to be deploying to.

The Azure Portal automatically creates this secret token and adds it with a name like: AZURE_STATIC_WEB_APPS_API_TOKEN_LEMON_WAVE_00AD12A10

Obviously there is a way to create this token, but has that been discussed or outlined anywhere?

Ideally, I'd be able to create that token as-needed and perform a manual deploy using the Azure Static Web Apps Deploy Github Action into any resource group that I need, without duplicating workflows and github secrets.

The service itself seems great and like a clear upgrade over Azure Storage static web apps. The current deployment options are terrible though - why only from a specific github repo and to a specific Azure Resource Group? Why not expose the ability to deploy to anywhere as needed?

Any ideas?

Azure Static Web Apps
Azure Static Web Apps
An Azure service that provides streamlined full-stack web app development.
624 questions
{count} votes

1 answer

Sort by: Most helpful
  1. ajkuma 18,926 Reputation points Microsoft Employee

    @Ryan , The API token is not tied to a specific repo or branch, but is the permission to deploy to a particular Static Web App. Likewise, it has no tie to a particular resource group, it has a 1-1 relationship with a particular Static Web app.

    It sounds like you want to have a single API token that can deploy to all of your Static Web Apps? This is not a good security model and is not recommended.
    You can call an API today to retrieve a new API token and invalidate the old one, our product team is working on adding that to the Portal as well, but we do not have an ETA to share on this yet.

    Hope this helps! Thanks again for your feedback.