question

Ryan-3643 avatar image
0 Votes"
Ryan-3643 asked JeanPhilippeFortin-8354 commented

How to manually create the required Azure API token for deploying to Static Web Apps?

Hi folks,

We're trying to setup a Github Action that will deploy our software to Azure. Our software is not multi-tenant-aware, so we deploy a replica of the software into a fresh Azure Resource Group for each tenant. So far this has been no problem. Our Github Action has an event input into which we can provide the resource group name and from there it can deploy to that resource group.

With Static Web Apps, though, the Azure API token is generated behind a black box, as is the deployment process. I don't want to have a Github Action workflow and repository secret for each tenant that we want to deploy to.

It looks to me like the auto-generated secret likely somehow specifies which resource group to deploy to, since I see no other way for the "Azure/static-web-apps-deploy@v0.0.1-preview" Github Action to know where it is to be deploying to.

The Azure Portal automatically creates this secret token and adds it with a name like: AZURE_STATIC_WEB_APPS_API_TOKEN_LEMON_WAVE_00AD12A10

Obviously there is a way to create this token, but has that been discussed or outlined anywhere?

Ideally, I'd be able to create that token as-needed and perform a manual deploy using the Azure Static Web Apps Deploy Github Action into any resource group that I need, without duplicating workflows and github secrets.

The service itself seems great and like a clear upgrade over Azure Storage static web apps. The current deployment options are terrible though - why only from a specific github repo and to a specific Azure Resource Group? Why not expose the ability to deploy to anywhere as needed?

Any ideas?


azure-static-web-apps
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@Ryan-3643, Apologies for the delayed response. This is a good feedback, I'm checking on this internally with our product engineering team and will get back to you soon.
Thanks for your patience and co-operation in this matter!

1 Vote 1 ·

OK, thank you, @ajkuma-MSFT

0 Votes 0 ·

1 Answer

ajkuma-MSFT avatar image
0 Votes"
ajkuma-MSFT answered JeanPhilippeFortin-8354 commented

@Ryan-3643, The API token is not tied to a specific repo or branch, but is the permission to deploy to a particular Static Web App. Likewise, it has no tie to a particular resource group, it has a 1-1 relationship with a particular Static Web app.

It sounds like you want to have a single API token that can deploy to all of your Static Web Apps? This is not a good security model and is not recommended.
You can call an API today to retrieve a new API token and invalidate the old one, our product team is working on adding that to the Portal as well, but we do not have an ETA to share on this yet.

Hope this helps! Thanks again for your feedback.

· 3
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@ajkuma-MSFT

No, I'm not looking for a single API token that can deploy to all of my static web apps - although I'd use one if I could because that'd be easiest for me.

What I am looking for is a way to manually create that API token myself.

Currently, the only way to create one, that I know if, is through the Azure Portal's Static Web App create workflow. It creates the token but adds it to GitHub using a randomized secret name.

I may end up with many deployments, all with their own random API token. Impossible to manage that. They end up with names like LEMON_PINK_GUMDROP and stuff. I have two at the moment, for deploying to static web apps, and I already forget which ones they're for.

We deploy our various software up to our Azure services by using a GitHub Action workflow. The workflow for deploying the Static Web App requires that API token.

How can I manually create that API token?

0 Votes 0 ·

Thanks for the follow-up and sharing more details.

  1. Azure adds a GitHub Repo secret (LEMON_PINK_X) during create that contains the API token as its value - There is a way to manually set the name of the GH secret if you deploy from an ARM template, so if the problem is the name of the GitHub Repo secret then that may be a solution.

  2. Users cannot generate their own API token to validate Azure Static Web Apps service. The format of the API token and validation is provided by Azure. However, as mentioned, you can call an API today to retrieve a new API token and invalidate the old one. Our product team is working on adding that to the Portal as well, but we do not have an ETA to share on this yet.

Hope it helps!



0 Votes 0 ·

What is the API to retrieve a new API token? I cannot find any doc on that. Thanks!

0 Votes 0 ·