Step 1: Download Azure app registration IaC template or script (API)
Before you can create a Cloud Environment for an Azure subscription, you must download a Terraform infrastructure as code (IaC) template or Azure CLI Bash script declaring the following resources: an Entra ID app registration, a federated identity credential, and a service principal.
This infrastructure gives Snyk read-only permission to scan the configuration of resources in your subscription.
You will use the IaC template or Bash script you downloaded to provision the infrastructure in Step 2: Create the Entra ID app registration (API).
Both methods create the same infrastructure, so pick the method you are most comfortable working with.
Retrieve the IaC template or script
To retrieve the IaC template from the Snyk API, you need the API token for a Snyk Organization-level service account with an Org Admin role.
You also need the subscription and tenant IDs of the Azure subscription you are onboarding. You can find them using the method described in the Azure documentation.
In the Snyk Web UI, navigate to Settings (cog icon) > General > Organization ID and copy your Organization ID.
Send a request to the Snyk API in the following format, replacing INPUT-TYPE with tf for Terraform or bash for Bash:
If you plan to use the Azure Cloud Shell to execute the Bash script instead of running the Azure CLI locally, execute the curl command above in the Cloud Shell.
Understand the API response
The response is a JSON document like the ones that follow (trimmed for length).
Example response with Terraform configuration:
Example response with Bash script:
Unescape the JSON
The data.attributes.data field in the preceding output is an escaped JSON string containing the Terraform template or Bash script with the Entra ID app registration, federated identity credential, and service principal.
Before you can use the template to provision the resources, you need to unescape the JSON. This can be accomplished in the following ways:
Use jq
Download and install jq.
When you are submitting the API request during template retrieval, append the following to the end of the command:
| jq -r .data.attributes.data > snyk_azure_permissions
This will place the properly formatted template into the file snyk_azure_permissions in your current working directory.
Rename the file with a .tf (Terraform) or .sh (Bash) extension.
Transform the content manually
Copy the contents of data.attributes.data from the API response, excluding the double quote at the very beginning and the very end of the value. You should end up with a long string starting with provider \"azuread\" (Terraform) or objectId=$(az ad app create (Bash).
Paste the string into a tool such as FreeFormatter.com to unescape the JSON.
Save the unescaped output as a new .tf file (Terraform) or .sh file (Bash).
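The unescaping can also be done locally, without pasting the response into an online tool. The following Python script is an added example, not part of the Snyk documentation: it reads the saved API response, extracts data.attributes.data, picks the extension from the opening text described above, and writes the file non-executable so it can be reviewed before use. The function names and the script name are hypothetical.

```python
import json
import os
import sys

# Opening text of each artifact, as described on this page.
SIGNATURES = {
    'provider "azuread"': ".tf",           # Terraform template
    "objectId=$(az ad app create": ".sh",  # Azure CLI Bash script
}


def extract_template(response_text):
    """Return (content, extension) from a Snyk API response body."""
    doc = json.loads(response_text)  # json.loads unescapes the nested string
    try:
        content = doc["data"]["attributes"]["data"]
    except (KeyError, TypeError):
        raise ValueError("response has no data.attributes.data field")
    if not isinstance(content, str):
        raise ValueError("data.attributes.data is not a string")
    for prefix, ext in SIGNATURES.items():
        if content.lstrip().startswith(prefix):
            return content, ext
    raise ValueError("content is neither the Terraform template nor the Bash script")


def save_template(response_text, basename="snyk_azure_permissions", directory="."):
    """Write the unescaped template and return the path written."""
    content, ext = extract_template(response_text)
    path = os.path.join(directory, basename + ext)
    # Mode 0o600: owner read/write only, not executable, so the script
    # cannot be run by accident before it has been reviewed.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   python3 unescape_snyk_template.py < response.json
    print(save_template(sys.stdin.read()))
```

Read the resulting file before provisioning anything with it, since it creates identity resources in your tenant.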
What's next?
The next step is to create the Entra ID app registration, federated identity credential, and service principal for Snyk using the template or script you downloaded.