Vintner
Azure Integration

Federated Identity setup via Azure Entra ID with OIDC credentials.

Azure integration uses federated identity credentials on an app registration in Microsoft Entra ID (formerly Azure AD), Microsoft's workload identity federation. The Tendril presents an OIDC token issued by the Trellis platform as a client assertion, Entra ID validates it against the registered issuer, subject and audience, and returns a short-lived access token. No client secret or certificate is ever created for the app registration. See Security Architecture.

Setup

Create App Registration

In Microsoft Entra ID, create a new app registration. Note the Application (client) ID and Directory (tenant) ID; both are entered into Trellis in the final step.

Add Federated Credential

Add a federated credential to the app registration (Certificates & secrets > Federated credentials) with:

  • Issuer — the Trellis platform's OIDC issuer URL. It must be an HTTPS URL and must match the token's iss claim exactly, including any trailing slash
  • Subject — the expected subject claim. Entra ID requires an exact match, so one federated credential covers exactly one subject
  • Audience — the platform's audience identifier, compared against the token's aud claim (Entra ID's recommended value is api://AzureADTokenExchange)

Assign RBAC Roles

Grant the app registration's service principal RBAC roles on your Azure subscription, scoped as narrowly as the deployment allows (a resource group rather than the whole subscription where possible):

  • Contributor (or more granular built-in roles for the specific resource types Trellis manages)
  • User Access Administrator, only if AKS Microsoft Entra integration is used. This role lets the identity create role assignments for others, which is an escalation path if the token is misused, so scope it to the AKS resources rather than the subscription

Enter Details in Trellis

Provide:

  • Tenant ID — Microsoft Entra directory (tenant) ID
  • Client ID — the app registration's Application (client) ID
  • Subscription ID — the target Azure subscription

Verification

Same as other providers: a CONNECTION_TEST job verifies the federated identity by:

  1. Presenting the OIDC token to the Microsoft Entra token endpoint as a client assertion (client_credentials grant)
  2. Entra ID validating the token's signature against the issuer's keys and its issuer, subject and audience against the registered federated credential
  3. Receiving a short-lived access token for Azure Resource Manager
  4. Using that token to discover existing VNets, subnets and DNS zones in the subscription

If step 2 fails, Entra ID rejects the assertion with error AADSTS70021 ("No matching federated identity record found"); check the issuer, subject and audience values for an exact match before looking elsewhere.
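The setup and verification steps above, simulated offline as an added example. This is not Vintner, Trellis or Tendril code; it shows the shape of the Microsoft Graph request that creates a federated credential, the claim checks Entra ID applies to the presented assertion (exact issuer and subject, audience present, not expired), and the token-endpoint request the CONNECTION_TEST would send. The issuer URL, subject format and JWT contents are constructed placeholders; the Graph body and token-endpoint parameters follow Microsoft's public API. Signature verification against the issuer's JWKS, which Entra ID also performs, is left out so the example runs with the standard library only.

```python
"""Added example (not Vintner/Trellis code): Azure federated identity exchange,
simulated offline. ISSUER, SUBJECT and the JWT claims are constructed values."""
import base64
import json
import urllib.parse

ISSUER = "https://oidc.trellis.example"            # assumption: placeholder issuer URL
SUBJECT = "tendril:tenant-42:azure-connection-7"   # assumption: placeholder subject
AUDIENCE = "api://AzureADTokenExchange"            # Entra ID's recommended audience


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature for offline use. Real platform
    tokens are RS256-signed and Entra ID verifies them via the issuer's JWKS."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), ""])


def decode_claims(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def federated_credential_body(name: str, issuer: str, subject: str,
                              audience: str = AUDIENCE) -> dict:
    """Body for POST https://graph.microsoft.com/v1.0/applications/{objectId}/
    federatedIdentityCredentials. The path uses the app registration's object
    id, not its Application (client) ID."""
    return {"name": name, "issuer": issuer, "subject": subject,
            "audiences": [audience]}


def entra_accepts(jwt: str, fic: dict, now: float) -> tuple:
    """Simulate Entra ID's match of an assertion against one registered
    federated credential: exact issuer, exact subject, registered audience
    present in aud, and exp in the future."""
    c = decode_claims(jwt)
    if c.get("iss") != fic["issuer"]:
        return False, "issuer mismatch"
    if c.get("sub") != fic["subject"]:
        return False, "subject mismatch"
    aud = c.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(fic["audiences"]) & set(aud):
        return False, "audience mismatch"
    if c.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


def token_request(tenant_id: str, client_id: str, assertion: str) -> tuple:
    """Endpoint and form body that exchange the OIDC assertion for an Azure
    Resource Manager access token (client_credentials + JWT client assertion)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": "https://management.azure.com/.default",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
    }
    return url, body


if __name__ == "__main__":
    fic = federated_credential_body("trellis", ISSUER, SUBJECT)
    now = 1_000_000
    good = make_unsigned_jwt({"iss": ISSUER, "sub": SUBJECT, "aud": AUDIENCE, "exp": now + 300})
    # A trailing slash on the issuer is enough to fail the match.
    bad = make_unsigned_jwt({"iss": ISSUER + "/", "sub": SUBJECT, "aud": AUDIENCE, "exp": now + 300})
    print(entra_accepts(good, fic, now), entra_accepts(bad, fic, now))
    url, body = token_request("<tenant-id>", "<client-id>", good)
    print(url, urllib.parse.urlencode(body)[:60] + "...")
```

The `entra_accepts` rejection reasons map onto what a failed CONNECTION_TEST would surface: a trailing slash on the issuer, a subject that differs by one character, or an audience other than the one registered all fail the match, which is why the three values must be copied exactly rather than typed from memory.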

What's Stored

  • Tenant ID
  • Client ID
  • Subscription ID

No client secrets or certificates are stored. Revoke access by deleting the app registration or removing the federated credential; removing the RBAC role assignments also cuts off access while leaving the registration in place. An access token already issued remains valid until it expires (typically about an hour), so revocation is not instantaneous.