
Quickstart

This quickstart is for developers working on the current Azure Container Apps deployment model.

Prerequisites

  • Azure CLI az
  • Azure Developer CLI azd
  • Python 3.10+
  • Docker or remote ACR build access through az acr build
  • Access to the target Azure subscription and Microsoft Entra tenant

Repo Setup

git clone https://github.com/microsoft/identity-spiffe.git
cd identity-spiffe
az login
azd auth login

Create or select an azd environment before deploying:

azd env new isp-myenv
azd env select isp-myenv

Full Deployment

Use a full deploy when anything below changes:

  • agent code under src/
  • sidecar runtime or policy behavior
  • SPIRE or attestation logic
  • Entra Agent Identity or Conditional Access bootstrap
  • infrastructure under infra/

./deploy.sh --new --with-admin=you@your-tenant.com

Seed the portal admins. By default deploy.sh adds only the user signed in with az login to the Agent Management Administrators group. If you sign into the portal with a different identity, sign-in fails with "Access Denied — not in the Administrators or Viewers group". To seed additional admins during deploy, pass --with-admin=<upn> (repeatable) or set ISP_INITIAL_ADMINS=alice@contoso.com,bob@contoso.com in the environment. Each value is a UPN/email or an Entra object ID, and the user must already exist in the tenant: deploy.sh does not create accounts.

To add admins/viewers after deploy, use:

./scripts/portal-members.sh add-admin alice@contoso.com
./scripts/portal-members.sh add-viewer bob@contoso.com
./scripts/portal-members.sh list

Use --reuse=<resource-group> only when you intentionally want to deploy into an existing resource group.
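A full deploy is slow, so it is worth linting the admin list before spending one on a typo. The script below is an added example for this quickstart, not code from identity-spiffe or its deploy.sh. It accepts the same comma-separated format as ISP_INITIAL_ADMINS, classifies each entry as a UPN or an Entra object ID using regexes that are this example's own heuristics (not the project's parsing rules), emits the matching --with-admin flags, and offers an optional online check built on the real az ad user show --id command for the "user must already exist in the tenant" requirement. The alice/bob UPNs are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight check for portal admin seeding. Added example for this quickstart, not
# part of identity-spiffe or its deploy.sh. It validates the entries you intend to pass
# as --with-admin=<value> or ISP_INITIAL_ADMINS (comma-separated UPNs or Entra object
# IDs) before spending a full deploy on them, and prints the matching deploy.sh flags.
set -eu

# Heuristics assumed by this example: an Entra object ID is a GUID; a UPN is a
# single-@ address with a dotted domain. deploy.sh may accept more or less than this.
OBJECT_ID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
UPN_RE='^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:].]+$'

# classify_admin VALUE: prints "object-id" or "upn"; returns 1 for anything else.
classify_admin() {
  if printf '%s' "$1" | grep -Eq "$OBJECT_ID_RE"; then
    echo object-id
  elif printf '%s' "$1" | grep -Eq "$UPN_RE"; then
    echo upn
  else
    return 1
  fi
}

# admin_args LIST: LIST uses the ISP_INITIAL_ADMINS format (comma-separated, whitespace
# around entries tolerated, empty fields skipped). Prints one --with-admin=<value> per
# valid entry and returns 1 if any entry is malformed, so a typo fails here, not mid-deploy.
admin_args() {
  status=0
  old_ifs=$IFS
  IFS=','
  set -- $1
  IFS=$old_ifs
  for raw in "$@"; do
    entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    [ -n "$entry" ] || continue
    if classify_admin "$entry" >/dev/null; then
      printf '%s%s\n' '--with-admin=' "$entry"
    else
      printf 'invalid admin entry (expected UPN or Entra object ID): %s\n' "$entry" >&2
      status=1
    fi
  done
  return "$status"
}

# verify_in_tenant VALUE...: optional online check, not run by default. Assumes az login
# has been done against the target tenant; `az ad user show --id` accepts either a UPN
# or an object ID, so a missing account is caught before the deploy rather than at portal
# sign-in.
verify_in_tenant() {
  for entry in "$@"; do
    az ad user show --id "$entry" --query id -o tsv >/dev/null \
      || { printf 'not found in tenant: %s\n' "$entry" >&2; return 1; }
  done
}

# Constructed demo input (placeholder UPNs, not real accounts). An exported
# ISP_INITIAL_ADMINS takes precedence so the same script lints the value deploy.sh reads.
admin_args "${ISP_INITIAL_ADMINS:-alice@contoso.com,bob@contoso.com}"
```

Because each flag is printed on its own line and the validator rejects whitespace inside an entry, the output can be word-split straight into the deploy command: ./deploy.sh --new $(admin_args "$ISP_INITIAL_ADMINS"). Run verify_in_tenant on the same entries first when you have az signed in; otherwise a mistyped UPN only surfaces as the Access Denied error after the deploy finishes.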

Portal-Only Deployment

Use the fast path when only the portal or security portal mock changed:

  • portal/
  • securityportal-mock/
  • portal auth or config wiring in deploy.sh

./deploy.sh --portal-only

--portal-only rebuilds and updates the portal Container Apps without regenerating join tokens or forcing agent re-attestation.

Local Portal Launch

After a full deploy generates portal/portal-config.json, you can run the portal locally:

python3 portal/server.py --port 8550 --config portal/portal-config.json

Open http://localhost:8550.

Validate the Deployment

Run the end-to-end enforcement test matrix:

python3 scripts/test_agents.py

Typical local validation commands for code changes:

python3 -m py_compile portal/app/*.py
python3 -m unittest discover -s portal/tests -p 'test_*.py'
python3 -m unittest discover -s scripts/tests -p 'test_*.py'
bash -n deploy.sh