Azure AD with Streamlit: making your apps secure

Kaarel Kõrvemaa | Sep 16, 2023

Streamlit Azure AD Login and Deployment with GitHub Actions


Streamlit Community Cloud provides an excellent way to share your work. When creating internal or personal apps, it is wise to host them somewhere secure, where only you can access them. The cloud provides excellent components for building solutions like that. In this blog I will explain how to create Streamlit apps and deploy them to Azure Web Apps with GitHub Actions.

Streamlit

This blog is not so much about how to develop Streamlit apps as about how to secure and deploy them; there are many Streamlit tutorials that help you get started.

Just to get started with Streamlit:

Streamlit docs and get started

The Streamlit app created for this demo is a simple empty app, which has two elements to show: the email address, which is the display name for the user in AD, and the websocket_headers.

Streamlit app code

When running in the cloud, it should look like this:

The app is not accessible without login, which makes it good for creating sensitive content. When it comes to metadata about the user, this can be managed by the application created in Active Directory. The current setup looks like this:

GitHub CI/CD

There is a GitHub Actions integration from Web Apps straight to GitHub. This requires that the infrastructure is already created. Another way is to put the infrastructure and your app into one pipeline, so that you can configure the app and the infrastructure at the same time. The demo I have created does exactly this.

Terraform creates the Azure resources needed for the Streamlit app, and GitHub Actions deploys them into Azure. The CI/CD pipeline makes it easier to manage the app and add new features. It also makes sure that you have the infrastructure needed for scaling it up and down. As for managing secrets: all secrets and variables are stored in GitHub secrets and not in the code itself.

Deployment structure:

  • Set up job
  • Checkout
  • Setup Terraform
  • Log in with Azure
  • Generate secrets.toml file
  • Terraform Init
  • Terraform Plan
  • Terraform Apply
  • Post Checkout
  • Complete job

Example of managing Streamlit secrets with deployment:

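      - name: Generate secrets.toml file
        # Secrets go in via env, not pasted into the script text, so special characters in a value cannot alter the command.
        env:
          SNOWFLAKE_ACCOUNT: ${{ secrets.SNOWFLAKE_ACCOUNT }}
          SNOWFLAKE_USER: ${{ secrets.SNOWFLAKE_USER }}
          SNOWFLAKE_PASSWORD: ${{ secrets.SNOWFLAKE_PASSWORD }}
          SNOWFLAKE_ROLE_DEV: ${{ secrets.SNOWFLAKE_ROLE_DEV }}
          SNOWFLAKE_WAREHOUSE_DEV: ${{ secrets.SNOWFLAKE_WAREHOUSE_DEV }}
          SNOWFLAKE_DATABASE_DEV: ${{ secrets.SNOWFLAKE_DATABASE_DEV }}
          SNOWFLAKE_SCHEMA_DEV: ${{ secrets.SNOWFLAKE_SCHEMA_DEV }}
        run: |
          cat >> streamlit/.streamlit/secrets.toml <<EOF
          [connections.snowpark]
          account = "$SNOWFLAKE_ACCOUNT"
          user = "$SNOWFLAKE_USER"
          password = "$SNOWFLAKE_PASSWORD"
          role = "$SNOWFLAKE_ROLE_DEV"
          warehouse = "$SNOWFLAKE_WAREHOUSE_DEV"
          database = "$SNOWFLAKE_DATABASE_DEV"
          schema = "$SNOWFLAKE_SCHEMA_DEV"
          client_session_keep_alive = true
          EOF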

This can also be a bash script that will generate several blocks.
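
An added example of such a script (not the project's code): it reads the same Snowflake secrets from environment variables, which the workflow step would supply through `env:`, escapes them for TOML, and fails on a missing value. The function names are assumptions, and values are assumed to be single-line.

```shell
# Added example, not the project's code; function names are assumptions.
# Keys and secret names are the ones from the workflow step above.
# Values come from environment variables, never from the script text.

# Escape a value for a TOML basic string (backslash, then double quote).
toml_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# write_connection_block FILE NAME key=ENV_VAR...
# Appends one [connections.NAME] block. The ( ) body keeps variables local.
write_connection_block() (
  file=$1 name=$2
  shift 2
  printf '[connections.%s]\n' "$name" >> "$file"
  for pair in "$@"; do
    key=${pair%%=*}
    var=${pair#*=}
    eval "val=\${$var-}"   # indirect lookup; $var is a fixed name from this script
    # Fail the job on a missing secret instead of writing an empty value.
    [ -n "$val" ] || { echo "missing env var: $var" >&2; exit 1; }
    # A raw newline would end the quoted TOML string early.
    case $val in *'
'*) echo "newline in $var" >&2; exit 1 ;; esac
    printf '%s = "%s"\n' "$key" "$(toml_escape "$val")" >> "$file"
  done
)

# generate_secrets [FILE]: recreate the file with owner-only permissions.
generate_secrets() (
  file=${1:-streamlit/.streamlit/secrets.toml}
  mkdir -p "$(dirname "$file")"
  umask 077
  rm -f "$file"
  write_connection_block "$file" snowpark \
    account=SNOWFLAKE_ACCOUNT user=SNOWFLAKE_USER password=SNOWFLAKE_PASSWORD \
    role=SNOWFLAKE_ROLE_DEV warehouse=SNOWFLAKE_WAREHOUSE_DEV \
    database=SNOWFLAKE_DATABASE_DEV schema=SNOWFLAKE_SCHEMA_DEV || exit 1
  printf 'client_session_keep_alive = true\n' >> "$file"
)
```

Further blocks are added by calling `write_connection_block` again with another connection name and its own `key=ENV_VAR` pairs.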

Terraform

Terraform is a widely used IaC platform which has great references and a wide community to get started.

Getting started with Terraform

Before using the code, read through the notes in the GitHub README. There are a few steps that need to be done beforehand, like creating a storage account for the state file and service principals. In some cases this requires Azure Administrator permissions, especially when it comes to creating the application for using Active Directory and reading data that is sensitive.

Development

Working with Streamlit apps that have secure authentication provides new ways to work with data. The aim of this blog is to show that using Streamlit apps internally and developing access management around your apps can be very easy and simple. This also provides an option to add these apps to your internal systems as complementary solutions for advanced analytics, data entry and data sharing.

You can find me on LinkedIn for questions.

Project code can be found here: GitHub link

References

How to extract headers in streamlit app