GPT came very close to giving a complete working tutorial on setting up OpenID Connect federated credentials that let your GitHub Actions workflows authenticate to Azure. This means no passwords, exceptionally granular permissions and a happy security team.
After a bit of debugging I figured out the missing piece. I updated the instructions a little because Azure has updated its UI, but other than that this post is basically the LLM output. Check out the Azure Login action README as well, which covers the YAML part of OIDC well: https://github.com/Azure/login?tab=readme-ov-file#login-with-openid-connect-oidc-recommended.
Step 1: Set Up Azure
Create an Azure AD App Registration:
- Go to the Azure portal.
- Navigate to “Azure Active Directory” > “App registrations”.
- Click on “New registration”.
- Name your app, select the supported account type (most likely “Accounts in this organizational directory only”), and click “Register”.
Create a Federated Credential:
- In the app registration you just created, go to “Certificates & secrets” > “Federated credentials”.
- Click on “Add credential”.
- Credential type: Choose “GitHub Actions deploying Azure resources”. This pre-populates most of the information required, and you are asked to fill in the GitHub-specific details:
  - GitHub organization
  - Repository
  - The “entity type” you want to give permissions to. This is probably self-explanatory in the UI after a bit of thought, but basically there are different methods of giving dev workflows access to Azure dev resources and prod workflows access to Azure prod resources. In the example below, this is configured to use “Branch” as the entity type and `main` as the branch. In other words, we are not using GitHub’s environment feature here.
- Give the credential a name and optionally a description.
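The entity type you pick is stored by Azure as a subject claim, and a token only works if its `iss`, `sub` and `aud` claims match the credential. The following Python is an added example, not code from the original post or from the Azure/GitHub projects: it builds the subject for each entity type and replays Azure's three claim checks against a locally constructed, unsigned token (org, repo and branch names are placeholders; real validation also verifies GitHub's signature, which this inspection-only code does not).

```python
import base64
import json

# Fixed values Azure pre-populates for "GitHub Actions deploying Azure resources".
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"

def expected_subject(org, repo, entity_type, value=None):
    """Subject claim Azure stores for a federated credential of the given entity type."""
    prefix = f"repo:{org}/{repo}"
    if entity_type == "branch":
        return f"{prefix}:ref:refs/heads/{value}"
    if entity_type == "tag":
        return f"{prefix}:ref:refs/tags/{value}"
    if entity_type == "environment":
        return f"{prefix}:environment:{value}"
    if entity_type == "pull_request":
        return f"{prefix}:pull_request"
    raise ValueError(f"unknown entity type: {entity_type}")

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims):
    """Constructed stand-in for GitHub's OIDC token: header.payload with an empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_claims(jwt):
    """Read a JWT payload without verifying it (useful for inspecting what GitHub sends)."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def matches_federated_credential(claims, subject):
    """The three claim checks Azure applies before exchanging the token for an access token."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # GitHub may send a string or a list
    return claims.get("iss") == GITHUB_ISSUER and claims.get("sub") == subject and AZURE_AUDIENCE in aud

if __name__ == "__main__":
    # Placeholder org/repo; the credential admits only runs on the main branch.
    credential = expected_subject("my-org", "my-repo", "branch", "main")
    for ref in ("refs/heads/main", "refs/heads/feature-x"):
        token = make_unsigned_token({"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
                                     "sub": f"repo:my-org/my-repo:ref:{ref}", "ref": ref})
        print(ref, "->", matches_federated_credential(decode_claims(token), credential))
```

Swapping the entity type to "environment" changes only the stored subject, which is why a token from a run outside that environment (or from another branch) is refused even though it comes from the same repository.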
Assign Roles to the App:
- Go to the subscription/resource group/resource you want the GitHub Action to access.
- Under “Access control (IAM)”, click “Add role assignment”.
- Select the appropriate role (e.g., Contributor, Reader) and assign it to your registered app. For this example, go to your subscription and add “Reader” to the service principal (aka App Registration) you created.
Step 2: Configure GitHub Actions
Modify Your GitHub Workflow YAML:
- At the start of your workflow, use the `azure/login` action to authenticate using OIDC.
Here is an example YAML configuration:
```yaml
name: Azure Login with OIDC

on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Login to Azure using OpenID Connect
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Your Azure Command
        run: az account show
```
Store Necessary Secrets in GitHub:
- `AZURE_CLIENT_ID`: The Application (client) ID from your Azure AD App Registration.
- `AZURE_TENANT_ID`: Directory (tenant) ID from your Azure Active Directory.
- `AZURE_SUBSCRIPTION_ID`: Subscription ID you are going to work in.
Note: You do not need to store client secrets or other credentials since OIDC handles authentication.
Step 3: Verify and Test
- Once everything is configured, verify the roles and permissions in Azure to ensure nothing extraneous has access.
- Push your changes to trigger the GitHub Actions workflow and validate whether Azure login is successful.
By setting up OIDC in this manner, GitHub Actions can authenticate to Azure securely, reducing the need for secrets management around long-lived credentials.