This repo has an Action that tests logging in to Azure using OIDC.
Full write-up here.
For this demo to work, you need 2 SPNs in Azure and 2 environments. The jobs target `dev` and `prod` environments.
You no longer need the composite workflow, since you no longer have to install the az cli beta. You can just collapse to this:

```yaml
- uses: azure/login@v1
  name: Log in using OIDC
  with:
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

and you'd be good to go from there!
Steps in Azure:

- Create a `dev` service principal (App Registration) in Azure
- On the Certificates and Secrets tab of the App, click Federated credentials
- Click + Add credential and enter the `org`, `repo` and `environment` (in this case `dev`)
- On the Overview tab, note the `Application (client) ID` for this SPN
- Give the SPN access to a subscription or Resource Group within the tenant

Repeat these steps for a `prod` SPN, giving it access to a different subscription or set of resource groups.
Steps in GitHub:

- Create a `dev` environment in the repo Environments tab under Settings
- Add the `dev` client ID as a secret called `AZURE_CLIENT_ID`

Repeat for the `prod` environment, creating the same secret but using the client ID of the `prod` SPN.
On the repo, configure 2 additional secrets:

- `AZURE_TENANT_ID` - the AAD tenant ID
- `AZURE_SUBSCRIPTION_ID` - the ID of the Azure subscription

Note: If you have different subscriptions for `dev` and `prod`, define the `AZURE_SUBSCRIPTION_ID` at the corresponding environment, rather than sharing a single subscription at the repo level.
Now you can navigate to the Actions tab, click on the `OIDC Demo` workflow and queue it. You should see successful deployments to `dev` and `prod`, but the `bad prod` job should fail (I hardcoded the `dev` appID for that job to try to deploy to the `prod` environment with the `dev` SPN).
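A complete workflow wiring the three jobs together, as an added example and not the repo's own workflow file. The job names, the runner, the `az account show` check step and the placeholder client ID in the `bad-prod` job are assumptions; the `permissions: id-token: write` block is required for any job that asks GitHub for an OIDC token, and without it `azure/login` cannot perform the exchange at all.

```yaml
name: OIDC Demo

on:
  workflow_dispatch:

# id-token: write lets the job request a short-lived OIDC token from GitHub.
# contents: read is the minimum the checkout/run steps need; nothing else is granted.
permissions:
  id-token: write
  contents: read

jobs:
  dev:
    runs-on: ubuntu-latest
    environment: dev            # environment-level AZURE_CLIENT_ID resolves to the dev SPN
    steps:
      - uses: azure/login@v1
        name: Log in using OIDC
        with:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Show which identity and subscription we landed in
        run: az account show

  prod:
    runs-on: ubuntu-latest
    environment: prod           # same secret name, but the prod environment holds the prod SPN's ID
    steps:
      - uses: azure/login@v1
        name: Log in using OIDC
        with:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Show which identity and subscription we landed in
        run: az account show

  bad-prod:
    runs-on: ubuntu-latest
    environment: prod           # token subject will say environment:prod ...
    steps:
      - uses: azure/login@v1
        name: Log in with the dev SPN against the prod environment (expected to fail)
        with:
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          # ... but the client ID is the dev SPN's, whose federated credential only
          # trusts environment:dev. Placeholder value; substitute the real dev client ID.
          client-id: 00000000-0000-0000-0000-000000000000
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

The `bad-prod` job fails at the login step, before any Azure resource is touched: the OIDC token GitHub issues for that job carries a `sub` claim of `repo:<org>/<repo>:environment:prod`, while the dev SPN's federated credential was registered for `repo:<org>/<repo>:environment:dev`, so Azure AD refuses to exchange the token. That subject binding is the whole point of the demo: the client ID alone is not a credential, and copying it into another job does not get that job the SPN's access.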