53 changes: 53 additions & 0 deletions README.md
Expand Up @@ -13,6 +13,7 @@ GitHub Actions workflows and actions accessible to all Pexip workflows. This rep

### Authentication

- **[auth-azure-action](auth-azure-action)** - Authenticate with Microsoft Azure using service principal credentials or workload identity (OIDC)
- **[auth-gcp-action](auth-gcp-action)** - Authenticate with Google Cloud Platform using service account key or workload identity federation
- **[auth-github-action](auth-github-action)** - Authenticate with GitHub Container Registry

Expand Down Expand Up @@ -160,6 +161,54 @@ steps:
dockerfile: Dockerfile
```

### Example: Authenticate with Azure

Azure authentication supports two methods:

#### Service Principal (credentials JSON)

```yaml
steps:
- name: Checkout
uses: actions/checkout@v4

- uses: pexip/shared-github-actions/auth-azure-action@master
with:
credentials: ${{ secrets.AZURE_CREDENTIALS }}
registry: myregistry.azurecr.io
```

The `AZURE_CREDENTIALS` secret should contain JSON in this format:
```json
{
"clientId": "<client-id>",
"clientSecret": "<client-secret>",
"subscriptionId": "<subscription-id>",
"tenantId": "<tenant-id>"
}
```

#### Workload Identity (OIDC)

For enhanced security without storing secrets, use OIDC/Workload Identity:

```yaml
permissions:
id-token: write
contents: read

steps:
- name: Checkout
uses: actions/checkout@v4

- uses: pexip/shared-github-actions/auth-azure-action@master
with:
client_id: ${{ secrets.AZURE_CLIENT_ID }}
tenant_id: ${{ secrets.AZURE_TENANT_ID }}
subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
registry: myregistry.azurecr.io
```

### Example: Create a Release

```yaml
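Review bot: The "Workload Identity (OIDC)" example omits the Azure-side prerequisite: the app registration identified by `client_id` needs a federated credential whose subject matches the token GitHub issues for the workflow (for example `repo:<org>/<repo>:ref:refs/heads/main` or `repo:<org>/<repo>:environment:<env>`), otherwise `azure/login` rejects the token even with `id-token: write` set. One sentence under that heading would save users a failed run. The wording "without storing secrets" also sits oddly next to `client_id: ${{ secrets.AZURE_CLIENT_ID }}`, `tenant_id: ${{ secrets.AZURE_TENANT_ID }}` and `subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}`; those are identifiers, not credentials, and could be read from `vars.*` (this README already has a variables section). Finally, both snippets reference `pexip/shared-github-actions/auth-azure-action@master`, a mutable branch ref; since this is the template users copy, prefer a tag or commit SHA.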
Expand All @@ -185,6 +234,10 @@ Configure these secrets in your repository settings:

### Optional Secrets

- **`AZURE_CREDENTIALS`** - Azure service principal credentials JSON (if using auth-azure-action with service principal)
- **`AZURE_CLIENT_ID`** - Azure application client ID (if using auth-azure-action with workload identity)
- **`AZURE_TENANT_ID`** - Azure AD tenant ID (if using auth-azure-action with workload identity)
- **`AZURE_SUBSCRIPTION_ID`** - Azure subscription ID (if using auth-azure-action with workload identity)
- **`jira_webhook`** - Jira automation webhook URL for release integration

### Required Variables
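Review bot: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_SUBSCRIPTION_ID` are listed under "Optional Secrets", but none of them is a credential; with workload identity the trust lives in the federated credential on the Azure side, and these three values are plain identifiers. Moving them under the variables section (and reading them as `vars.*` in the examples) keeps the secrets list to values that actually need masking and makes the "no stored secrets" claim for OIDC accurate. The `AZURE_CREDENTIALS` entry could also say that the JSON embeds `clientSecret`, which expires and must be rotated, unlike the OIDC path.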
54 changes: 54 additions & 0 deletions auth-azure-action/action.yml
@@ -0,0 +1,54 @@
name: Authenticate towards Azure
description: Authenticate towards Microsoft Azure
author: "havard.bakke@pexip.com"

inputs:
registry:
required: false
description: The Azure Container Registry to authenticate against (e.g., myregistry.azurecr.io)
credentials:
required: false
description: Azure service principal credentials JSON (for service principal auth)
client_id:
required: false
description: The Azure application (service principal) client ID (for OIDC/workload identity)
tenant_id:
required: false
description: The Azure AD tenant ID (for OIDC/workload identity)
subscription_id:
required: false
description: The Azure subscription ID (for OIDC/workload identity)

runs:
using: "composite"
steps:
- name: Validate authentication inputs
shell: bash
run: |
if [ -z "${{ inputs.credentials }}" ] && [ -z "${{ inputs.client_id }}" ]; then
echo "Error: Either credentials (service principal) or client_id (workload identity) must be provided"
exit 1
fi
if [ -n "${{ inputs.client_id }}" ] && ([ -z "${{ inputs.tenant_id }}" ] || [ -z "${{ inputs.subscription_id }}" ]); then
echo "Error: tenant_id and subscription_id are required when using workload identity (client_id)"
exit 1
fi

- name: Authenticate towards Azure (service principal)
if: ${{ inputs.credentials != '' }}
uses: azure/login@v2
with:
creds: ${{ inputs.credentials }}

- name: Authenticate towards Azure (workload identity/OIDC)
if: ${{ inputs.credentials == '' }}
uses: azure/login@v2
with:
client-id: ${{ inputs.client_id }}
tenant-id: ${{ inputs.tenant_id }}
subscription-id: ${{ inputs.subscription_id }}

- name: Login to Azure Container Registry
if: ${{ inputs.registry != '' }}
shell: bash
run: az acr login --name $(echo ${{ inputs.registry }} | cut -d'.' -f1)
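Review bot: In "Validate authentication inputs" and "Login to Azure Container Registry" the inputs are expanded with `${{ }}` directly inside the bash script, so `[ -z "${{ inputs.credentials }}" ]` splices the raw credentials JSON (embedded double quotes, newlines) into the shell source, which breaks the test syntax at best, and `az acr login --name $(echo ${{ inputs.registry }} | cut -d'.' -f1)` executes whatever a caller passes as `registry`, which is a script-injection vector in a shared action. Pass the inputs through `env:` and test the variables instead, e.g. `env: { AZ_CREDENTIALS: "${{ inputs.credentials }}", AZ_REGISTRY: "${{ inputs.registry }}" }` with `[ -z "$AZ_CREDENTIALS" ]` and `az acr login --name "${AZ_REGISTRY%%.*}"`. Two smaller points: the validation does not cover the case where both `credentials` and `client_id` are supplied (the `if: ${{ inputs.credentials != '' }}` guard silently prefers the service principal), so either reject that combination or document the precedence; and `azure/login@v2` is a floating major tag, which for an action consumed by every workflow in the org is worth pinning to a commit SHA. The `client_id` description could also mention that the calling workflow needs `permissions: id-token: write`, since the action cannot request it itself.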