Menu

Virtual Geek

Tales from real IT system administrators world and non-production environment

Azure OIDC OpenID Connect password less with GitHub Actions

This documentation describes in what way to organize GitHub Actions to authenticate with Microsoft Azure Entra ID using OpenID Connect (OIDC) for secure and automated deployments to Azure. This guide covers key ideas like credentials, federated identity, and customer-managed keys for data encryption and use them securely in GitHub Actions pipeline.

Federation permits external OpenID Connect identity providers to access Microsoft Entra ID-protected resources, such as Azure and Microsoft Graph. GitHub Actions, Kubernetes, and other external services can use OIDC to get access tokens from Microsoft Entra ID without requiring long-lived credentials like passwords or secrets.

Key Use Cases for OIDC Federation:

  • GitHub Actions Deploying Azure Resources: Use a GitHub Actions workflow to securely get tokens from Microsoft Entra ID and deploy resources to Azure.
  • Customer Managed Keys (CMK): Encrypt data in one tenant using Azure Key Vault located in another tenant.
  • Kubernetes Accessing Azure Resources: A Kubernetes service account can be configured to receive tokens and access Azure resources.
  • Other OIDC Providers: An external OpenID Connect provider can be set up to access Microsoft Entra ID-protected resources.

# Check this complete DevOps Pipeline series
Part 1: Create GitHub repository and branches using Terraform
Part 2 Terraform modules using a github.com repository as a source
Part 3 Automating and Planning Azure Resources with Terraform and GitHub Actions
Part 4 GitHub Actions deploy azure resources with Terraform backend
Part 4.1 GitHub Actions deploy azure resources with PowerShell

I have already created App registrations (Service Principal). In the account go to Manage >> Certificates & Secrets >> Federated credentials.

Github actions oidc azure open id connect identity provider Microsoft entra id microsoft graph pipeline devops cicd configuration setup external management administration passwordless clientid app registration.png

Step 1: From Federated Credentials Scenario choose GitHub Actions deploying Azure resources: Configure a GitHub workflow to get tokens as this application and deploy to Azure. 

Step 2: Configure External OIDC Identity Provider
Enter the details of the identity provider (GitHub in this case) that will federate with Microsoft Entra ID.

  1. Issuer: Set the issuer URL to identify the trusted external identity provider. For GitHub Actions, this value should be: https://token.actions.githubusercontent.com
  2. Organization and Repository: Enter the GitHub organization name and repository where the workflow is hosted. These values allow Microsoft Entra ID to validate the connection.
  3. Branch, Pull Request, Tag: Specify the environment, branch, pull request, or tag that GitHub Actions will use to establish trust with Microsoft Entra ID.
  4. Subject Identifier: The subject identifier should follow this format to establish a unique connection: repo:{Organization}/{Repository}:ref:refs/tags/{Tag}.

Step 3: Configure Federated Credential

Once the identity provider details are provided, configure the federated credential:

  • Federated Credential Name: Assign a name for the federated credential (limit: 120 characters).
  • Federated Credential Description: Provide a description of the federated credential. When using GitHub Actions for Azure Login, this value should be set to: api://AzureADTokenExchange. This description helps establish a connection between the GitHub Actions workflow and Microsoft Entra ID (limit: 600 characters).

Click Add button.

Azure cloud app registration service principal federated credentials senario github actions devops organization repository entity branch git subject identifier oidc passwordless clientid subscription tenant id devops cicd pipeline.png

Once the GitHub organization, repository, and subject identifier have been configured, trust is established between GitHub Actions and Microsoft Entra ID. This setup allows GitHub Actions to obtain tokens from Microsoft Entra ID and access Azure resources securely.

As per below screenshot you can see Federated credentials for App Registration (Service Principal) is successfully created.

Azure service principal app registration enterprise account certificate client secrets federated credentials add OIDC github actions configuration external openid connect identity provider devops pipeline configuration setup cicd.png

Github Action secrets and variables AZURE_CLIENT_ID AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID github repository secrets branch tags webhook azure az cli oidc federated credentials devops pipeline cicd service principal app registrations.png

Below is my code for GitHub Actions Workflow yaml file. Repository secrets are defined in the yellow highlighted area as Az Login credentials, note down there is no secret id is mentioned in the code. In the next task green highlighted I am executing simple az command to verify credentials to list the Resource Groups from Azure.

Download this github_actions_Azure_OpenID_Connect (OIDC).zip code here or it is also available on github.com.

# Name of the action that will trigger
name: AzCLI ODIC Configuration

# On push event occur
on: [push]

permissions:
  id-token: write # Require write permission to Fetch an OIDC token.
  contents: read

# Jobs section
jobs:
  azcli:
    name: AzCLI
    runs-on: ubuntu-latest # OS where job will trigger

    #Use the bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest or windows-latest
    #Setting default bash shell
    defaults:
      run:
        shell: bash

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: actions/checkout@v3

    - name: Login to Azure
      uses: azure/login@v2
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    # AZ command execution
    - name: Execute Az CLI command
      run: |
        az group list --output table

# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect

I am pushing the workflow code to GitHub repository with git commands.

Github Actions oidc azure open connect id terraform extreme examples authentication azure oidc credentials passwordless git push origin force commit add devops cicd pipeline configuration.png

As soon as code is pushed, Workflow pipeline will be auto triggered by GitHub Actions. In the actions you can see workflow is completed successful . 

GitHub Actions source control pull requests security settings azCLI ODIC configurations Azure oidc credentials Passwordless configuration openid connect devops pipeline cicd workflow yaml passwordless clientid subscription tenant.png

Below is the output of the successful job view and result of the login and command.

Github Actions Login to Azure client-id oidc openid connect azure intra id azure ad tenant id subscription auth-type service principal azurecloud az clie powershell noprofile.png

Useful Articles
Part 1 Git version control integration in Visual Studio Code
Part 2 Git master branch source control integration in Visual Studio Code
Part 3 Git clone version control integration in Visual Studio Code
Remote: Permission to UserName/repo.git denied to OtherUserName fatal: unable to access 'https://github.com/UserName/repo.git/': The requested URL returned error: 403
Step by Step guide to push your first project to github.com
Running Your First PowerShell Scripts With Jenkins and Git
Git clone or push Missing or invalid credentials fatal authentication failed
PowerShell How to find file and folders in Azure Storage Account Blobs and Containers
DevOps Part 1.1 SCM Git - Create Resource Group in Microsoft Azure
DevOps Part 1.2 SCM Git - Create Virtual Network (vNET) in Microsoft Azure
Solved Visual studio Code make sure you configure your user.name and user.email in git
Logging and Working on BitBucket using Git SSH url

Go Back

Comment

Blog Search

Page Views

12086173

Follow me on Blogarama