This guide describes how to set up GitHub Actions to authenticate with Microsoft Entra ID using OpenID Connect (OIDC) for secure, automated deployments to Azure. It covers the key ideas (credentials, federated identity, and customer-managed keys for data encryption) and how to use them securely in a GitHub Actions pipeline.
Federation permits external OpenID Connect identity providers to access Microsoft Entra ID-protected resources, such as Azure and Microsoft Graph. GitHub Actions, Kubernetes, and other external services can use OIDC to get access tokens from Microsoft Entra ID without requiring long-lived credentials like passwords or secrets.
Key Use Cases for OIDC Federation:
- GitHub Actions Deploying Azure Resources: Use a GitHub Actions workflow to securely get tokens from Microsoft Entra ID and deploy resources to Azure.
- Customer Managed Keys (CMK): Encrypt data in one tenant using Azure Key Vault located in another tenant.
- Kubernetes Accessing Azure Resources: A Kubernetes service account can be configured to receive tokens and access Azure resources.
- Other OIDC Providers: An external OpenID Connect provider can be set up to access Microsoft Entra ID-protected resources.
# Check this complete DevOps Pipeline series
Part 1: Create GitHub repository and branches using Terraform
Part 2: Terraform modules using a github.com repository as a source
Part 3: Automating and Planning Azure Resources with Terraform and GitHub Actions
Part 4: GitHub Actions deploy Azure resources with Terraform backend
Part 4.1: GitHub Actions deploy Azure resources with PowerShell
I have already created an App registration (Service Principal). In the App registration go to Manage >> Certificates & secrets >> Federated credentials.
Step 1: From the Federated credential scenario list choose "GitHub Actions deploying Azure resources": configure a GitHub workflow to get tokens as this application and deploy to Azure.
Step 2: Configure External OIDC Identity Provider
Enter the details of the identity provider (GitHub in this case) that will federate with Microsoft Entra ID.
- Issuer: Set the issuer URL to identify the trusted external identity provider. For GitHub Actions, this value should be: https://token.actions.githubusercontent.com
- Organization and Repository: Enter the GitHub organization name and repository where the workflow is hosted. These values allow Microsoft Entra ID to validate the connection.
- Branch, Pull Request, Tag: Specify the environment, branch, pull request, or tag that GitHub Actions will use to establish trust with Microsoft Entra ID.
- Subject Identifier: The subject identifier is derived from the values above and must match the token exactly; for a tag it follows this format: repo:{Organization}/{Repository}:ref:refs/tags/{Tag}.
Step 3: Configure Federated Credential
Once the identity provider details are provided, configure the federated credential:
- Federated Credential Name: Assign a name for the federated credential (limit: 120 characters).
- Federated Credential Description: Provide a description of the federated credential. When using GitHub Actions for Azure Login, this value should be set to: api://AzureADTokenExchange. This description helps establish a connection between the GitHub Actions workflow and Microsoft Entra ID (limit: 600 characters).
Click the Add button.
Once the GitHub organization, repository, and subject identifier have been configured, trust is established between GitHub Actions and Microsoft Entra ID. This setup allows GitHub Actions to obtain tokens from Microsoft Entra ID and access Azure resources securely.
The screenshot below shows that the federated credential for the App registration (Service Principal) was created successfully.
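The portal steps above produce a federated identity credential with three fields that Microsoft Entra ID compares against the incoming GitHub token: issuer, subject and audience. The following is an added example (not code from the original post) that builds that credential definition in the shape accepted by `az ad app federated-credential create --parameters`, and applies the same exact-match checks to sample token claims, so you can see why a token from another branch, another repository or with GitHub's default audience is rejected. The organization `contoso`, repository `infra`, tag `v1.0.0` and the sample claims are constructed for illustration.

```python
"""Added example: build a federated identity credential for a GitHub Actions
workflow and check GitHub OIDC token claims against it the way Entra ID does.
The organization, repository, tag and token claims are constructed samples."""
import json

ISSUER = "https://token.actions.githubusercontent.com"
# Audience azure/login requests from GitHub; Entra ID expects it on the token.
AUDIENCE = "api://AzureADTokenExchange"


def github_subject(org, repo, *, branch=None, tag=None, environment=None,
                   pull_request=False):
    """Subject identifier for one GitHub entity type (branch, tag, environment
    or pull request). This is the value the portal derives from the form."""
    base = f"repo:{org}/{repo}"
    if environment:
        return f"{base}:environment:{environment}"
    if pull_request:
        return f"{base}:pull_request"
    if tag:
        return f"{base}:ref:refs/tags/{tag}"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    raise ValueError("one of branch, tag, environment or pull_request is required")


def federated_credential(name, subject, description=""):
    """Parameter document for `az ad app federated-credential create`.
    'name' is limited to 120 characters and 'description' to 600."""
    if len(name) > 120 or len(description) > 600:
        raise ValueError("name or description too long")
    return {
        "name": name,
        "issuer": ISSUER,
        "subject": subject,
        "description": description,
        "audiences": [AUDIENCE],
    }


def matches(credential, claims):
    """Exact-match checks on the token's iss, aud and sub claims.
    Returns (accepted, reason)."""
    if claims.get("iss") != credential["issuer"]:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in credential["audiences"] for a in aud_list):
        return False, f"audience mismatch: {aud!r}"
    if claims.get("sub") != credential["subject"]:
        return False, f"subject mismatch: {claims.get('sub')!r}"
    return True, "token accepted"


if __name__ == "__main__":
    cred = federated_credential(
        "github-release-tags",
        github_subject("contoso", "infra", tag="v1.0.0"),
        "GitHub Actions release workflow",
    )
    print(json.dumps(cred, indent=2))
    # Constructed sample claims as a GitHub OIDC token would carry them.
    samples = {
        "release tag": {"iss": ISSUER, "aud": AUDIENCE,
                        "sub": "repo:contoso/infra:ref:refs/tags/v1.0.0"},
        "main branch": {"iss": ISSUER, "aud": AUDIENCE,
                        "sub": "repo:contoso/infra:ref:refs/heads/main"},
        "default aud": {"iss": ISSUER, "aud": "https://github.com/contoso",
                        "sub": "repo:contoso/infra:ref:refs/tags/v1.0.0"},
    }
    for label, claims in samples.items():
        print(f"{label:12} -> {matches(cred, claims)}")
```

Only the first sample is accepted: the branch token fails on the subject claim, and a token requested without the `api://AzureADTokenExchange` audience fails on the audience claim. Creating one credential per branch, tag or environment, rather than a broad subject, keeps the set of workflows that can obtain Azure tokens as small as possible.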
Below is the GitHub Actions workflow YAML file. The repository secrets used by the Azure login step are the ones highlighted in yellow; note that no client secret appears anywhere in the code. In the next task, highlighted in green, I run a simple az command that lists the resource groups in the subscription to verify the credentials.
Download the github_actions_Azure_OpenID_Connect (OIDC).zip code here; it is also available on github.com.
```yaml
# Name of the workflow
name: AzCLI OIDC Configuration

# Run on every push event
on: [push]

permissions:
  id-token: write   # Required to fetch an OIDC token
  contents: read

# Jobs section
jobs:
  azcli:
    name: AzCLI
    runs-on: ubuntu-latest   # OS the job runs on
    # Use the bash shell regardless of whether the runner is ubuntu-latest,
    # macos-latest or windows-latest
    defaults:
      run:
        shell: bash
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v3

      - name: Login to Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      # Az CLI command execution
      - name: Execute Az CLI command
        run: |
          az group list --output table

# https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure-openid-connect
```
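The `azure/login` step above hides a two-request exchange: the runner first asks GitHub for an OIDC token with the audience `api://AzureADTokenExchange` (possible only because the job has `permissions: id-token: write`), then presents that token to the Microsoft Entra ID token endpoint as a client assertion in place of a client secret. The following is an added example, not the action's own code, that builds both requests so the exchange can be inspected; it only sends them when run as a script inside a job, and it assumes the tenant and client IDs are exposed to the script through `AZURE_TENANT_ID` and `AZURE_CLIENT_ID` environment variables. The IDs and tokens in the `__main__` block are read from the environment; those used in the comments are constructed placeholders.

```python
"""Added example: the GitHub-to-Entra ID token exchange performed by azure/login,
written as two explicit HTTP requests. Not the action's own implementation."""
import json
import os
import urllib.parse
import urllib.request

AUDIENCE = "api://AzureADTokenExchange"
ARM_SCOPE = "https://management.azure.com/.default"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_github_token_request(request_url, request_token, audience=AUDIENCE):
    """Request 1: ask the runner's token service for an OIDC JWT for 'audience'.
    request_url and request_token come from ACTIONS_ID_TOKEN_REQUEST_URL and
    ACTIONS_ID_TOKEN_REQUEST_TOKEN, which GitHub sets only when the job has
    'id-token: write'. The URL already carries a query string, so append."""
    sep = "&" if "?" in request_url else "?"
    return {
        "method": "GET",
        "url": f"{request_url}{sep}audience={urllib.parse.quote(audience, safe='')}",
        "headers": {"Authorization": f"Bearer {request_token}",
                    "Accept": "application/json"},
        "body": None,
    }


def build_entra_token_request(tenant_id, client_id, github_jwt, scope=ARM_SCOPE):
    """Request 2: client_credentials grant against the v2.0 token endpoint,
    authenticated with the GitHub JWT as a client assertion. There is no
    client_secret field anywhere in this request."""
    form = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": github_jwt,
    }
    return {
        "method": "POST",
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urllib.parse.urlencode(form),
    }


def form_fields(req):
    """Decode a built POST body back into a dict (handy for inspection/tests)."""
    return dict(urllib.parse.parse_qsl(req["body"] or ""))


def send(req):
    """Send a built request and parse the JSON response."""
    data = req["body"].encode() if req["body"] else None
    http_req = urllib.request.Request(req["url"], data=data,
                                      headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Only meaningful inside a GitHub Actions job with id-token: write.
    gh_req = build_github_token_request(os.environ["ACTIONS_ID_TOKEN_REQUEST_URL"],
                                        os.environ["ACTIONS_ID_TOKEN_REQUEST_TOKEN"])
    github_jwt = send(gh_req)["value"]           # GitHub returns {"value": "<jwt>"}
    entra_req = build_entra_token_request(os.environ["AZURE_TENANT_ID"],
                                          os.environ["AZURE_CLIENT_ID"], github_jwt)
    token = send(entra_req)
    print("access token obtained; expires_in:", token["expires_in"])
```

Nothing in the second request is a long-lived secret: the GitHub JWT is short-lived and bound to the issuer, subject and audience that the federated credential was configured with, which is why the workflow only needs the client, tenant and subscription IDs as repository secrets.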
I push the workflow code to the GitHub repository with git commands.
As soon as the code is pushed, the workflow pipeline is triggered automatically by GitHub Actions. In the Actions tab you can see that the workflow completed successfully.
Below is the output of the successful job view, showing the result of the login and of the command.