Description
Removing long-lived Azure credentials from the development environment is a key strategy to reduce vulnerabilities that attackers can easily exploit. We can now configure GitHub to deploy to Azure without creating, storing, or managing credentials for the Azure AD application (SPN), by using the Azure AD workload identity federation capability, which is now GA (Build 2022 Book of News):
> **1.7.2. GITHUB OPENID CONNECT WITH AZURE AD WORKLOAD IDENTITY FEDERATION NOW AVAILABLE**
>
> GitHub OpenID Connect (OIDC) with Azure Active Directory (Azure AD) workload identity federation, now generally available, minimizes the need for storing and accessing secrets. The new capabilities alleviate the need for managing Azure service principal secrets and other long-lived cloud credentials in the GitHub Actions secret store.
>
> With this integration, users can manage all cloud resource access securely in Azure. These capabilities also minimize the chances of service downtime due to expired credentials in GitHub. Customers can integrate with developer platforms, like GitHub Actions, to build apps swiftly and securely. With workload identity federation, Azure AD removes the secrets necessary to access resources in selected scenarios – adding another layer of security and removing the burden of secret management.
The required changes seem to be:

- Add a federated identity credential on the SPN in AAD. For this we need to choose the criteria of use, e.g. Environment = 'Engineering'.
- Add `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` to a new environment.
- Add the following sections to the workflow files:

  ```yaml
  permissions:
    id-token: write
    contents: read
  ...
  environment: Engineering # we need to decide on this ofc
  ```

- Ensure we have the related documentation updated.
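The federated credential from the first step, as an added example (not part of this issue or the project): it builds the trust relationship Azure AD needs so that only jobs of one repository running in the `Engineering` environment can exchange their GitHub OIDC token for an Azure AD token. The org/repo name and the application object id are placeholders; the `az ad app federated-credential` commands are the Azure CLI's own.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Creates the federated identity
# credential on the SPN for GitHub Actions OIDC. Placeholders: APP_OBJECT_ID
# (the AAD application's object id) and the example-org/example-repo name.
set -eu

# Subject claim GitHub puts in the OIDC token of a job bound to an environment.
# Azure AD compares it byte for byte with the credential, so the workflow must
# declare `environment: Engineering`; a job without it carries a
# `repo:<org>/<repo>:ref:refs/heads/<branch>` subject and the exchange is refused.
fic_subject() {
  org="$1"; repo="$2"; env="$3"
  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$env"
}

# JSON body for `az ad app federated-credential create --parameters`.
# issuer and audience are the fixed values for GitHub Actions -> Azure AD.
fic_params() {
  name="$1"; subject="$2"
  cat <<EOF
{
  "name": "${name}",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "${subject}",
  "description": "GitHub Actions OIDC for ${subject}",
  "audiences": ["api://AzureADTokenExchange"]
}
EOF
}

# Create the credential and read back the configured subjects so a typo in
# org/repo/environment is caught before the first workflow run fails.
main() {
  app_object_id="${APP_OBJECT_ID:?set to the SPN application object id}"
  subject="$(fic_subject example-org example-repo Engineering)"  # placeholder repo
  fic_params github-engineering "$subject" > fic.json
  az ad app federated-credential create --id "$app_object_id" --parameters @fic.json
  az ad app federated-credential list --id "$app_object_id" --query "[].subject" -o tsv
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced/tested.
if [ "${RUN_AZ:-0}" = 1 ]; then main; fi
```

No client secret is created at any point; the SPN's `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` in the GitHub environment are identifiers, not credentials.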