Note — if you’re here to find a repository with preconfigured code it can be found here.
To conclude my mini series on using OpenID Connect to connect GitHub to the hyperscalers, I'm now going to discuss Azure. I recently wrote articles on how to do this with AWS and with GCP, if those are of interest to you.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. I'm using it between GitHub and Azure so that a workflow run can prove its identity without a stored secret: the GitHub Actions runner requests a short-lived OIDC token (a signed JWT) from GitHub's token service, presents it to Azure AD, and Azure AD checks the token's issuer, subject and audience against a federated credential on an Azure AD application. If they match, Azure AD returns a temporary access token for the application's service principal. The security point is that no long-lived client secret or certificate for that service principal ever lives in GitHub; the trust is the federated credential's subject, so how tightly you scope it matters.
An Azure AD application (with its service principal) is created for the GitHub pipeline to authenticate as.
Federated credentials are then created within the application to allow it to be used by GitHub. The issuer is the GitHub Actions token URL https://token.actions.githubusercontent.com, the organization is the GitHub org you want to deploy from, the repository is the repo within that org, and the entity type can be things like a GitHub environment, a branch, a tag or pull requests; you then add the name of the environment or branch you want to use. Under the hood these fields become a single subject claim (for example repo:org/repo:environment:prod or repo:org/repo:ref:refs/heads/main) that Azure AD matches exactly against the token's sub claim, with the audience defaulting to api://AzureADTokenExchange. Pick the narrowest entity that fits: a credential bound to a branch is honoured for any workflow running on that branch, whereas an environment can additionally carry required-reviewer and branch protection rules.
Go into IAM within your subscription and create a role assignment to grant your application's service principal appropriate permissions to your subscription. Keep this least privilege: assign only the role the pipeline needs, and scope it to a resource group rather than the whole subscription when the pipeline does not have to create resource groups itself.
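The three steps above done with the az CLI, as an added example that is not part of the original post or the author's demo repository. The app name, the my-org/my-repo repository, the prod environment and the Contributor role are placeholders chosen for this example; the subject formats are the ones GitHub documents for its OIDC tokens. Run without arguments it only prints the subject and credential body it would send, which is what the offline checks exercise; run with --apply and the five arguments it needs an authenticated az CLI with rights to create applications and role assignments.

```shell
#!/bin/sh
# Added example (not from the original post or its demo repository): create the
# Azure AD app, its service principal, the GitHub federated credential and the
# role assignment. All names, IDs and the "prod" environment are placeholders.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
# Default audience Azure AD expects for workload identity federation.
AZURE_AUDIENCE="api://AzureADTokenExchange"

# Build the OIDC "sub" claim GitHub puts in the token. Azure AD compares it with
# the federated credential's subject exactly, so this string is what scopes
# the credential.
#   $1 entity type: environment | branch | tag | pull_request
#   $2 org, $3 repo, $4 entity name (not used for pull_request)
oidc_subject() {
  case "$1" in
    environment)  printf 'repo:%s/%s:environment:%s' "$2" "$3" "$4" ;;
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$2" "$3" "$4" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$2" "$3" "$4" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$2" "$3" ;;
    *) echo "unknown entity type: $1" >&2; return 1 ;;
  esac
}

# JSON body for `az ad app federated-credential create --parameters`.
#   $1 credential name, $2 subject
federated_credential_json() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"],"description":"GitHub Actions OIDC"}' \
    "$1" "$GITHUB_ISSUER" "$2" "$AZURE_AUDIENCE"
}

# Runs the az commands. Needs an authenticated az CLI.
#   $1 app display name, $2 org, $3 repo, $4 environment, $5 subscription id
create_github_oidc_identity() {
  app_name=$1; org=$2; repo=$3; env_name=$4; sub_id=$5
  subject=$(oidc_subject environment "$org" "$repo" "$env_name")

  app_id=$(az ad app create --display-name "$app_name" --query appId -o tsv)
  app_obj_id=$(az ad app show --id "$app_id" --query id -o tsv)
  sp_obj_id=$(az ad sp create --id "$app_id" --query id -o tsv)

  cred_file=$(mktemp)
  federated_credential_json "github-${org}-${repo}-${env_name}" "$subject" > "$cred_file"
  az ad app federated-credential create --id "$app_obj_id" --parameters "$cred_file"
  rm -f "$cred_file"

  # Contributor at subscription scope is only needed because the pipeline
  # creates resource groups; narrow the role and scope if it does not.
  az role assignment create \
    --assignee-object-id "$sp_obj_id" --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "/subscriptions/${sub_id}"

  # The workflow needs this value (plus tenant and subscription IDs); no secret is produced.
  echo "AZURE_CLIENT_ID=$app_id"
}

if [ "${1:-}" = "--apply" ]; then
  shift
  create_github_oidc_identity "$@"
else
  # Dry run: show what would be sent for the placeholder repository.
  oidc_subject environment my-org my-repo prod; echo
  federated_credential_json github-my-org-my-repo-prod "$(oidc_subject environment my-org my-repo prod)"; echo
fi
```

The only secret-like value this produces is the application (client) ID, which together with the tenant and subscription IDs is all the workflow needs; nothing here is a credential an attacker could replay from outside a matching workflow run.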
Putting it all together….
To check it all works I've then used a GitHub Action to log in to Azure using the azure/login action and deploy a resource group. The job needs the id-token: write permission so the runner can request the OIDC token, and it must run in the environment (or on the branch) named in the federated credential, otherwise Azure AD rejects the token because the subject does not match. I've created this resource using the az CLI for simplicity, however once logged in you're free to deploy with whatever you want, as long as it supports az CLI authentication with OpenID Connect. Note: at the time of writing, Terraform didn't support this authentication method.
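A minimal workflow that exercises the setup, as an added example that is not the pipeline from the original post or its demo repository. The secret names, the prod environment and the resource group name and location are placeholders chosen for this example; AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID are identifiers, not credentials, and are kept as secrets only to keep them out of the repository.

```yaml
# Added example workflow (placeholder names; not the original post's pipeline).
name: deploy
on:
  push:
    branches: [main]

permissions:
  id-token: write   # lets the job request an OIDC token from GitHub
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Must match the federated credential's subject:
    # repo:<org>/<repo>:environment:prod
    environment: prod
    steps:
      - name: Log in to Azure with OIDC (no client secret)
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Create resource group
        run: az group create --name rg-oidc-demo --location westeurope
```

If the federated credential was bound to a branch instead, drop the environment key and make sure the workflow triggers on that branch; a mismatch between the two shows up as an AADSTS error from Azure AD at the login step rather than as a GitHub-side failure.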
If you're interested in using OpenID Connect with Azure, I've created a demo repository which uses the Terraform AzureRM and AzureAD providers to create the resources I've described above and contains the GitHub Actions pipeline I've used to test. Instructions on how to use it are in the readme. GitHub's instructions on how to set this up can be found here.