Connect to Azure from GitHub Actions without using client secrets
GitHub Actions is becoming a popular choice for automating workflows and deploying to Azure in organisations where source control is in GitHub. When it comes to connecting to Azure from GitHub Actions, you may have to use secrets for authentication. But did you know that there are ways to authenticate without using secrets? In this blog post, we will explore how you can connect to Azure from GitHub Actions without using secrets.
In GitHub Actions, SPN (service principal name) and credentials are used to authenticate with Azure. Generally, these credentials are stored as repository secrets in GitHub. It is a simple way to connect to Azure but comes with some drawbacks. For example, you need to keep updating credentials and if someone steals these credentials, they can impersonate as the SPN and do anything that the SPN is permitted to do.
With Azure Workload Identity Federation, we can use OpenID Connect to authenticate with Azure from GitHub Actions without using credentials.
Configure Azure AD Application and SPN
Here, we will be using Azure CLI, but you can use Azure Portal or any other method.
Register application in AAD
az ad app create --display-name gh-connect-appCreate SPN for the application registered above
az ad sp create --id <id from output of above command>
Assign “Contributor” role to the SPN for your subscription
subscriptionId="<your subscription id>"
assigneeObjectId="<object id for SPN created above>"
az role assignment create --role contributor \
--subscription $subscriptionId \
--assignee-object-id $assigneeObjectId \
--assignee-principal-type ServicePrincipal \
--scope /subscriptions/$subscriptionIdConfigure environments in GitHub
Go to Settings > Environments (https://github.com/<user/organisation>/<repo>/settings/environments) and add environments as per the need. In this blog, we will only be working with Production environment.
Add Federated Credentials for AAD App
Create a credential settings file to use while creating federated credentials.
credential.json — please update values as per your user/organisation and repository name.
{
"name": "<any name for credential>",
"issuer": "https://token.actions.githubusercontent.com",
"subject": "repo:<user/org>/<repo>:environment:Production",
"description": "demo",
"audiences": [
"api://AzureADTokenExchange"
]
} az ad app federated-credential create \
--id <object id for AAD App creted in first step> \
--parameters credential.jsonYou can verify federated credential created using Azure Portal.
Create GitHub secrets
We will add below secrets in GitHub which will be used to authenticate with Azure. It’s similar to how we do it while using SPN with client credentials, but here we won’t add any secret or certificate credentials.
Everything’s setup, now we can add a workflow to verify the connection.
Add a new workflow in your repository.
#.github\workflows\connect-azure.yml
name: Run Azure Login with OpenID Connect
on:
push:
branches:
- main
permissions:
id-token: write
contents: read
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: 'Run Azure CLI commands'
run: |
az account showWorkflow has trigger setup for main branch. When changes are pushed to main branch, workflow will run. Once workflow is complete, you can see logs similar to below which verifies connection to Azure from GitHub Actions.
This is how simple it is to set up connection to Azure from GitHub Actions using federated credentials and without having to worry about client secret or certificates.
If you have SPN credentials configured in your GitHub secrets, maybe it’s time to remove them and utilise workload identity to authenticate with Azure.
Thanks for reading and have a great day ahead :)
The CLI commands and related files used in this blog can be found at iqan/github-actions-connect-azure: Step by step guide to help connect Azure from GitHub Actions without using client secret.
