Connect to Azure from GitHub Actions without using client secrets

Iqan Shaikh
4 min read · Jul 30, 2023

GitHub Actions is becoming a popular choice for automating workflows and deploying to Azure in organisations where source control is in GitHub. When it comes to connecting to Azure from GitHub Actions, you may have to use secrets for authentication. But did you know that there are ways to authenticate without using secrets? In this blog post, we will explore how you can connect to Azure from GitHub Actions without using secrets.

Connect to Azure from GitHub Actions

In GitHub Actions, an SPN (service principal) and its credentials are used to authenticate with Azure. Generally, these credentials are stored as repository secrets in GitHub. It is a simple way to connect to Azure, but it comes with some drawbacks. For example, you need to keep updating the credentials, and if someone steals them, they can impersonate the SPN and do anything that the SPN is permitted to do.

With Azure Workload Identity Federation, we can use OpenID Connect to authenticate with Azure from GitHub Actions without using credentials.

Configure Azure AD Application and SPN

Here, we will be using Azure CLI, but you can use Azure Portal or any other method.

Register application in AAD

az ad app create --display-name gh-connect-app

Create SPN for the application registered above

az ad sp create --id <id from output of above command>

Assign “Contributor” role to the SPN for your subscription

subscriptionId="<your subscription id>"
assigneeObjectId="<object id for SPN created above>"

# Contributor on the whole subscription is broad; narrow --scope
# (for example to a resource group) if the workflow needs less.
az role assignment create --role contributor \
  --subscription "$subscriptionId" \
  --assignee-object-id "$assigneeObjectId" \
  --assignee-principal-type ServicePrincipal \
  --scope "/subscriptions/$subscriptionId"

Configure environments in GitHub

Go to Settings > Environments (https://github.com/<user/organisation>/<repo>/settings/environments) and add environments as needed. In this blog, we will only be working with the Production environment.

Add Federated Credentials for AAD App

Create a credential settings file to use while creating federated credentials.

credential.json — please update values as per your user/organisation and repository name.

{
  "name": "<any name for credential>",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "repo:<user/org>/<repo>:environment:Production",
  "description": "demo",
  "audiences": [
    "api://AzureADTokenExchange"
  ]
}

az ad app federated-credential create \
  --id <object id for AAD App created in first step> \
  --parameters credential.json

You can verify in the Azure Portal that the federated credential was created.

Create GitHub secrets

We will add the secrets AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID in GitHub, which the workflow uses to authenticate with Azure. It’s similar to how we do it while using an SPN with client credentials, but here we won’t add any secret or certificate credentials.

Everything is set up; now we can add a workflow to verify the connection.

Add a new workflow in your repository.

# .github/workflows/connect-azure.yml

name: Run Azure Login with OpenID Connect

on:
  push:
    branches:
      - main

# id-token: write lets the job request an OIDC token from GitHub
permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    # Must match the environment named in the federated credential subject
    environment: Production
    steps:
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: 'Run Azure CLI commands'
        run: |
          az account show

The workflow has a trigger set up for the main branch, so it runs when changes are pushed to main. Once the workflow is complete, the logs of the 'Run Azure CLI commands' step show the output of az account show, which verifies the connection to Azure from GitHub Actions.
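
The login only succeeds when the issuer, subject and audience in the token GitHub issues for the job match the federated credential exactly. The following is an added example, not code from the original post or its repository: it checks constructed, unsigned tokens against the values from credential.json, using GitHub's default subject formats. The repository name octo-org/demo-repo and all function names are assumptions made for illustration.

```python
import base64
import json

# Constructed sample values; "octo-org/demo-repo" is a placeholder repository.
CREDENTIAL = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject": "repo:octo-org/demo-repo:environment:Production",
    "audiences": ["api://AzureADTokenExchange"],
}

def expected_subject(repo, environment=None, ref=None, pull_request=False):
    """Default `sub` claim GitHub issues for a job (an environment wins if set)."""
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"

def make_token(claims):
    """Build an unsigned, constructed JWT-shaped string for offline checks."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def mismatches(credential, claims):
    """Fields on which the token fails the credential's exact-match check."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    ok = {
        "issuer": claims.get("iss") == credential["issuer"],
        "subject": claims.get("sub") == credential["subject"],
        "audience": bool(set(auds) & set(credential["audiences"])),
    }
    return [field for field, passed in ok.items() if not passed]

def check_job(**job):
    """Token a job in the placeholder repo would present, checked against CREDENTIAL."""
    claims = {"iss": CREDENTIAL["issuer"], "aud": "api://AzureADTokenExchange",
              "sub": expected_subject("octo-org/demo-repo", **job)}
    return mismatches(CREDENTIAL, jwt_claims(make_token(claims)))

if __name__ == "__main__":
    print(check_job(environment="Production"), check_job(ref="refs/heads/main"))
```

A job that pushes to main without being bound to the Production environment presents a ref-based subject, so it fails on the subject field even though issuer and audience are correct.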

This is how simple it is to set up a connection to Azure from GitHub Actions using federated credentials, without having to worry about client secrets or certificates.

If you have SPN credentials configured in your GitHub secrets, maybe it’s time to remove them and utilise workload identity to authenticate with Azure.

Thanks for reading and have a great day ahead :)

The CLI commands and related files used in this blog can be found at iqan/github-actions-connect-azure: Step by step guide to help connect Azure from GitHub Actions without using client secret.
