GitHub Actions workflow with OIDC based authentication against Azure

Create a workflow that uses GitHub Actions OIDC provider for authentication against Azure

Step 1: Configure OIDC in Azure

Welcome to "GitHub Actions workflow with OIDC based authentication against Azure"! 👋

In this step you'll configure OIDC in your Azure tenant.

What is Azure: Azure is the cloud platform of Microsoft.

What is a tenant: An Azure AD tenant is a reserved Azure AD service instance that an organization receives and owns once it signs up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365.

What is OIDC: OpenID Connect or OIDC is an identity protocol that utilizes the authorization and authentication mechanisms of OAuth 2.0.

What is a branch?: A branch is a parallel version of your repository. By default, your repository has one branch named main and it is considered to be the definitive branch. You can create additional branches off of main in your repository. You can use branches to have different versions of a project at one time.

⌨️ Activity: Configure OIDC in Azure

1. Open a new browser tab, and work on the steps in your second tab while you read the instructions in this tab
2. Create an Azure Active Directory application and service principal by following the steps under the link
   • Assign role Contributor on subscription to the application
3. Add federated credentials by following the steps under the link
   • Entity type: Branch
   • GitHub branch name: deploy-resource-group
4. Create GitHub secrets by following the steps under the link
5. If you are done, create a new branch with name deploy-resource-group
6. Wait about 20 seconds then refresh this page for the next step

Step 2: Create workflow

You did configure OIDC in Azure and created a branch! 🎉

Configuring OIDC in Azure allows you to authenticate in a GitHub Actions workflow without the need of storing an access token in GitHub!

What is a workflow: A workflow is a configurable automated process that will run one or more jobs. Workflows are defined by a YAML file checked in to your repository and will run when triggered by an event in your repository, or they can be triggered manually, or at a defined schedule.

⌨️ Activity: Create workflow

The following steps will guide you through the process of creating a GitHub Actions workflow.

1. On the Code tab, make sure you're on your new branch deploy-resource-group
2. Click on tab Settings
3. In section Default branch switch the default branch to deploy-resource-group (click on button <--> to switch default branch)
4. Click on tab Actions
5. Click on button new workflow
6. Choose Simple workflow and click Configure
7. Rename file to my-first-workflow.yml
8. Replace content of .yml file with the following content

name: Run Azure Login with OpenID Connect and PowerShell
on: [push]

permissions:
      id-token: write
      contents: read
      
jobs: 
  Windows-latest:
      runs-on: windows-latest
      steps:
        - name: OIDC Login to Azure Public Cloud with AzPowershell (enableAzPSSession true)
          uses: azure/login@v1
          with:
            client-id: ${{ secrets.AZURE_CLIENT_ID }}
            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
            enable-AzPSSession: true

        - name: 'Create resource group with PowerShell action'
          uses: azure/powershell@v1
          with:
             inlineScript: |
               New-AzResourceGroup -Name MyFirstResourceGroup -Location "South Central US"
             azPSVersion: "latest"

10. Click Commit changes... button
11. Wait until the GitHub Actions workflow finished and then refresh this page for the next step

Finish

Congratulations friend, you've completed this course!

Here's a recap of all the tasks you've accomplished in this course:

• You configured OIDC in Azure by adding the Federated Credentials to Azure
• You created your first GitHub Actions workflow that uses GitHub Actions OIDC provider for authentication against Azure
• The execution of this workflow create a resource group in your Azure tenant by using best practice authentication

What's next?

• I'd love to hear what you thought of this course
• Check out using environments for deployment
• Check out reusable workflows
• Check out Assigning permissions to jobs
• To find projects to contribute to, check out GitHub Explore

---

Get help: About security hardening with OpenID Connect • Review the GitHub status page

© 2023 Marc Rufer • Code of Conduct • License