github action azure login by OIDC

copdips · Sep 28, 2023 · 4528c76 · 4528c76
1 parent 6ee7470
commit 4528c76
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/_posts/2023/2023-09-22-github-actions-python.md b/_posts/2023/2023-09-22-github-actions-python.md
@@ -121,3 +121,31 @@ In March 2023, there was a great news that Azure Service Principal was been [int
     ```
 
     {% endraw %}
+
+We can also [setup OIDC between Github Action and Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux). It's practical because we do not need to worry about Azure SPN secret rotation. However, a drawback is that when setting up OIDC, we must add a filter (`subject` field in the credential.json). This could be a branch name, tag name, pull request, or environment name, we can not use wildcards in the filter, so we have to set up OIDC for each branch, tag, pull request or environment as needed. This is not very practical.
+
+To use OIDC with Github Action, we need to add the following to the workflow:
+{% raw %}
+
+```yaml
+...
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  a_job:
+    ...
+    steps:
+      - name: Azure login by OIDC
+        uses: azure/login@v1
+        with:
+          # Official doc puts these 3 fields in secrets, but it's not necessary,
+          # as `subject` field in the credential.json prevent other repos from
+          # using the same credential. And these are not sensitive info neither.
+          tenant-id: ${{ vars.AZURE_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+          client-id: ${{ vars.AZURE_CLIENT_ID }}
+```
+
+{% endraw %}