From 4528c762f2cf52ed4f46bbd956a2dc2408676c0b Mon Sep 17 00:00:00 2001 From: Xiang ZHU Date: Thu, 28 Sep 2023 21:27:32 +0200 Subject: [PATCH] github action azure login by OIDC --- .../2023/2023-09-22-github-actions-python.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/_posts/2023/2023-09-22-github-actions-python.md b/_posts/2023/2023-09-22-github-actions-python.md index 3cd4dc67..068a5b6a 100644 --- a/_posts/2023/2023-09-22-github-actions-python.md +++ b/_posts/2023/2023-09-22-github-actions-python.md @@ -121,3 +121,31 @@ In March 2023, there was a great news that Azure Service Principal was been [int ``` {% endraw %} + +We can also [setup OIDC between Github Action and Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux). It's practical because we do not need to worry about Azure SPN secret rotation. However, a drawback is that when setting up OIDC, we must add a filter (`subject` field in the credential.json). This could be a branch name, tag name, pull request, or environment name, we can not use wildcards in the filter, so we have to set up OIDC for each branch, tag, pull request or environment as needed. This is not very practical. + +To use OIDC with Github Action, we need to add the following to the workflow: +{% raw %} + +```yaml +... +permissions: + id-token: write + contents: read + +jobs: + a_job: + ... + steps: + - name: Azure login by OIDC + uses: azure/login@v1 + with: + # Official doc puts these 3 fields in secrets, but it's not necessary, + # as `subject` field in the credential.json prevent other repos from + # using the same credential. And these are not sensitive info neither. + tenant-id: ${{ vars.AZURE_TENANT_ID }} + subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }} + client-id: ${{ vars.AZURE_CLIENT_ID }} +``` + +{% endraw %}
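Review bot: the `permissions:` block with `id-token: write` sits at the workflow level in this hunk, so every job in the workflow is allowed to request an OIDC token, not only the job that runs `azure/login`; move it under `a_job:` so the token-minting permission is scoped to the one job that needs it. Two smaller points in the same hunk: `uses: azure/login@v1` references a mutable tag, pinning to a full commit SHA makes the referenced action immutable; and the YAML comment has grammar slips (`prevent` should be `prevents`, `neither` should be `either`). In the added prose, `setup OIDC` should read `set up OIDC`.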