
[Feature Request] BREAKING change: Authenticate to Azure from GH with OpenID Connect #1450

Open
1 task
Tracked by #1607
MariusStorhaug opened this issue May 30, 2022 · 4 comments · Fixed by #1452 · May be fixed by #1608
Assignees
Labels
blocked if an issue is blocked [cat] github category: GitHub [cat] pipelines category: pipelines enhancement New feature or request

Comments

@MariusStorhaug
Contributor

MariusStorhaug commented May 30, 2022

Description

Removing long-lived Azure credentials from the development environment is a key strategy to reduce vulnerabilities that hackers can easily exploit. We can now configure GitHub to deploy to Azure without creating, storing, or managing credentials for the Azure AD application (SPN), by using the Azure AD workload identity federation capability which is now GA (Build 2022 - Book of news).

1.7.2. GITHUB OPENID CONNECT WITH AZURE AD WORKLOAD IDENTITY FEDERATION NOW AVAILABLE

GitHub OpenID Connect (OIDC) with Azure Active Directory (Azure AD) workload identity federation, now generally available, minimizes the need for storing and accessing secrets. The new capabilities alleviate the need for managing Azure service principal secrets and other long-lived cloud credentials in the GitHub Actions secret store.

With this integration, users can manage all cloud resource access securely in Azure. These capabilities also minimize the chances of service downtime due to expired credentials in GitHub. Customers can integrate with developer platforms, like GitHub Actions, to build apps swiftly and securely. With workload identity federation, Azure AD removes the secrets necessary to access resources in selected scenarios – adding another layer of security and removing the burden of secret management.

Learn more about this update.

The required changes seem to be:

  • Add Federated Identity profile on the SPN in AAD. For this we need to choose a criterion of use, i.e.: Environment = 'Engineering'.

  • Add ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID to a new environment.

  • Add the following sections to the workflow files:

    permissions:
        id-token: write
        contents: read
    
    ...
    
    environment: Engineering   # we need to decide on this ofc
  • Ensure we have the related documentation updated
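The three steps above, modelled as an added example (this is not code from the issue author or from the repository): a small Python script that builds the `sub` claim GitHub puts in an Actions OIDC token for a given job, the federated credential body the app registration needs, and the checks Azure AD applies when it exchanges that token for the SPN. The owner `example-org`, repo `example-repo`, the credential name and the `Engineering` environment are assumptions for illustration; the issuer URL, the default `api://AzureADTokenExchange` audience and the subject formats are the ones GitHub and Azure AD actually use.

```python
"""Model of the GitHub Actions -> Azure AD workload identity federation trust.

Added example; not the repository's own code. Repo/owner/environment names are
assumed. It shows why scoping the federated credential to an environment means
a token minted for a pull request or a feature branch is NOT accepted.
"""
import time

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # default audience azure/login requests


def github_subject(owner, repo, *, environment=None, branch=None, pull_request=False):
    """Reproduce the `sub` claim of a GitHub Actions OIDC token.

    A job that declares `environment:` gets repo:O/R:environment:NAME; a job
    triggered by pull_request gets repo:O/R:pull_request; otherwise the ref
    form repo:O/R:ref:refs/heads/BRANCH is used.
    """
    base = f"repo:{owner}/{repo}"
    if environment:
        return f"{base}:environment:{environment}"
    if pull_request:
        return f"{base}:pull_request"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    raise ValueError("need an environment, a branch or pull_request=True")


def federated_credential(name, subject, audience=AZURE_AUDIENCE):
    """Body to hand to `az ad app federated-credential create --parameters`.

    Azure AD stores issuer + subject + audiences; no secret is created.
    """
    return {
        "name": name,
        "issuer": GITHUB_ISSUER,
        "subject": subject,
        "audiences": [audience],
    }


def token_is_accepted(claims, credential, now=None):
    """Checks Azure AD applies before issuing an access token for the SPN.

    Returns (accepted, reason). Subject matching is exact: the credential
    trusts one job context, not the whole repository.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != credential["issuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not set(auds) & set(credential["audiences"]):
        return False, "audience mismatch"
    if claims.get("sub") != credential["subject"]:
        return False, f"subject {claims.get('sub')!r} is not trusted"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def demo():
    """Constructed tokens (assumed names) run against an environment-scoped credential."""
    owner, repo = "example-org", "example-repo"  # assumption
    cred = federated_credential(
        "github-engineering",  # assumed credential name
        github_subject(owner, repo, environment="Engineering"),
    )
    now = 1_700_000_000  # fixed clock so the result is deterministic
    def token(sub, iss=GITHUB_ISSUER, exp=now + 300):
        return {"iss": iss, "aud": AZURE_AUDIENCE, "sub": sub, "exp": exp}

    cases = {
        "environment job": token(github_subject(owner, repo, environment="Engineering")),
        "pull_request job": token(github_subject(owner, repo, pull_request=True)),
        "feature branch job": token(github_subject(owner, repo, branch="feature/x")),
        "other issuer": token(cred["subject"], iss="https://evil.example"),
        "expired": token(cred["subject"], exp=now - 1),
    }
    return {name: token_is_accepted(tok, cred, now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The dict returned by `federated_credential` is the JSON you would save and pass to `az ad app federated-credential create --id <app-object-id> --parameters fic.json`; the matching `permissions: id-token: write` plus `environment: Engineering` in the workflow is what makes GitHub mint a token whose `sub` equals that credential's subject. Only the environment job is accepted; the same repository's pull-request and branch tokens are rejected on subject, which is the point of choosing the environment as the criterion.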

@MariusStorhaug MariusStorhaug added the enhancement New feature or request label May 30, 2022
@MariusStorhaug MariusStorhaug changed the title [Feature Request]: Authenticate to Azure with OpenID Connect [Feature Request]: Authenticate to Azure from GH with OpenID Connect May 30, 2022
@MariusStorhaug MariusStorhaug self-assigned this May 30, 2022
@MariusStorhaug MariusStorhaug linked a pull request May 30, 2022 that will close this issue
10 tasks
@MariusStorhaug MariusStorhaug added [cat] github category: GitHub [cat] pipelines category: pipelines labels May 30, 2022
@MariusStorhaug
Contributor Author

@MrMCake @eriqua @rahalan @mblant : I sorted out the settings on the AppReg so the OIDC config is in place.

@rahalan
Contributor

rahalan commented Jun 7, 2022

Needs further alignment #1465

@MariusStorhaug
Contributor Author

Aligning with #1085, environments will be used in GH.

@eriqua eriqua changed the title [Feature Request]: Authenticate to Azure from GH with OpenID Connect [Feature Request] BREAKING change: Authenticate to Azure from GH with OpenID Connect Jul 25, 2022
@AlexanderSehr AlexanderSehr removed this from the Release 0.7 milestone Aug 22, 2022
@eriqua
Contributor

eriqua commented Sep 1, 2022

Removing from upcoming release 0.7, will be worked on in the next one

@rahalan rahalan moved this to Blocked in Backlog Dec 11, 2022
@rahalan rahalan added this to Backlog Dec 11, 2022
@AlexanderSehr AlexanderSehr added this to the Azure Verfified Modules (AVM) - V3 milestone May 19, 2024
@AlexanderSehr AlexanderSehr removed this from the Azure Verfified Modules (AVM) - CI Issues milestone Jul 1, 2024
Projects
Status: Blocked
5 participants