Testing GitHub to Azure OIDC Workload Identity.
- Will you be using this identity with:
  - GitHub Repo Environments?
  - Pull Requests?
  - Tags?
  - Branches?

Each of these triggers presents itself to Entra as a different "entity type" (a different `sub` claim in the GitHub OIDC token), so the federated identity credential must be scoped to the entity type you actually use. A token issued for one entity type will not match a credential scoped to another.
Note
Currently this demo is set to only work with GitHub Repo Environments. As such your federated identity context will always be presented as `repo:${var.github_org_name}/${var.github_repo_name}:environment:${var.entity_name}`, and the federated credential subject must match that string exactly. The default Environment `entity_name` will be "demo" unless otherwise specified via env vars or a `*.tfvars` file.
```bash
#!/bin/bash
# Log into Azure with your personal user account; it needs rights to create
# app registrations and federated credentials, since Terraform runs as this user.
az login

# Needed if running in GitHub Codespaces: the injected GITHUB_TOKEN's scope does
# not allow writing GitHub Environment secrets, and gh would use it over your login.
# Safe to unset even if you're not in Codespaces.
unset GITHUB_TOKEN

# Log into GitHub (gh writes the Environment secrets the workflow will read).
gh auth login

# Move to the Terraform dir.
cd bootstrapping/terraform/

# Terraform song and dance
terraform init
terraform plan -out tfplan
terraform apply tfplan
```

See the example GitHub Actions Workflow.
Create a new Service Principal (App Registration) in Microsoft Entra ID (the artist formerly known as Azure Active Directory).
You must save the Client (App) ID and the Microsoft Entra Tenant ID into GitHub Secrets at the level matching the entity type you chose (Environment, Branch, Pull Request, or Tag), as specified in "Configure Federated Credential" above. No client secret or certificate is stored anywhere: the GitHub OIDC token takes its place, which is the point of using a federated credential.
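The following is an added example, not code from this repo or from the Terraform under `bootstrapping/`. It ties together the entity-type scoping described above and the federated credential you create on the app registration: `github_subject` builds the `sub` claim GitHub issues for each of the four entity types (`environment`, `pull_request`, `branch`, `tag`), `federated_credential` emits the parameters body you would hand to `az ad app federated-credential create --id <APP_ID> --parameters <file>`, and `token_matches` replicates the exact `iss`/`sub` and audience check Entra performs. The org/repo names, credential name and the two sample claim sets are constructed for illustration; the issuer and the `api://AzureADTokenExchange` audience are the real defaults used by GitHub and `azure/login`. The branch-push sample shows the failure mode this demo's Environment-only scoping produces: a job that omits `environment:` gets a `ref:`-based subject and the login fails even though repo and branch are right.

```python
"""Added example (not this repo's code): GitHub OIDC subject shapes per
entity type, the matching federated credential body, and why a token from
the wrong trigger is rejected."""
import json
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Audience azure/login requests by default; the credential must list it.
AZURE_AUDIENCE = "api://AzureADTokenExchange"


def github_subject(org: str, repo: str, entity_type: str,
                   name: Optional[str] = None) -> str:
    """Return the `sub` claim GitHub issues for the given trigger."""
    prefix = f"repo:{org}/{repo}"
    if entity_type == "pull_request":
        return f"{prefix}:pull_request"
    if name is None:
        raise ValueError(f"{entity_type} subjects need a name")
    if entity_type == "environment":
        return f"{prefix}:environment:{name}"
    if entity_type == "branch":
        return f"{prefix}:ref:refs/heads/{name}"
    if entity_type == "tag":
        return f"{prefix}:ref:refs/tags/{name}"
    raise ValueError(f"unknown entity type: {entity_type}")


def federated_credential(cred_name: str, org: str, repo: str,
                         entity_type: str, name: Optional[str] = None) -> dict:
    """Body for `az ad app federated-credential create --parameters <file>`."""
    return {
        "name": cred_name,
        "issuer": GITHUB_ISSUER,
        "subject": github_subject(org, repo, entity_type, name),
        "audiences": [AZURE_AUDIENCE],
        "description": f"GitHub Actions {entity_type} {name or ''}".strip(),
    }


def token_matches(claims: dict, cred: dict) -> bool:
    """Exact iss/sub match plus audience membership: a classic federated
    credential subject is a literal string, not a pattern."""
    aud = claims.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == cred["issuer"]
        and claims.get("sub") == cred["subject"]
        and any(a in cred["audiences"] for a in auds)
    )


# Constructed sample claims (subset of a decoded GitHub OIDC token payload).
# Job that declares `environment: demo`:
ENV_TOKEN_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": AZURE_AUDIENCE,
    "sub": "repo:octo-org/octo-repo:environment:demo",
    "repository": "octo-org/octo-repo",
    "environment": "demo",
    "ref": "refs/heads/main",
}
# Same repo and branch, but the job has no `environment:` key:
BRANCH_TOKEN_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "aud": AZURE_AUDIENCE,
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "repository": "octo-org/octo-repo",
    "ref": "refs/heads/main",
}


if __name__ == "__main__":
    cred = federated_credential("gh-demo-env", "octo-org", "octo-repo",
                                "environment", "demo")
    print(json.dumps(cred, indent=2))
    print("environment job accepted:", token_matches(ENV_TOKEN_CLAIMS, cred))
    print("branch job accepted:", token_matches(BRANCH_TOKEN_CLAIMS, cred))
```

If you later want the same app registration to serve a tag or branch trigger as well, add a second federated credential with that subject rather than loosening the existing one; each credential is one exact subject, and keeping them separate is what keeps a pull request from being able to assume the deployment identity.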