OpenID Connect

This directory contains a Bash script oidc.sh that will configure OpenID Connect (OIDC) to connect from GitHub Actions to Azure, without the need to store the Azure credentials as long-lived GitHub secrets.

It will:

  1. Create a Microsoft Entra application
  2. Create a service principal for the Microsoft Entra application
  3. Create federated credentials for the Microsoft Entra application
  4. Create Azure role assignments for the service principal
  5. Set GitHub secrets AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID and AZURE_TENANT_ID

The script accepts the following arguments:

  1. The path of the JSON file containing the OIDC configuration
  2. (Optional) The GitHub repository to configure OIDC from.
  3. (Optional) The ID of the Azure subscription to configure OIDC to.

Prerequisites

  • Install Azure CLI - to create the Microsoft Entra application, service principal and Azure role assignments.
  • Install GitHub CLI - to set GitHub secrets.
  • Install jq - to parse the JSON configuration file.
  • Microsoft Entra role Application Developer - to create the Microsoft Entra application and service principal.
  • Azure role Owner - to create Azure role assignments.
  • GitHub repository role Admin - to set GitHub secrets.

Configuration

Example configuration:

{
  "appName": "GitHub app",
  "federatedCredentials": [
    {
      "name": "github-federated-identity",
      "subject": "repo:${REPO}:environment:Development",
      "description": "GitHub service principal federated identity"
    }
  ],
  "roleAssignments": [
    {
      "scope": "/subscriptions/${SUBSCRIPTION_ID}",
      "role": "Contributor"
    }
  ]
}

Note

The value of .federatedCredentials[].subject should contain the prefix repo:${REPO}:.

The value of .roleAssignments[].scope should contain the prefix /subscriptions/${SUBSCRIPTION_ID}.
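The two prefix rules above are what keep the federated identity bound to one repository and the role assignments inside one subscription, so they are worth checking before oidc.sh is run. The following added example (not part of this repository; written in Python rather than bash/jq so it needs only the standard library) renders the ${REPO} and ${SUBSCRIPTION_ID} placeholders the way the README describes and reports any subject that would trust another repository or any scope that lands outside the target subscription. The embedded configuration is the README's own example, and the subscription id in the usage call is a constructed placeholder.

```python
import json
from string import Template

# Constructed sample: the README's example oidc.json, with its ${REPO} and
# ${SUBSCRIPTION_ID} placeholders still unrendered.
SAMPLE_CONFIG = """{
  "appName": "GitHub app",
  "federatedCredentials": [
    {"name": "github-federated-identity",
     "subject": "repo:${REPO}:environment:Development",
     "description": "GitHub service principal federated identity"}
  ],
  "roleAssignments": [
    {"scope": "/subscriptions/${SUBSCRIPTION_ID}", "role": "Contributor"}
  ]
}"""

def render_config(raw_json: str, repo: str, subscription_id: str) -> dict:
    """Substitute ${REPO} and ${SUBSCRIPTION_ID}; any other ${...} raises KeyError."""
    rendered = Template(raw_json).substitute(REPO=repo, SUBSCRIPTION_ID=subscription_id)
    return json.loads(rendered)

def validate_config(config: dict, repo: str, subscription_id: str) -> list:
    """Return the problems found; an empty list means the config is safe to apply."""
    problems = []
    subject_prefix = f"repo:{repo}:"                      # trust only this repository
    scope_prefix = f"/subscriptions/{subscription_id}"    # stay inside this subscription
    for cred in config.get("federatedCredentials", []):
        subject = cred.get("subject", "")
        # A subject for another repo would let that repo's workflows assume this identity.
        if not subject.startswith(subject_prefix) or subject == subject_prefix:
            problems.append(f"federatedCredentials[{cred.get('name')}]: subject {subject!r} not scoped to {repo}")
    for ra in config.get("roleAssignments", []):
        scope = ra.get("scope", "")
        # Allow the subscription itself or anything below it; '/subscriptions/<id>1' must not pass.
        if not (scope == scope_prefix or scope.startswith(scope_prefix + "/")):
            problems.append(f"roleAssignments[{ra.get('role')}]: scope {scope!r} outside {scope_prefix}")
    return problems

def check(raw_json: str, repo: str, subscription_id: str) -> list:
    """Render, then validate: a pre-flight step to run before oidc.sh."""
    return validate_config(render_config(raw_json, repo, subscription_id), repo, subscription_id)

if __name__ == "__main__":
    # Constructed subscription id; the repository name is the one from the README's usage example.
    for problem in check(SAMPLE_CONFIG, "equinor/ops-actions", "00000000-0000-0000-0000-000000000000"):
        print("PROBLEM:", problem)
```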

Usage

  1. Open Bash.

  2. Log in to Azure:

    az login

  3. Log in to GitHub:

    gh auth login

  4. Configure the application name, federated credentials and role assignments in a file oidc.json.

  5. Run the script oidc.sh:

    ./oidc.sh <CONFIG_FILE> [<REPO>] [<SUBSCRIPTION_ID>]

    For example, configure OIDC from the GitHub repository containing the configuration file to the active Azure subscription:

    ./oidc.sh oidc.json

    Or, configure OIDC from the specified GitHub repository to the specified Azure subscription:

    ./oidc.sh oidc.json equinor/ops-actions 034ce851-5375-47b3-8ed2-0a637c9d4141

After running the oidc.sh script

After the App Registration has been created, Equinor policy requires that one or more Application Owners from Equinor be set for the App Registration, as well as a CI reference.

The CI reference and the appropriate Application Owners can be found in ServiceNow's list for IT applications, under the relevant application.

Updating configuration

Updating the oidc.json configuration file requires you to run the oidc.sh script again. Rerunning the script only performs create/update operations, not delete operations.

For example:

  • When updating the App Registration name, a new App Registration will be created, and you'll need to manually delete the old one.
  • When adding, updating or removing federated credentials in the configuration file, you'll need to manually delete old federated credentials from the App Registration.
  • When adding, updating or removing role assignments in the configuration file, you'll need to manually delete old role assignments.

Troubleshooting

  • If running the script in Git Bash, you might encounter the error message InvalidSchema: No connection adapters were found. To fix it, set the following environment variable: export MSYS_NO_PATHCONV=1.

References