Disclaimer

The following example uses the beta Azure CLI. The CLI change it relies on is not yet available in the stable release of Azure CLI.

When deploying from GitHub Actions to Azure you have to log in to Azure with the azure/login action. Until now this action required a Service Principal secret, which is typically stored in GitHub secrets. That secret is a long-lived credential, however: it is exposed to every workflow that references it, any step in such a workflow can read it, and it can be leaked, for example by writing it to the log output with echo.

With the new azure/login@v1.4.0 action you can use federated credentials (OpenID Connect) to log in to Azure. GitHub issues a short-lived OIDC token to each workflow run, and Azure Active Directory is configured to trust tokens from GitHub for one specific repository, so there is no need for a password or secret anymore.

Create App registration and Federated Credential in Azure

First start by creating a normal App registration in Azure Active Directory. After that go to Certificates & secrets and then to the tab Federated credentials.

Federated Credentials in AAD

Create a Federated Credential in Azure Active Directory. This is the credential that will be used to log in to Azure. Fill in the correct values for your GitHub repository. A federated credential consists of three parts: the issuer (GitHub's token endpoint, https://token.actions.githubusercontent.com), the subject identifier (the repository plus the branch, environment, tag or pull request the token must originate from) and the audience (api://AzureADTokenExchange, which is what azure/login requests). The subject identifier is what limits who can log in with this app registration, so it should name exactly the repository and branch (or environment) that runs the deployment.

Federated Credentials creation

Modify the GitHub workflow to use Federated Credentials to log in to Azure

After creating the App registration and Federated Credential you can modify the GitHub workflow to use the federated credential.

An example of the modified workflow is shown below.

name: deploy

on:
  push:
    branches: [ main ]
  workflow_dispatch:

# id-token: write lets the job request an OIDC token from GitHub; without it
# azure/login cannot obtain one. contents: read is all that checkout needs.
permissions:
  id-token: write
  contents: read

jobs:
  deploy_ota:
    runs-on: ubuntu-latest
    name: Deploy
    steps:
      - uses: actions/checkout@v2
      - name: Install CLI-beta
        run: |
          cd ../..
          CWD="$(pwd)"
          python3 -m venv oidc-venv
          . oidc-venv/bin/activate
          echo "activated environment"
          python3 -m pip install --upgrade pip
          echo "started installing cli beta"
          pip install -q --extra-index-url https://azcliprod.blob.core.windows.net/beta/simple/ azure-cli
          echo "installed cli beta"
          echo "$CWD/oidc-venv/bin" >> $GITHUB_PATH

      # Login to Azure with the federated credential: no client secret is passed.
      - name: Azure Login Xpirit
        uses: azure/login@v1.4.0
        with:
          client-id: ${{ secrets.AZURE_CLIENTID }}
          tenant-id: ${{ secrets.AZURE_TENANTID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}

      - name: 'Run az commands'
        run: |
          az account set -s 'Microsoft Azure Sponsorship 2020'
          az group create -l westeurope -n rg-githubexporter
          az deployment group create -g rg-githubexporter --template-file ./main.bicep --parameters ./parameters.json

The important part is the change to the azure/login@v1.4.0 action. Instead of a client secret, the action now receives only the client id, tenant id and subscription id. None of these three values is a secret in itself (they are identifiers, not credentials), so keeping them in GitHub secrets is a matter of convenience rather than protection. Authentication rests on the trust configured in Azure Active Directory: GitHub mints a short-lived OIDC token for the workflow run, azure/login presents it, and Azure AD exchanges it for an access token only when the token's issuer, subject and audience match the federated credential. Because a fresh token is issued per run and expires quickly, there is no long-lived password or secret to store, rotate or leak.
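To make the trust relationship concrete, the following Python model reproduces the claim check that sits behind both the federated credential created earlier and the login step above. It is an added example for this post, not code from azure/login, the Azure CLI or Azure AD. It builds a constructed, unsigned GitHub-style OIDC token (no signature is verified; a real exchange also checks the signature against GitHub's published keys), derives the subject claim the way GitHub documents it for the different trigger types, and checks it against a federated credential with exact matching of issuer, subject and audience. The repository name example-org/example-repo is a placeholder.

```python
"""Model of the trust a federated credential establishes between GitHub and Azure AD.

Added example, not part of azure/login or Azure. Tokens here are constructed
test data with no signature; only the claim matching is illustrated.
"""
import base64
import json
from dataclasses import dataclass
from typing import Optional, Tuple

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # audience azure/login requests


@dataclass(frozen=True)
class FederatedCredential:
    """What the Federated credentials tab of the app registration stores."""
    issuer: str
    subject: str
    audiences: Tuple[str, ...]


def github_subject(repo: str, event_name: str, ref: str,
                   environment: Optional[str] = None) -> str:
    """Subject claim GitHub puts in the OIDC token for a workflow run.

    Follows GitHub's documented format: a job environment, when set, takes
    precedence; pull_request events get a fixed subject; otherwise the
    triggering ref (branch or tag) is used.
    """
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if event_name == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only)."""
    return json.loads(b64url_decode(token.split(".")[1]))


def make_token(claims: dict) -> str:
    """Build an unsigned JWT-shaped string from constructed claims (test data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def matches(cred: FederatedCredential, claims: dict) -> bool:
    """Exact match: any difference in issuer, subject or audience is a refusal."""
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    return (
        claims.get("iss") == cred.issuer
        and claims.get("sub") == cred.subject
        and any(a in cred.audiences for a in auds)
    )


# Credential as it would be configured for the workflow in this post:
# pushes to main of one repository (placeholder name).
CRED = FederatedCredential(
    issuer=GITHUB_ISSUER,
    subject=github_subject("example-org/example-repo", "push", "refs/heads/main"),
    audiences=(AZURE_AUDIENCE,),
)


def login_allowed(repo: str, event_name: str, ref: str,
                  environment: Optional[str] = None) -> bool:
    """Would the token exchange behind azure/login succeed for this run?"""
    token = make_token({
        "iss": GITHUB_ISSUER,
        "sub": github_subject(repo, event_name, ref, environment),
        "aud": AZURE_AUDIENCE,
    })
    return matches(CRED, jwt_claims(token))


if __name__ == "__main__":
    cases = [
        ("example-org/example-repo", "push", "refs/heads/main", None),
        ("example-org/example-repo", "workflow_dispatch", "refs/heads/main", None),
        ("example-org/example-repo", "push", "refs/heads/feature", None),
        ("example-org/example-repo", "pull_request", "refs/pull/7/merge", None),
        ("someone-else/example-repo", "push", "refs/heads/main", None),
    ]
    for repo, event, ref, env in cases:
        print(f"{event:18} {ref:22} {repo:28} ->",
              "allowed" if login_allowed(repo, event, ref, env) else "denied")
```

The cases at the bottom mirror the workflow's triggers: a push to main and a workflow_dispatch on main both produce the subject the credential was created for, while a feature branch, a pull request or a fork with the same repository name produce a different subject and are refused. This is why a credential created for a branch stops working the moment the same job is moved into a GitHub environment, and why the subject should be chosen deliberately rather than copied from an example.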

This sample uses the beta version of the Azure CLI. To install it, see Azure CLI Beta.