Merge pull request #197762 from juliakm/users/jukullam/oidc-arm

Adding Open ID authentication option to ARM GitHub Actions article

Author: LJSpiller

articles/azure-resource-manager/templates/deploy-github-actions.md

@@ -2,7 +2,7 @@
 title: Deploy Resource Manager templates by using GitHub Actions
 description: Describes how to deploy Azure Resource Manager templates (ARM templates) by using GitHub Actions.
 ms.topic: conceptual
-ms.date: 02/07/2022
+ms.date: 05/10/2022
 ms.custom: github-actions-azure
 ---
 
@@ -27,11 +27,13 @@ The file has two sections:
 
 |Section  |Tasks  |
 |---------|---------|
-|**Authentication** | 1. Define a service principal. <br /> 2. Create a GitHub secret. |
+|**Authentication** | 1. Generate deployment credentials. |
 |**Deploy** | 1. Deploy the Resource Manager template. |
 
 ## Generate deployment credentials
 
+# [Service principal](#tab/userlevel)
+
 You can create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
 
 Create a resource group if you do not already have one.
@@ -61,8 +63,29 @@ In the example above, replace the placeholders with your subscription ID and res
 > [!IMPORTANT]
 > It is always a good practice to grant minimum access. The scope in the previous example is limited to the resource group.
 
+# [OpenID Connect](#tab/openid)
+
+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
+
+1. Open your GitHub repository and go to **Settings**.
+
+1. Select **Settings > Secrets > New secret**.
+
+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
+
+    |GitHub Secret  | Active Directory Application  |
+    |---------|---------|
+    |AZURE_CLIENT_ID     |      Application (client) ID   |
+    |AZURE_TENANT_ID     |     Directory (tenant) ID    |
+    |AZURE_SUBSCRIPTION_ID     |     Subscription ID    |
+
+1. Save each secret by selecting **Add secret**.
+
+---
 ## Configure the GitHub secrets
 
+# [Service principal](#tab/userlevel)
+
 You need to create secrets for your Azure credentials, resource group, and subscriptions.
 
 1. In [GitHub](https://github.com/), browse your repository.
@@ -75,6 +98,25 @@ You need to create secrets for your Azure credentials, resource group, and subsc
 
 1. Create an additional secret named `AZURE_SUBSCRIPTION`. Add your subscription ID to the secret's value field (example: `90fd3f9d-4c61-432d-99ba-1273f236afa2`).
 
+# [OpenID Connect](#tab/openid)
+
+You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
+
+1. Open your GitHub repository and go to **Settings**.
+
+1. Select **Settings > Secrets > New secret**.
+
+1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
+
+    |GitHub Secret  | Active Directory Application  |
+    |---------|---------|
+    |AZURE_CLIENT_ID     |      Application (client) ID   |
+    |AZURE_TENANT_ID     |     Directory (tenant) ID    |
+    |AZURE_SUBSCRIPTION_ID     |     Subscription ID    |
+
+1. Save each secret by selecting **Add secret**.
+
+---
 ## Add Resource Manager template
 
 Add a Resource Manager template to your GitHub repository. This template creates a storage account.
@@ -94,8 +136,9 @@ The workflow file must be stored in the **.github/workflows** folder at the root
 1. Select **set up a workflow yourself**.
 1. Rename the workflow file if you prefer a different name other than **main.yml**. For example: **deployStorageAccount.yml**.
 1. Replace the content of the yml file with the following:
+  # [Service principal](#tab/userlevel)
 
-    ```yml
+  ```yml
     on: [push]
     name: Azure ARM
     jobs:
@@ -122,15 +165,57 @@ The workflow file must be stored in the **.github/workflows** folder at the root
 
           # output containerName variable from template
         - run: echo ${{ steps.deploy.outputs.containerName }}
-    ```
+  ```
+
+  > [!NOTE]
+  > You can specify a JSON format parameters file instead in the ARM Deploy action (example: `.azuredeploy.parameters.json`).
+
+  The first section of the workflow file includes:
+
+  - **name**: The name of the workflow.
+  - **on**: The name of the GitHub events that triggers the workflow. The workflow is trigger when there is a push event on the main branch, which modifies at least one of the two files specified. The two files are the workflow file and the template file.
+  
+  # [OpenID Connect](#tab/openid)
+ 
+  ```yml
+    on: [push]
+    name: Azure ARM
+    jobs:
+      build-and-deploy:
+        runs-on: ubuntu-latest
+        steps:
+
+          # Checkout code
+        - uses: actions/checkout@main
+
+          # Log into Azure
+        - uses: azure/login@v1
+          with:
+            client-id: ${{ secrets.AZURE_CLIENT_ID }}
+            tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+            subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+          # Deploy ARM template
+        - name: Run ARM deploy
+          uses: azure/arm-deploy@v1
+          with:
+            subscriptionId: ${{ secrets.AZURE_SUBSCRIPTION }}
+            resourceGroupName: ${{ secrets.AZURE_RG }}
+            template: ./azuredeploy.json
+            parameters: storageAccountType=Standard_LRS
+
+          # output containerName variable from template
+        - run: echo ${{ steps.deploy.outputs.containerName }}
+  ```
 
-    > [!NOTE]
-    > You can specify a JSON format parameters file instead in the ARM Deploy action (example: `.azuredeploy.parameters.json`).
+  > [!NOTE]
+  > You can specify a JSON format parameters file instead in the ARM Deploy action (example: `.azuredeploy.parameters.json`).
 
-    The first section of the workflow file includes:
+  The first section of the workflow file includes:
 
-    - **name**: The name of the workflow.
-    - **on**: The name of the GitHub events that triggers the workflow. The workflow is trigger when there is a push event on the main branch, which modifies at least one of the two files specified. The two files are the workflow file and the template file.
+  - **name**: The name of the workflow.
+  - **on**: The name of the GitHub events that triggers the workflow. The workflow is trigger when there is a push event on the main branch, which modifies at least one of the two files specified. The two files are the workflow file and the template file.
+  ---
 
 1. Select **Start commit**.
 1. Select **Commit directly to the main branch**.