Commit 551f0b7

Merge pull request #223345 from juliakm/users/jukullam/update-gha-for-oidc-jan9
Update credentials to OIDC for GitHub Actions tutorials
2 parents 4bf2bc8 + 0e272e3 commit 551f0b7

2 files changed

+7
-42
lines changed

articles/app-service/app-service-sql-asp-github-actions.md

Lines changed: 4 additions & 20 deletions
@@ -3,7 +3,7 @@ title: "Tutorial: Use GitHub Actions to deploy to App Service and connect to a d
33
description: Deploy a database-backed ASP.NET core app to Azure with GitHub Actions
44
ms.devlang: csharp
55
ms.topic: tutorial
6-
ms.date: 09/13/2021
6+
ms.date: 01/09/2023
77
ms.author: jukullam
88
ms.custom: github-actions-azure
99
---
@@ -49,34 +49,18 @@ az group create --name {resource-group-name} --location {resource-group-location
4949

5050
## Generate deployment credentials
5151

52-
You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
53-
54-
```azurecli-interactive
55-
az ad sp create-for-rbac --name "{service-principal-name}" --sdk-auth --role contributor --scopes /subscriptions/{subscription-id}
56-
```
57-
58-
In the example, replace the placeholders with your subscription ID, resource group name, and service principal name. The output is a JSON object with the role assignment credentials that provide access to your App Service app. Copy this JSON object for later. For help, go to [configure deployment credentials](https://github.com/Azure/login#configure-deployment-credentials).
59-
60-
```output
61-
{
62-
"clientId": "<GUID>",
63-
"clientSecret": "<GUID>",
64-
"subscriptionId": "<GUID>",
65-
"tenantId": "<GUID>",
66-
(...)
67-
}
68-
```
52+
[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-openid-credentials.md)]
6953

7054
## Configure the GitHub secret for authentication
7155

72-
[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
56+
[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-openid-only.md)]
7357

7458
## Add GitHub secrets for your build
7559

7660
1. Create [two new secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository) in your GitHub repository for `SQLADMIN_PASS` and `SQLADMIN_LOGIN`. Make sure you choose a complex password, otherwise the create step for the SQL database server will fail. You won't be able to access this password again so save it separately.
7761

7862
2. Create an `AZURE_SUBSCRIPTION_ID` secret for your Azure subscription ID. If you do not know your subscription ID, use this command in the Azure Shell to find it. Copy the value in the `SubscriptionId` column.
79-
```azurecli
63+
```azurecliu
8064
az account list -o table
8165
```
8266
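
Review bot: The fence tag on new line 63 changes from `azurecli` to `azurecliu`, which looks like a stray keystroke rather than an intended edit, and it is unrelated to the credentials change this commit describes. Revert it to `azurecli` so the `az account list -o table` block keeps the same tag as before.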

articles/app-service/app-service-sql-github-actions.md

Lines changed: 3 additions & 22 deletions
@@ -3,7 +3,7 @@ title: "Tutorial: Use GitHub Actions to deploy to an App Service custom containe
33
description: Learn how to deploy an ASP.NET core app to Azure and to Azure SQL Database with GitHub Actions
44
ms.devlang: csharp
55
ms.topic: tutorial
6-
ms.date: 04/22/2021
6+
ms.date: 01/09/2023
77
ms.author: jukullam
88
ms.custom: github-actions-azure
99
---
@@ -47,30 +47,11 @@ Open the Azure Cloud Shell at https://shell.azure.com. You can alternately use t
4747

4848
## Generate deployment credentials
4949

50-
You'll need to authenticate with a service principal for the resource deployment script to work. You can create a [service principal](../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) with the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command in the [Azure CLI](/cli/azure/). Run this command with [Azure Cloud Shell](https://shell.azure.com/) in the Azure portal or by selecting the **Try it** button.
51-
52-
```azurecli-interactive
53-
az ad sp create-for-rbac --name "{service-principal-name}" --sdk-auth --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}
54-
```
55-
56-
In the example, replace the placeholders with your subscription ID, resource group name, and service principal name. The output is a JSON object with the role assignment credentials that provide access to your App Service app. Copy this JSON object for later. For help, go to [configure deployment credentials](https://github.com/Azure/login#configure-deployment-credentials).
57-
58-
```output
59-
{
60-
"clientId": "<GUID>",
61-
"clientSecret": "<GUID>",
62-
"subscriptionId": "<GUID>",
63-
"tenantId": "<GUID>",
64-
(...)
65-
}
66-
```
67-
68-
> [!IMPORTANT]
69-
> It is always a good practice to grant minimum access. The scope in the previous example is limited to the specific App Service app and not the entire resource group.
50+
[!INCLUDE [include](~/articles/reusable-content/github-actions/generate-openid-credentials.md)]
7051

7152
## Configure the GitHub secret for authentication
7253

73-
[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-service-principal.md)]
54+
[!INCLUDE [include](~/articles/reusable-content/github-actions/create-secrets-openid-only.md)]
7455

7556
## Add a SQL Server secret
7657
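
Review bot: The `[!IMPORTANT]` note removed at old lines 68-69 was the only least-privilege guidance in this section, and nothing visible in this hunk replaces it. Please confirm that generate-openid-credentials.md tells the reader to scope the role assignment (the removed command here used /subscriptions/{subscription-id}/resourceGroups/{resource-group-name}), or keep a short note after the include at new line 50. The removed command in app-service-sql-asp-github-actions.md was scoped to the whole subscription, so the shared include now decides the scope for both tutorials, and this diff does not show what it says.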
