Merge pull request #274559 from tomvcassidy/removingOIDC

v-shils · web-flow · commit 74196da27354 · 2024-05-07T12:08:34.000-07:00
removing oidc instructions
diff --git a/articles/container-instances/container-instances-github-action.md b/articles/container-instances/container-instances-github-action.md
@@ -6,7 +6,7 @@ ms.author: tomcassidy
 author: tomvcassidy
 ms.service: container-instances
 services: container-instances
-ms.date: 12/09/2022
+ms.date: 05/07/2024
 ms.custom: github-actions-azure, devx-track-azurecli
 ---
 
@@ -24,7 +24,7 @@ This article shows how to set up a workflow in a GitHub repo that performs the f
 
 This article shows two ways to set up the workflow:
 
-* [Configure GitHub workflow](#configure-github-workflow) - Create a workflow in a GitHub repo using the Deploy to Azure Container Instances action and other actions.
+* [Configure GitHub workflow](#configure-github-workflow) - Create a workflow in a GitHub repo using the Deploy to Azure Container Instances action and other actions.  
 * [Use CLI extension](#use-deploy-to-azure-extension) - Use the `az container app up` command in the [Deploy to Azure](https://github.com/Azure/deploy-to-azure-cli-extension) extension in the Azure CLI. This command streamlines creation of the GitHub workflow and deployment steps.
 
 > [!IMPORTANT]
@@ -50,8 +50,6 @@ This article shows two ways to set up the workflow:
 
 ### Create credentials for Azure authentication
 
-# [Service principal](#tab/userlevel)
-
 In the GitHub workflow, you need to supply Azure credentials to authenticate to the Azure CLI. The following example creates a service principal with the Contributor role scoped to the resource group for your container registry.
 
 First, get the resource ID of your resource group. Substitute the name of your group in the following [az group show][az-group-show] command:
@@ -68,7 +66,7 @@ Use [az ad sp create-for-rbac][az-ad-sp-create-for-rbac] to create the service p
 az ad sp create-for-rbac \
   --scope $groupId \
   --role Contributor \
-  --json-auth
+  --sdk-auth
 ```
 
 Output is similar to:
@@ -90,68 +88,9 @@ Output is similar to:
 
 Save the JSON output because it is used in a later step. Also, take note of the `clientId`, which you need to update the service principal in the next section.
 
-# [OpenID Connect](#tab/openid)
-
-OpenID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.
-
-1.  If you do not have an existing application, register a [new Active Directory application and service principal that can access resources](../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.
-
-    ```azurecli-interactive
-    az ad app create --display-name myApp
-    ```
-
-    This command will output JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.
-
-    You'll use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
-
-1. Create a service principal. Replace the `$appID` with the appId from your JSON output.
-
-    This command generates JSON output with a different `objectId` and will be used in the next step. The new  `objectId` is the `assignee-object-id`.
-
-    Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.
-
-    ```azurecli-interactive
-     az ad sp create --id $appId
-    ```
-
-1. Create a new role assignment by subscription and object. By default, the role assignment will be tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).
-
-    ```azurecli-interactive
-    az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id  $assigneeObjectId --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/ --assignee-principal-type ServicePrincipal
-    ```
-
-1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.
-
-    * Replace `APPLICATION-OBJECT-ID` with the **objectId (generated while creating app)** for your Active Directory application.
-    * Set a value for `CREDENTIAL-NAME` to reference later.
-    * Set the `subject`. The value of this is defined by GitHub depending on your workflow:
-      * Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
-      * For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`.  For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.
-      * For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
-
-    ```azurecli-interactive
-    az ad app federated-credential create --id <APPLICATION-OBJECT-ID> --parameters credential.json
-    ("credential.json" contains the following content)
-    {
-        "name": "<CREDENTIAL-NAME>",
-        "issuer": "https://token.actions.githubusercontent.com/",
-        "subject": "repo:organization/repository:ref:refs/heads/main",
-        "description": "Testing",
-        "audiences": [
-            "api://AzureADTokenExchange"
-        ]
-    }
-    ```
-
-To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).
-
----
-
 ### Update for registry authentication
 
-# [Service principal](#tab/userlevel)
-
-Update the Azure service principal credentials to allow push and pull access to your container registry. This step enables the GitHub workflow to use the service principal to [authenticate with your container registry](../container-registry/container-registry-auth-service-principal.md) and to push and pull a Docker image.
+Update the Azure service principal credentials to allow push and pull access to your container registry. This step enables the GitHub workflow to use the service principal to [authenticate with your container registry](../container-registry/container-registry-auth-service-principal.md) and to push and pull a Docker image. 
 
 Get the resource ID of your container registry. Substitute the name of your registry in the following [az acr show][az-acr-show] command:
 
@@ -171,27 +110,8 @@ az role assignment create \
   --role AcrPush
 ```
 
-# [OpenID Connect](#tab/openid)
-
-You need to give your application permission to access the Azure Container Registry and to create an Azure Container Instance.
-
-1. In Azure portal, go to [App registrations](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps).
-1. Search for your OpenID Connect app registration and copy the **Application (client) ID**.
-1. Grant permissions for your app to your resource group. You'll need to set permissions at the resource group level so that you can create Azure Container instances.
-
-    ```azurecli-interactive
-    az role assignment create \
-    --assignee <appID> \
-    --role Contributor \
-     --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>
-    ```
----
-
-
 ### Save credentials to GitHub repo
 
-# [Service principal](#tab/userlevel)
-
 1. In the GitHub UI, navigate to your forked repository and select **Security > Secrets and variables > Actions**.
 
 1. Select **New repository secret** to add the following secrets:
@@ -204,33 +124,13 @@ You need to give your application permission to access the Azure Container Regis
 |`REGISTRY_PASSWORD`     |  The `clientSecret` from the JSON output from the service principal creation |
 | `RESOURCE_GROUP` | The name of the resource group you used to scope the service principal |
 
-# [OpenID Connect](#tab/openid)
-
-You need to provide your application's **Client ID**, **Tenant ID** and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
-
-1. Open your GitHub repository and go to **Settings > Security > Secrets and variables > Actions > New repository secret**.
-
-1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
-
-    |GitHub Secret  | Active Directory Application  |
-    |---------|---------|
-    |AZURE_CLIENT_ID     |      Application (client) ID   |
-    |AZURE_TENANT_ID     |     Directory (tenant) ID    |
-    |AZURE_SUBSCRIPTION_ID     |     Subscription ID    |
-
-1. Save each secret by selecting **Add secret**.
-
----
-
 ### Create workflow file
 
 1. In the GitHub UI, select **Actions**.
 1. Select **set up a workflow yourself**.
 1. In **Edit new file**, paste the following YAML contents to overwrite the sample code. Accept the default filename `main.yml`, or provide a filename you choose.
 1. Select **Start commit**, optionally provide short and extended descriptions of your commit, and select **Commit new file**.
 
-# [Service principal](#tab/userlevel)
-
 ```yml
 on: [push]
 name: Linux_Container_Workflow
@@ -242,16 +142,16 @@ jobs:
         # checkout the repo
         - name: 'Checkout GitHub Action'
           uses: actions/checkout@main
-
+          
         - name: 'Login via Azure CLI'
           uses: azure/login@v1
           with:
             creds: ${{ secrets.AZURE_CREDENTIALS }}
-
+        
         - name: 'Build and push image'
-          uses: docker/login-action@v3
+          uses: azure/docker-login@v1
           with:
-            registry: ${{ secrets.REGISTRY_LOGIN_SERVER }}
+            login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
             username: ${{ secrets.REGISTRY_USERNAME }}
             password: ${{ secrets.REGISTRY_PASSWORD }}
         - run: |
@@ -271,65 +171,15 @@ jobs:
             location: 'west us'
 ```
 
-# [OpenID Connect](#tab/openid)
-
-```yml
-on: [push]
-name: Linux_Container_Workflow_OIDC
-
-permissions:
-  id-token: write
-  contents: read
-
-on:
-  push:
-    branches:
-    - main
-    - release/*
-
-jobs:
-    build-and-deploy:
-        runs-on: ubuntu-latest
-        steps:
-        - name: 'Checkout GitHub Action'
-          uses: actions/checkout@main
-
-        - name: 'Login via Azure CLI'
-          uses: azure/login@v1
-          with:
-           client-id: ${{ secrets.AZURE_CLIENT_ID }}
-           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-        - name: Build and push image
-          id: build-image
-          run: |
-           az acr build --image ${{ secrets.REGISTRY_LOGIN_SERVER }}/sampleapp:${{ github.sha }} --registry ${{ secrets.REGISTRY_LOGIN_SERVER }} --file "Dockerfile" .
-
-        - name: 'Deploy to Azure Container Instances'
-          uses: 'azure/aci-deploy@v1'
-          with:
-           resource-group: ${{ secrets.RESOURCE_GROUP }}
-           dns-name-label: ${{ secrets.RESOURCE_GROUP }}${{ github.run_number }}
-           image: ${{ secrets.REGISTRY_LOGIN_SERVER }}/sampleapp:${{ github.sha }}
-           registry-login-server: ${{ secrets.REGISTRY_LOGIN_SERVER }}
-           registry-username: ${{ secrets.REGISTRY_USERNAME }}
-           registry-password: ${{ secrets.REGISTRY_PASSWORD }}
-           name: aci-sampleapp
-           location: 'west us'
-```
-
----
-
 ### Validate workflow
 
-After you commit the workflow file, the workflow is triggered. To review workflow progress, navigate to **Actions** > **Workflows**.
+After you commit the workflow file, the workflow is triggered. To review workflow progress, navigate to **Actions** > **Workflows**. 
 
 ![View workflow progress](./media/container-instances-github-action/github-action-progress.png)
 
 See [Viewing workflow run history](https://docs.github.com/en/actions/managing-workflow-runs/viewing-workflow-run-history) for information about viewing the status and results of each step in your workflow. If the workflow doesn't complete, see [Viewing logs to diagnose failures](https://docs.github.com/en/actions/managing-workflow-runs/using-workflow-run-logs#viewing-logs-to-diagnose-failures).
 
-When the workflow completes successfully, get information about the container instance named *aci-sampleapp* by running the [az container show][az-container-show] command. Substitute the name of your resource group:
+When the workflow completes successfully, get information about the container instance named *aci-sampleapp* by running the [az container show][az-container-show] command. Substitute the name of your resource group: 
 
 ```azurecli-interactive
 az container show \
@@ -353,7 +203,7 @@ After the instance is provisioned, navigate to the container's FQDN in your brow
 
 ## Use Deploy to Azure extension
 
-Alternatively, use the [Deploy to Azure extension](https://github.com/Azure/deploy-to-azure-cli-extension) in the Azure CLI to configure the workflow. The `az container app up` command in the extension takes input parameters from you to set up a workflow to deploy to Azure Container Instances.
+Alternatively, use the [Deploy to Azure extension](https://github.com/Azure/deploy-to-azure-cli-extension) in the Azure CLI to configure the workflow. The `az container app up` command in the extension takes input parameters from you to set up a workflow to deploy to Azure Container Instances. 
 
 The workflow created by the Azure CLI is similar to the workflow you can [create manually using GitHub](#configure-github-workflow).
 
@@ -394,7 +244,7 @@ az container app up \
   * Service principal credentials for the Azure CLI
   * Credentials to access the Azure container registry
 
-* After the command commits the workflow file to your repo, the workflow is triggered.
+* After the command commits the workflow file to your repo, the workflow is triggered. 
 
 Output is similar to:
 
@@ -412,7 +262,7 @@ To view the workflow status and results of each step in the GitHub UI, see [View
 
 ### Validate workflow
 
-The workflow deploys an Azure container instance with the base name of your GitHub repo, in this case, *acr-build-helloworld-node*. When the workflow completes successfully, get information about the container instance named *acr-build-helloworld-node* by running the [az container show][az-container-show] command. Substitute the name of your resource group:
+The workflow deploys an Azure container instance with the base name of your GitHub repo, in this case, *acr-build-helloworld-node*. When the workflow completes successfully, get information about the container instance named *acr-build-helloworld-node* by running the [az container show][az-container-show] command. Substitute the name of your resource group: 
 
 ```azurecli-interactive
 az container show \
