You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Your GitHub Actions run under an identity. Use the [az ad sp create-for-rbac](/cli/azure/ad/sp#az-ad-sp-create-for-rbac) command to create a [service principal](../../active-directory/develop/app-objects-and-service-principals.md#service-principal-object) for the identity. Grant the service principal the contributor role for the resource group created in the previous session so that the GitHub action with the identity can create resources in this resource group. It's recommended that you grant minimum required access.
44
-
45
-
```azurecli-interactive
46
-
az ad sp create-for-rbac --name {app-name} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/exampleRG --json-auth
47
-
```
48
-
49
-
Replace the placeholder `{app-name}` with the name of your application. Replace `{subscription-id}` with your subscription ID.
50
-
51
-
The output is a JSON object with the role assignment credentials that provide access to your App Service app similar to the following output.
52
-
53
-
```output
54
-
{
55
-
"clientId": "<GUID>",
56
-
"clientSecret": "<GUID>",
57
-
"subscriptionId": "<GUID>",
58
-
"tenantId": "<GUID>",
59
-
...
60
-
}
61
-
```
62
-
63
-
Copy this JSON object for later. You'll only need the sections with the `clientId`, `clientSecret`, `subscriptionId`, and `tenantId` values. Make sure you don't have an extra comma at the end of the last line, for example, the `tenantId` line in the preceding example, or else it results in an invalid JSON file. You get an error during the deployment saying "Login failed with Error: Content isn't a valid JSON object. Double check if the 'auth-type' is correct."
64
-
65
-
# [Open ID Connect](#tab/openid)
66
-
67
-
Open ID Connect is an authentication method that uses short-lived tokens. Setting up [OpenID Connect with GitHub Actions](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) is more complex process that offers hardened security.
68
-
69
-
1. If you don't have an existing application, register a [new Active Directory application and service principal that can access resources](../../active-directory/develop/howto-create-service-principal-portal.md). Create the Active Directory application.
70
-
71
-
```azurecli-interactive
72
-
az ad app create --display-name myApp
73
-
```
74
-
75
-
This command outputs JSON with an `appId` that is your `client-id`. Save the value to use as the `AZURE_CLIENT_ID` GitHub secret later.
76
-
77
-
You use the `objectId` value when creating federated credentials with Graph API and reference it as the `APPLICATION-OBJECT-ID`.
78
-
79
-
1. Create a service principal. Replace the `$appID` with the appId from your JSON output.
80
-
81
-
This command generates JSON output with a different `Id` and will be used in the next step. The new `Id` is the `assignee-object-id`.
82
-
83
-
Copy the `appOwnerTenantId` to use as a GitHub secret for `AZURE_TENANT_ID` later.
84
-
85
-
```azurecli-interactive
86
-
az ad sp create --id $appId
87
-
```
88
-
89
-
1. Create a new role assignment by subscription and object. By default, the role assignment is tied to your default subscription. Replace `$subscriptionId` with your subscription ID, `$resourceGroupName` with your resource group name, and `$assigneeObjectId` with the generated `assignee-object-id`. Learn [how to manage Azure subscriptions with the Azure CLI](/cli/azure/manage-azure-subscriptions-azure-cli).
90
-
91
-
```azurecli-interactive
92
-
az role assignment create --role contributor --subscription $subscriptionId --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal --scope /subscriptions/$subscriptionId/resourceGroups/$resourceGroupName
93
-
```
94
-
95
-
1. Run the following command to [create a new federated identity credential](/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) for your active directory application.
* Replace `APPLICATION-OBJECT-ID` with the **objectId (of the app registration)** for your Active Directory application.
98
-
* Set a value for `CREDENTIAL-NAME` to reference later.
99
-
* Set the `subject`. The value of this is defined by GitHub depending on your workflow:
100
-
* Jobs in your GitHub Actions environment: `repo:< Organization/Repository >:environment:< Name >`
101
-
* For Jobs not tied to an environment, include the ref path for branch/tag based on the ref path used for triggering the workflow: `repo:< Organization/Repository >:ref:< ref path>`. For example, `repo:n-username/ node_express:ref:refs/heads/my-branch` or `repo:n-username/ node_express:ref:refs/tags/my-tag`.
102
-
* For workflows triggered by a pull request event: `repo:< Organization/Repository >:pull_request`.
103
42
104
-
```azurecli
105
-
az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:organization/repository:ref:refs/heads/main","description":"Testing","audiences":["api://AzureADTokenExchange"]}'
106
-
```
107
-
108
-
To learn how to create a Create an active directory application, service principal, and federated credentials in Azure portal, see [Connect GitHub and Azure](/azure/developer/github/connect-from-azure#use-the-azure-login-action-with-openid-connect).
109
-
110
-
---
111
43
## Configure the GitHub secrets
112
44
113
-
# [Service principal](#tab/userlevel)
114
-
115
-
Create secrets for your Azure credentials, resource group, and subscriptions. You use these secrets in the [Create workflow](#create-workflow) section.
116
-
117
-
1. In [GitHub](https://github.com/), navigate to your repository.
118
-
119
-
1. Select **Settings > Secrets and variables > Actions > New repository secret**.
120
-
121
-
1. Paste the entire JSON output from the Azure CLI command into the secret's value field. Name the secret `AZURE_CREDENTIALS`.
122
-
123
-
1. Create another secret named `AZURE_RG`. Add the name of your resource group to the secret's value field (`exampleRG`).
124
-
125
-
1. Create another secret named `AZURE_SUBSCRIPTION`. Add your subscription ID to the secret's value field (example: `aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e`).
126
-
127
-
# [Open ID Connect](#tab/openid)
128
-
129
-
You need to provide your application's **Client ID**, **Tenant ID**, and **Subscription ID** to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
130
-
131
-
1. Open your GitHub repository and go to **Settings**.
1. Create secrets for `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`. Use these values from your Active Directory application for your GitHub secrets:
136
-
137
-
|GitHub Secret | Active Directory Application |
138
-
|---------|---------|
139
-
|AZURE_CLIENT_ID | Application (client) ID |
140
-
|AZURE_TENANT_ID | Directory (tenant) ID |
141
-
|AZURE_SUBSCRIPTION_ID | Subscription ID |
142
-
143
-
1. Save each secret by selecting **Add secret**.
144
-
145
-
---
146
47
147
48
## Add a Bicep file
148
49
@@ -200,25 +101,31 @@ To create a workflow, take the following steps:
200
101
1. Rename the workflow file if you prefer a different name other than **main.yml**. For example: **deployBicepFile.yml**.
201
102
1. Replace the content of the yml file with the following code:
0 commit comments