Merge pull request #132 from ks6088ts-labs/feature/issue-131_setup-oidc

setup OIDC

Author: ks6088ts

.github/workflows/infra.yaml

@@ -4,10 +4,16 @@ on:
   push:
     paths:
       - infra/**
+    branches:
+      - main
   schedule:
     - cron: "00 00 * * 3"
   workflow_dispatch:
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   infra:
     strategy:
@@ -18,7 +24,9 @@ jobs:
       - name: Log into Azure
         uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
       - name: Checkout code
         uses: actions/checkout@v4
         with:

README.md

@@ -83,3 +83,20 @@ To publish the docker image to Docker Hub via GitHub Actions, you need to set th
 gh secret set DOCKERHUB_USERNAME --body $DOCKERHUB_USERNAME
 gh secret set DOCKERHUB_TOKEN --body $DOCKERHUB_TOKEN
 ```
+
+### Continuous Integration
+
+To configure OIDC authentication, run the following command.
+
+```shell
+# Configure OIDC authentication
+sh scripts/configure-oidc-github.sh
+
+# Register parameters to GitHub Secrets
+AZURE_SUBSCRIPTION_ID=$(az account show --query 'id' --output tsv)
+
+gh secret set AZURE_CLIENT_ID --body $AZURE_CLIENT_ID
+gh secret set AZURE_TENANT_ID --body $AZURE_TENANT_ID
+gh secret set AZURE_SUBSCRIPTION_ID --body $AZURE_SUBSCRIPTION_ID
+gh secret set AZURE_RG --body $AZURE_RG
+```

docs/README.md

@@ -11,6 +11,10 @@
 - [Get started with LangSmith](https://docs.smith.langchain.com/)
 - [Add message history (memory) > In-memory](https://python.langchain.com/v0.1/docs/expression_language/how_to/message_history/#in-memory)
 
+### GitHub
+
+- [Use GitHub Actions to connect to Azure](https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)
+
 ### Tools
 
 - [Tool calling agent](https://python.langchain.com/v0.1/docs/modules/agents/agent_types/tool_calling/)

infra/main.parameters.bicepparam

@@ -14,7 +14,7 @@ param openAiDeployments = [
   {
     name: 'whisper'
     version: '001'
-    capacity: 3
+    capacity: 1
   }
 ]
 

scripts/configure-oidc-github.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# get the directory of the script
+SCRIPT_DIR=$(cd "$(dirname "$0")" || exit; pwd)
+
+# get the name of the current directory
+appName=test-$(basename "$(pwd)")
+
+# Azure sign in
+az login
+
+# Get the current Azure subscription ID
+subscriptionId=$(az account show --query 'id' --output tsv)
+
+# Create a new Azure Active Directory application
+appId=$(az ad app create --display-name "$appName" --query appId --output tsv)
+
+# Create a new service principal for the application
+assigneeObjectId=$(az ad sp create --id "$appId" --query id --output tsv)
+
+# Assign the 'Contributor' role to the service principal for the subscription
+az role assignment create --role contributor \
+    --subscription "$subscriptionId" \
+    --assignee-object-id "$assigneeObjectId" \
+    --assignee-principal-type ServicePrincipal \
+    --scope /subscriptions/"$subscriptionId"/resourceGroups/"$appName"
+
+# Assign the 'Contributor' role to the service principal for the subscription
+az ad app federated-credential create \
+    --id "$appId" \
+    --parameters "$SCRIPT_DIR"/credential.json

scripts/credential.json

@@ -0,0 +1,7 @@
+{
+  "name": "azure-ai-services-solutions",
+  "issuer": "https://token.actions.githubusercontent.com",
+  "subject": "repo:ks6088ts-labs/azure-ai-services-solutions:ref:refs/heads/main",
+  "description": "Testing",
+  "audiences": ["api://AzureADTokenExchange"]
+}