Merge pull request #11 from stuartleeks/gh-federated-creds-merge-queue

GH federated creds merge queue

Author: stuartleeks

.devcontainer/Dockerfile

@@ -30,8 +30,8 @@ USER $USERNAME
 #     && sudo apt install snapd
 # RUN sudo snap install hugo --channel=extended
 
-RUN sudo wget https://github.com/gohugoio/hugo/releases/download/v0.68.3/hugo_extended_0.68.3_Linux-64bit.deb
-RUN sudo dpkg -i hugo_extended_0.68.3_Linux-64bit.deb
+RUN sudo wget https://github.com/gohugoio/hugo/releases/download/v0.147.2/hugo_extended_0.147.2_Linux-64bit.deb
+RUN sudo dpkg -i hugo_extended_0.147.2_Linux-64bit.deb
 
 # ** [Optional] Uncomment this section to install additional packages. **
 #

.devcontainer/devcontainer.json

@@ -3,38 +3,34 @@
 {
 	"name": "stuartleeks.com",
 	"dockerFile": "Dockerfile",
-
-	// Set *default* container specific settings.json values on container create.
-	"settings": { 
-		"terminal.integrated.shell.linux": "/bin/bash"
-	},
-
 	"mounts": [
-		// Keep command history 
-		"source=stuartleekscom-bashhistory,target=/home/vscode/commandhistory",
 		// Mounts the .config/gh host folder into the dev container to pick up host gh CLI login details
 		// NOTE that mounting directly to ~/.config/gh makes ~/.config only root-writable
-		// Instead monut to another location and symlink in Dockerfile
+		// Instead mount to another location and symlink in Dockerfile
 		"type=bind,source=${env:HOME}${env:USERPROFILE}/.config/gh,target=/config/gh",
 	],
-
-	// Add the IDs of extensions you want installed when the container is created.
-	"extensions": [
-		"bungcip.better-toml"
-	],
-
 	// Use 'forwardPorts' to make a list of ports inside the container available locally.
-	"forwardPorts": [1313],
-
+	"forwardPorts": [
+		1313
+	],
 	// Use 'postCreateCommand' to run commands after the container is created.
 	// "postCreateCommand": "uname -a",
-
 	// Uncomment to use the Docker CLI from inside the container. See https://aka.ms/vscode-remote/samples/docker-in-docker.
 	// "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
-
 	// Uncomment when using a ptrace-based debugger like C++, Go, and Rust
 	// "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
-
 	// Uncomment to connect as a non-root user. See https://aka.ms/vscode-remote/containers/non-root.
-	"remoteUser": "vscode"
+	"remoteUser": "vscode",
+	
+	"customizations": {
+		"vscode": {
+			// Add the IDs of extensions you want installed when the container is created.
+			"extensions": [
+				"bungcip.better-toml"
+			]
+		}
+	},
+	"features": {
+		"ghcr.io/stuartleeks/dev-container-features/shell-history:0": {}
+	}
 }

config/_default/config.toml

@@ -51,13 +51,13 @@ googleAnalytics = "XXX"
 
 
 
-[Author]
-  name = "Stuart Leeks"
-  website = "https://stuartleeks.com"
-  github = "stuartleeks"
-  twitter = "stuartleeks"
-  linkedin = "stuartleeks"
-  stackoverflow = "users/202415/stuart-leeks"
+  [Params.Author]
+    name = "Stuart Leeks"
+    website = "https://stuartleeks.com"
+    github = "stuartleeks"
+    twitter = "stuartleeks"
+    linkedin = "stuartleeks"
+    stackoverflow = "users/202415/stuart-leeks"
 
 
 [[menu.main]]

content/posts/github-federated-credentials-merge-queue/gh-fed-creds-main.png

@@ -0,0 +1,81 @@
+---
+type: post
+title: "GitHub EntraID Federated Credentials With Merge Queue"
+subtitle: ""
+date: 2025-05-08T15:00:23+0100
+lastMod: 2025-05-08T15:00:23+0100
+draft: false
+categories:
+ - technical
+tags:
+ - github
+ - azure-entra-id
+---
+
+## Introduction
+
+I often have GitHub workflows that deploy resources to Azure.
+In the past, I have created a service principal and use the client secret to authenticate to Azure.
+This isn't ideal as if the client secret is leaked then it can be used to access the Azure resources.
+Additionally, the client secret needs to be rotated periodically which can be a pain (yeah, I'm lazy!).
+
+A while back several colleagues pushed me to start using [federated credentials](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure).
+Initially I pushed back as it was another thing to learn and I had other things I needed to get done.
+When I finally got around to it, I found that it was easier than I expected and I'm gradually migrating all of my projects to use federated credentials.
+
+With federated credentials, you can use Azure Entra ID to authenticate to Azure without needing to manage client secrets.
+Instead, your GitHub workflow gets a token from GitHub and then uses that token to get an Azure Entra ID token.
+This flow is shown in the [Entra ID docs](https://learn.microsoft.com/en-gb/entra/workload-id/workload-identity-federation).
+
+
+## Merge Queue - The Challenge
+
+When configuring federated credentials, you need to set up a trust relationship between GitHub and Azure.
+As part of this, you set up the contexts that GitHub will use to authenticate to Azure.
+For example, the screenshot below shows the configuration for the `main` branch of a repository.
+
+![Configuring federated credentials for main branch builds](./gh-fed-creds-main.png)
+
+
+To use these credentials in a GitHub workflow, you can use the [azure/login](https://github.com/azure/login) action.
+This action needs the client ID of the Azure Entra ID application and the tenant ID of the Azure Entra ID tenant, e.g. from repo variables/secrets.
+
+When the action runs it uses the token from GitHub to get a token from Azure Entra ID.
+It is able to do this because of the federated credentials configuration above.
+
+If you are using the same workflow for multiple contexts, for example pushing to `main` and PRs to `main`, then you need to set up the federated credentials for each context.
+This can be useful, for example if you only want to allow access to your Azure resources from the `main` branch and not from PRs. Or if you want to use different Azure Entra ID identities for different contexts and grant different access to each identity.
+
+At the time of writing, the available options for the entity type in Entra ID are `Environment`, `Branch`, `PullRequest`, and `Tag`.
+Note the lack of `MergeQueue` as an option!
+If you trying running a workflow that uses federated credentials as part of a merge queue run you will get an error similar to the one below.
+
+```
+Error: AADSTS7002131: No matching federated identity record found for presented assertion subject 'repo:testing-turtle/transient-terrapin:ref:refs/heads/gh-readonly-queue/main/pr-13-7b1f002b00ec25a5facc43e470ef7dfe6d32f300' or no federated identity credential expression matched. Please check your federated identity credential Subject, Expression, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation
+```
+
+
+## Merge Queue - The workaround
+
+While the configuration UI in Entra ID gives a guided flow for GitHub, it doesn't currently support merge queues.
+Fortunately, it gives us an escape hatch - we can pick the "Other issuer" option from the scenario dropdown and get more control over the configuration.
+
+When using the GitHub token to get the Entra ID token, the token has a subject claim that varies depending on the context.
+The error message above shows us the subject claim that is being presented to Entra ID.
+From this we can see that the subject claim is in the format `repo:{owner}/{repo}:ref:refs/heads/{branch}/pr-{number}-{id}`.
+
+Since the subject claim varies based on the PR number and some other ID value that changes, we can't use standard claim matching.
+Instead, we need to use the preview of claim expressions to match the subject claim.
+
+To enable merge queue runs with federated credentials, we can set the issuer to `https://token.actions.githubusercontent.com` and the claim expression to `claims['sub'] matches 'repo:<{owner}>/{repo}:ref:refs/heads/gh-readonly-queue/{branch}/pr*'` (note that the values for `{owner}`, `{repo}`, and `{branch}` need to be replaced with the actual values for your repository).
+This is shown in the screenshot below.
+
+![Configuring federated credentials with a claim expression to enable merge queue](./gh-fed-creds-merge-queue.png)
+
+
+## Summary
+
+Federated credentials seem like a great way to authenticate to Azure from GitHub workflows.
+They are better for locking down the access to Azure resources and avoid the need to manage client secrets.
+
+Currently, the configuration experience for federated credentials with GitHub merge queues needs a workaround, but hopefully this will be improved in the future.

content/posts/github-federated-credentials-merge-queue/gh-fed-creds-merge-queue.png

@@ -80,34 +80,6 @@ <h4 class="see-also">{{ i18n "seeAlso" }}</h4>
         </ul>
       {{ end }}
 
-
-      {{ if (.Params.comments) | or (and (or (not (isset .Params "comments")) (eq .Params.comments nil)) (and .Site.Params.comments (ne .Type "page"))) }}
-        {{ if .Site.DisqusShortname }}
-          {{ if .Site.Params.delayDisqus }}
-          <div class="disqus-comments">                  
-            <button id="show-comments" class="btn btn-default" type="button">{{ i18n "show" }} <span class="disqus-comment-count" data-disqus-url="{{ trim .Permalink "/" }}">{{ i18n "comments" }}</span></button>
-            <div id="disqus_thread"></div>
-
-            <script type="text/javascript">
-              var disqus_config = function () {
-              this.page.url = '{{ trim .Permalink "/" }}';
-            };
-
-          </script>
-          </div>
-          {{ else }}
-          <div class="disqus-comments">
-            {{ template "_internal/disqus.html" . }}
-          </div>
-          {{ end }}
-        {{ end }}
-        {{ if .Site.Params.staticman }}
-          <div class="staticman-comments">
-            {{ partial "staticman-comments.html" . }}
-          </div>
-        {{ end }}
-      {{ end }}
-
     </div>
   </div>
 </div>

content/posts/github-federated-credentials-merge-queue/index.md

@@ -7,9 +7,9 @@
       <div class="col-lg-8 col-lg-offset-2 col-md-10 col-md-offset-1">
         <ul class="list-inline text-center footer-links">
           {{ range .Site.Data.beautifulhugo.social.social_icons }}
-            {{- if isset $.Site.Author .id }}
+            {{- if isset $.Site.Params.Author .id }}
               <li>
-                <a href="{{ printf .url (index $.Site.Author .id) }}" title="{{ .title }}">
+                <a href="{{ printf .url (index $.Site.Params.Author .id) }}" title="{{ .title }}">
                   <span class="fa-stack fa-lg">
                     <i class="fas fa-circle fa-stack-2x"></i>
                     <i class="{{ .icon }} fa-stack-1x fa-inverse"></i>
@@ -31,18 +31,18 @@
         </ul>
         <p class="credits copyright text-muted">
           &copy;
-          {{ if .Site.Author.name }}
-            {{ if .Site.Author.website }}
-              <a href="{{ .Site.Author.website }}">{{ .Site.Author.name }}</a>
+          {{ if .Site.Params.Author.name }}
+            {{ if .Site.Params.Author.website }}
+              <a href="{{ .Site.Params.Author.website }}">{{ .Site.Params.Author.name }}</a>
             {{ else }}
-              {{ .Site.Author.name }}
+              {{ .Site.Params.Author.name }}
             {{ end }}
           {{ end }}
 
           {{ if .Site.Params.since }}
-            {{ .Site.Params.since }} - {{ .Site.LastChange.Format "2006" }}
+            {{ .Site.Params.since }} - {{ .Site.Lastmod.Format "2006" }}
           {{ else }}
-            {{ .Site.LastChange.Format "2006" }}
+            {{ .Site.Lastmod.Format "2006" }}
           {{ end }}
         </p>
         <!-- Please don't remove this, keep my open source work credited :) -->

themes/stuartleeks1/layouts/_default/single.html

@@ -40,7 +40,7 @@
 {{- with ($.Scratch.Get "Description") }}
   <meta name="description" content="{{ . }}">
 {{- end }}
-{{- with .Site.Author.name }}
+{{- with .Site.Params.Author.name }}
   <meta name="author" content="{{ . }}"/>
 {{- end }}
 {{- partial "seo/main.html" . }}