Introduction

This post is to share a quick and secure way of connecting Github to your Azure Tenancy. Once connected, Github Actions workflows can deploy onto Azure in a seamless and secure manner. There are quite a few ways to connect and they are well documented. However I wanted to share a script that can be used to create a Service Principal on Azure Entra ID and then go onto build a federated credential.

Building the Service Principal

Azure Login

  • Let’s quickly build a service principal on Entra ID. First and foremost, from your terminal of choice, let’s connect to your Azure tenant. For the sake of simplicity, I am going to take the approach of device login - since it would prompt for you to copy the code and login via browser ( This method can be used on a variety of OS’s / Devices)

    az login -use-device-login

    Screenshot - 1

  • Copy the code that is displayed on the terminal and open a browser to browse to microsoft.com/devicelogin. To make the login seamless, you could open https://portal.azure.com on another tab and have it ready.

  • Type the code in the prompt and it should start the authentication process. Screenshot - 2

  • This should complete the login process back in the terminal as well. Screenshot - 4

Create Service Principal on Azure

  • You can execute this part as single script from your terminal, once edited with your custom variables

    # Script to deploy Entra ID Service Principal
$NAME_OF_APP = "NAME_OF_THE_SP" # Provide a custom name for SP
app=$(az ad app create --display-name $NAME_OF_APP -o json)
appId=$(echo $app | jq -r '.appId')
objectId=$(echo $app | jq -r '.id')

sp=$(az ad sp create --id $appId -o json)
assigneeObjectId=$(echo $sp | jq -r '.id')

# Creating the Federated Credentials 
credentialName=github-deploy # Give a Unique Name for the Credential
subject=repo:GITHUB_REPO_NAME/NAME_GITHUB_ORGANIZATION.github.io:environment:NAME_OF_GITHUB_BRANCH
az rest --method POST --uri "https://graph.microsoft.com/beta/applications/$objectId/federatedIdentityCredentials" --body "{\"name\":\"$credentialName\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:organization/repository:environment:main\",\"description\":\"Deploy from GitHub Actions\",\"audiences\":[\"api://AzureADTokenExchange\"]}"

  • Let’s breakdown what is happening with this script:

    • First we create a service principal on Entra ID
    • Then within that SP, we are creating a Federated Credential with details of your gitub repository, github organization and name of the branch that is allowed to execute. - Screenshot 5
    • You can also edit some of the variables in here as well. - Screenshot 6

  • Copy the Client ID , Tenant ID from the overview page for your Service Principal. You could also get the Subscription ID at this point for the next steps. - Screenshot 7

Note

Ensure that you use your Service Principal to have the right permissions and access at a Management Group / Subscription / Resource Group or Resource Level !

Connecting with Github

  • Browse to your github repository Secrets and Variables sections to add some secrets as shown below. This is available at https://github.com/ORG_NAME/REPO_NAME/settings/secrets/actions - Screenshot 8

  • Enter the secrets for AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID,AZURE_TENANT_ID ( you can use any variable name as long as the secrets are copied properly)

  • Let’s tweak your github actions workflow. Below is a sample code, that logs onto azure using the Repository Secrets from the last step and displays Resource Groups that are hosted within this subscription

    name: azure_github_deployment_pipeline
on: [push]

permissions:
      id-token: write
      contents: read

jobs: 
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - name: 'Az CLI login'
      uses: azure/login@v1
      with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    - name: 'Run Azure CLI commands'
      run: |
          az account show
          az group list
          pwd

    - Screenshot 9

Next Steps:

  • That’s pretty much it. This can also be achieved by creating a secret token for the SP. However this would mean expiring tokens.
  • The Github Workflow can be used to do a lot more within your Azure tenant. For example, if you want the deployment across multiple Subscriptions, you can get more Subscription ID’s within your repository secrets and execute against them.