---
title: Configuring OpenID Connect in Azure
shortTitle: OpenID Connect in Azure
intro: Use OpenID Connect within your workflows to authenticate with Azure.
type: tutorial
---
{% data reusables.actions.enterprise-github-hosted-runners %}
OpenID Connect (OIDC) allows your {% data variables.product.prodname_actions %} workflows to access resources in Azure, without needing to store the Azure credentials as long-lived {% data variables.product.prodname_dotcom %} secrets.
This guide gives an overview of how to configure Azure to trust {% data variables.product.prodname_dotcom %}'s OIDC as a federated identity, and includes a workflow example for the `azure/login` action that uses tokens to authenticate to Azure and access resources.
{% data reusables.actions.oidc-link-to-intro %}
{% data reusables.actions.oidc-security-notice %}
{% data reusables.actions.oidc-on-ghecom %}
{% ifversion ghes %}
{% data reusables.actions.oidc-endpoints %}

> [!NOTE]
> Microsoft Entra ID (previously known as Azure AD) does not have fixed IP ranges defined for these endpoints.

- Make sure that the value of the issuer claim that's included with the JSON Web Token (JWT) is set to a publicly routable URL. For more information, see AUTOTITLE.
{% endif %}
{% data variables.product.prodname_dotcom %}'s OIDC provider works with Azure's workload identity federation. For an overview, see Microsoft's documentation at Workload identity federation.
To configure the OIDC identity provider in Azure, you will need to perform the following configuration. For instructions on making these changes, refer to the Azure documentation.
{% ifversion fpt or ghec %}In the following procedure, you will create an application for Microsoft Entra ID (previously known as Azure AD).{% endif %}
- Create an Entra ID application and a service principal.
- Add federated credentials for the Entra ID application.
- Create {% data variables.product.prodname_dotcom %} secrets for storing Azure configuration.
Additional guidance for configuring the identity provider:
- For security hardening, make sure you've reviewed AUTOTITLE. For an example, see AUTOTITLE.
- For the `audience` setting, `api://AzureADTokenExchange` is the recommended value, but you can also specify other values here.
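The three configuration steps above come together in the federated credential, which tells Entra ID which tokens from {% data variables.product.prodname_dotcom %}'s OIDC provider may act as the application. The following added example (not Azure's or {% data variables.product.prodname_dotcom %}'s code) models that trust decision: it builds the issuer/subject/audiences record a federated credential consists of and evaluates constructed token claim sets against it, so you can see why the subject you pin down is the hardening control and why the audience must match the value you chose. The application name, repository, branch names and claim sets are constructed; the `az ad app federated-credential create` command mentioned in the comment is assumed from the Azure CLI rather than taken from this page.

```python
"""Added example (not GitHub's or Azure's code): a model of how an Entra ID
federated credential is matched against the claims of a GitHub Actions OIDC
token. All subjects, names and claim sets below are constructed."""
from dataclasses import dataclass, field
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
RECOMMENDED_AUDIENCE = "api://AzureADTokenExchange"


@dataclass
class FederatedCredential:
    """The fields Entra ID compares against the incoming JWT."""
    name: str
    issuer: str
    subject: str
    audiences: list = field(default_factory=lambda: [RECOMMENDED_AUDIENCE])

    def to_parameters(self) -> str:
        """JSON in the issuer/subject/audiences shape the federated-credential
        API accepts, e.g. as the --parameters argument of
        `az ad app federated-credential create` (command assumed from the
        Azure CLI, not from this page)."""
        return json.dumps({"name": self.name, "issuer": self.issuer,
                           "subject": self.subject, "audiences": self.audiences}, indent=2)


def evaluate(cred: FederatedCredential, claims: dict) -> tuple:
    """Return (accepted, reason). Issuer and subject are compared as exact
    strings and the token's aud (string or list) must contain one of the
    configured audiences. Because there are no wildcards, the subject you
    configure is the control that decides which repo, branch, environment
    or event may assume the identity."""
    if claims.get("iss") != cred.issuer:
        return False, f"issuer mismatch: {claims.get('iss')!r}"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not any(a in cred.audiences for a in aud_list):
        return False, f"audience {aud!r} not in {cred.audiences}"
    if claims.get("sub") != cred.subject:
        return False, f"subject mismatch: {claims.get('sub')!r}"
    return True, "accepted"


def demo() -> dict:
    """Evaluate a credential pinned to one repository's main branch against
    constructed tokens; returns {case: accepted}."""
    main_sub = "repo:example-org/example-repo:ref:refs/heads/main"
    cred = FederatedCredential(name="github-main-deploy", issuer=GITHUB_ISSUER, subject=main_sub)
    base = {"iss": GITHUB_ISSUER, "aud": RECOMMENDED_AUDIENCE}
    cases = {
        "main_branch": {**base, "sub": main_sub},
        "feature_branch": {**base, "sub": "repo:example-org/example-repo:ref:refs/heads/feature"},
        "pull_request": {**base, "sub": "repo:example-org/example-repo:pull_request"},
        "other_repo": {**base, "sub": "repo:other-org/other-repo:ref:refs/heads/main"},
        "aud_as_list": {**base, "aud": [RECOMMENDED_AUDIENCE], "sub": main_sub},
        "wrong_audience": {**base, "aud": "api://other-audience", "sub": main_sub},
        "wrong_issuer": {**base, "iss": "https://issuer.example", "sub": main_sub},
    }
    return {name: evaluate(cred, c)[0] for name, c in cases.items()}


if __name__ == "__main__":
    print(FederatedCredential("github-main-deploy", GITHUB_ISSUER,
                              "repo:example-org/example-repo:ref:refs/heads/main").to_parameters())
    for name, ok in demo().items():
        print(f"{name:15} {'accepted' if ok else 'rejected'}")
```

Only the `main_branch` and `aud_as_list` cases are accepted: a feature branch, a pull request event or another repository in the same organization each produce a different `sub` and are rejected, as is a token minted for a different audience. This is why the subject filter you configure should be as narrow as the deployment actually needs, and why the audience in the credential must match the one your workflow requests.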
To update your workflows for OIDC, you will need to make two changes to your YAML:
- Add permissions settings for the token.
- Use the `azure/login` action to exchange the OIDC token (JWT) for a cloud access token.
{% data reusables.actions.oidc-deployment-protection-rules %}
{% data reusables.actions.oidc-permissions-token %}
The `azure/login` action receives a JWT from the {% data variables.product.prodname_dotcom %} OIDC provider, and then requests an access token from Azure. For more information, see the `azure/login` documentation.
The following example exchanges an OIDC ID token with Azure to receive an access token, which can then be used to access cloud resources.
{% raw %}

```yaml
name: Run Azure Login with OIDC
on: [push]

permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Az CLI login'
        uses: azure/login@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: 'Run az commands'
        run: |
          az account show
          az group list
```

{% endraw %}
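The two changes described above (the `id-token: write` permission and the `azure/login` step) map onto two HTTP calls. The following added example is not the action's code; it is a standalone model of that exchange with an injectable transport so it runs offline. The real pieces it relies on are the `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` variables the runner exposes only to jobs that have `id-token: write`, and the Entra ID token endpoint's `client_assertion` grant (RFC 7523). The tenant and client IDs, the `github.example` URL, the request token and the returned tokens are constructed placeholders.

```python
"""Added example (not the azure/login action's code): the two HTTP calls
behind the exchange the action performs, with an injectable transport so it
runs offline. Real pieces: the ACTIONS_ID_TOKEN_REQUEST_URL and
ACTIONS_ID_TOKEN_REQUEST_TOKEN variables GitHub exposes to jobs that have
`id-token: write`, and the Entra ID token endpoint's client_assertion
(RFC 7523) grant. Tenant, client ID, tokens and the GitHub URL are
constructed placeholders."""
import base64
import json
from urllib.parse import parse_qs, urlencode

AUDIENCE = "api://AzureADTokenExchange"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
TENANT_ID = "00000000-0000-0000-0000-000000000000"      # constructed
CLIENT_ID = "11111111-1111-1111-1111-111111111111"      # constructed
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def request_github_id_token(transport, env, audience=AUDIENCE) -> str:
    """Step 1: ask GitHub's OIDC provider for a JWT whose aud is `audience`.
    The two request variables only exist when the job has id-token: write."""
    url, bearer = env.get("ACTIONS_ID_TOKEN_REQUEST_URL"), env.get("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
    if not url or not bearer:
        raise PermissionError("OIDC request variables missing: set permissions: id-token: write")
    status, body = transport("GET", f"{url}&audience={audience}",
                             {"Authorization": f"bearer {bearer}"}, None)
    if status != 200:
        raise RuntimeError(f"GitHub OIDC provider returned {status}")
    return json.loads(body)["value"]


def exchange_for_azure_token(transport, tenant_id, client_id, id_token,
                             scope="https://management.azure.com/.default") -> str:
    """Step 2: present the GitHub JWT to Entra ID as a client assertion and
    receive an access token for the requested scope."""
    form = {"client_id": client_id, "grant_type": "client_credentials", "scope": scope,
            "client_assertion_type": CLIENT_ASSERTION_TYPE, "client_assertion": id_token}
    status, body = transport("POST", TOKEN_ENDPOINT.format(tenant=tenant_id),
                             {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form))
    if status != 200:
        raise RuntimeError(f"Entra ID token endpoint returned {status}: {body}")
    return json.loads(body)["access_token"]


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def fake_transport(method, url, headers, data):
    """Constructed stand-in for both servers. It applies only the checks that
    matter for this walkthrough; the real servers also verify the JWT
    signature and the federated credential's issuer and subject."""
    if method == "GET" and url.startswith("https://github.example/oidc?"):
        if headers.get("Authorization") != "bearer constructed-request-token":
            return 401, "{}"
        aud = url.rsplit("audience=", 1)[1]
        payload = {"iss": GITHUB_ISSUER, "aud": aud,
                   "sub": "repo:example-org/example-repo:ref:refs/heads/main"}
        jwt = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(payload), "constructed-sig"])
        return 200, json.dumps({"value": jwt})
    if method == "POST" and url == TOKEN_ENDPOINT.format(tenant=TENANT_ID):
        form = parse_qs(data)
        if form.get("client_assertion_type") != [CLIENT_ASSERTION_TYPE]:
            return 400, json.dumps({"error": "invalid_request"})
        payload = json.loads(_b64url_decode(form["client_assertion"][0].split(".")[1]))
        if payload.get("aud") != AUDIENCE:   # must appear in the federated credential's audiences
            return 401, json.dumps({"error": "invalid_client", "error_description": "audience mismatch"})
        return 200, json.dumps({"access_token": "constructed-access-token", "token_type": "Bearer"})
    return 404, ""


def login(transport=fake_transport, env=None, audience=AUDIENCE) -> str:
    """End to end: GitHub JWT in, Azure access token out, as azure/login does."""
    if env is None:   # constructed stand-ins for the variables the runner injects
        env = {"ACTIONS_ID_TOKEN_REQUEST_URL": "https://github.example/oidc?api-version=2.0",
               "ACTIONS_ID_TOKEN_REQUEST_TOKEN": "constructed-request-token"}
    id_token = request_github_id_token(transport, env, audience)
    return exchange_for_azure_token(transport, TENANT_ID, CLIENT_ID, id_token)


if __name__ == "__main__":
    print("access token:", login())
```

Two failure modes worth noticing: when the job lacks `id-token: write`, the request variables are simply absent and step 1 cannot even start, which is the error you see from `azure/login` in a misconfigured workflow; and when the workflow requests a different audience than the one on the federated credential, step 1 succeeds but Entra ID rejects the assertion in step 2, so the audience you pick in Azure and the one your workflow requests have to agree.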
{% data reusables.actions.oidc-further-reading %}