azure, azure-bicep, azure-policy

What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?


I've set up Workload identity federation. Basically like this:

extension microsoftGraphV1 // Microsoft Graph Bicep extension; must also be enabled in bicepconfig.json

// Subject claim the credential trusts, in GitHub's 'repo:<owner>/<repo>:<qualifier>' form,
// e.g. 'repo:<organizationX>/<RepoA>:ref:refs/heads/main'
param GitHubActionsFederatedIdentitySubject string

var applicationRegistrationDisplayName = 'GitHub Actions Application Deployer.'
var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
var microsoftEntraAudience = 'api://AzureADTokenExchange'
var applicationRegistrationName = 'app-deployer'

resource GithubActionsApplication 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationDisplayName

  // Federated identity credential: trust GitHub's OIDC issuer for the given subject only
  resource githubFederatedIdentityCredential 'federatedIdentityCredentials@v1.0' = {
    name: '${GithubActionsApplication.uniqueName}/githubFederatedIdentityCredential'
    audiences: [microsoftEntraAudience]
    description: 'Identity for application to deploy the root infrastructure.'
    issuer: githubOIDCProvider
    subject: GitHubActionsFederatedIdentitySubject
  }
}

resource githubActionsServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' = {
  displayName: applicationRegistrationDisplayName
  appId: GithubActionsApplication.appId
}

Then I added the Managed Identity Federated Credentials from GitHub should be from trusted repository owners Azure built-in policy definition, since I was thinking I should restrict allowed repositories across any possible federated identity trying to connect.

I'm however unsure now what should be put into the allowedRepoOwners array. So, here are the questions on my mind:

  1. If I have an organization like https://github.com/<organizationX>, should I add https://github.com/<organizationX> there, or maybe just organizationX?
  2. Would this one addition at, e.g., management group level be enough to limit all repositories underneath this owner, e.g. repositories in https://github.com/<organizationX>/<RepoA> and https://github.com/<organizationX>/<RepoB>?

It has occurred to me to just try it out, but I'm also thinking about how to read definitions like this to pull out this kind of information. Also, maybe there is a chance to improve the documentation a bit, but I don't know where to do that.


Solution

  • What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?

    The allowedRepoOwners array in the Managed Identity Federated Credentials policy contains the GitHub usernames or organizations that are trusted to federate credentials.

    In order to limit federation to repositories owned by the organization, you can add organizationX to the allowedRepoOwners array.

    Here is the example: github.com/organizationX

    To limit all repositories underneath that owner, you can add the organization to the allowedRepoOwners array; that is enough to limit all repositories.

    This will apply to all repositories owned by organizationX and access control.
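As an added illustration (not part of the question or the answer above), the following Python simulates how an owner allow list is applied to GitHub OIDC subject claims, which always have the form repo:<owner>/<repo>:<qualifier>; the verdict logic is my model of such a check, not the built-in policy's JSON, and the credential records and the case-insensitive comparison are assumptions. Note also that this built-in policy evaluates Microsoft.ManagedIdentity user-assigned identity federated credentials, whereas the Bicep in the question creates a Microsoft.Graph application credential, which Azure Policy does not evaluate.

```python
import re
from dataclasses import dataclass

# Issuer the built-in policy is concerned with (value taken from the question above).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# GitHub Actions OIDC subject claims have the shape "repo:<owner>/<repo>:<qualifier>", e.g.
#   repo:organizationX/RepoA:ref:refs/heads/main
#   repo:organizationX/RepoB:environment:production
# The owner allow list is compared against <owner> only, so one entry covers every repo.
SUBJECT_RE = re.compile(r"^repo:(?P<owner>[^/:]+)/(?P<repo>[^:]+)(?::|$)")

@dataclass(frozen=True)
class FederatedCredential:
    name: str
    issuer: str
    subject: str

def repo_owner(subject: str):
    """Return the GitHub owner embedded in a subject claim, or None if it is not a repo subject."""
    m = SUBJECT_RE.match(subject)
    return m.group("owner") if m else None

def evaluate(cred: FederatedCredential, allowed_repo_owners) -> str:
    """Simulated verdict for one credential: NotApplicable, Compliant or NonCompliant."""
    if cred.issuer != GITHUB_ISSUER:
        return "NotApplicable"  # the rule only judges GitHub-issued credentials
    owner = repo_owner(cred.subject)
    if owner is None:
        return "NonCompliant"  # unparsable subject: fail closed
    # Assumption: owner names compare case-insensitively, as Azure Policy string conditions do.
    allowed = {o.casefold() for o in allowed_repo_owners}
    return "Compliant" if owner.casefold() in allowed else "NonCompliant"

def evaluate_all(creds, allowed_repo_owners) -> dict:
    return {c.name: evaluate(c, allowed_repo_owners) for c in creds}

# Constructed sample credentials mirroring the question's placeholders (not real identities).
SAMPLE_CREDENTIALS = [
    FederatedCredential("repoA-main", GITHUB_ISSUER, "repo:organizationX/RepoA:ref:refs/heads/main"),
    FederatedCredential("repoB-prod", GITHUB_ISSUER, "repo:organizationX/RepoB:environment:production"),
    FederatedCredential("fork", GITHUB_ISSUER, "repo:someone-else/RepoA:ref:refs/heads/main"),
    FederatedCredential("other-idp", "https://idp.example.test/oidc", "system:serviceaccount:ns:sa"),
]

if __name__ == "__main__":
    # A bare owner name matches both organizationX repos; a URL-shaped entry matches no subject.
    print(evaluate_all(SAMPLE_CREDENTIALS, ["organizationX"]))
    print(evaluate_all(SAMPLE_CREDENTIALS, ["https://github.com/organizationX"]))
```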