amazon-web-servicesazureazure-entra-id

Can I Assume a Role After OIDC Authentication in Azure?


I'm currently working on an Azure project where I'm implementing OIDC (OpenID Connect) authentication using Azure Active Directory (Azure AD). My goal is to understand how to manage roles and permissions after a user or application successfully authenticates with GitHub Workflow.

Current Azure CLI Login

name: Run Azure Login with OIDC
on:
  push:
    tags:
      - 'UAT*'  # This will trigger on any tag that starts with "UAT"

permissions:
  id-token: write
  contents: read
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Az CLI login'
        uses: Azure/login@v2.2.0
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true # Add this if you want to proceed even without subscriptions
          auth-type: SERVICE_PRINCIPAL

      - name: 'Run az commands'
        run: |
          az account show
          az group list

In AWS, I can assume a role after authentication, allowing for dynamic permission management.

AWS Workflow sample:

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v4.0.2
  with:
    role-to-assume: ${{ secrets.DEPLOYMENT_ROLE }} #change to reflect your IAM role’s ARN
    role-session-name: GitHub_to_AWS_via_FederatedOIDC
    aws-region: ${{ env.AWS_REGION }}

However, I’m unsure how this works in Azure. Here are my specific questions:

Any insights, references to documentation, or examples would be greatly appreciated!


Solution

  • I hope that the following updated post can help you.

    Login with OpenID Connect (OIDC) is Recommended

    Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity.

    I prefer to use a Service Principal:

    Prepare a service principal for Login with OIDC

    Prepare a user-assigned managed identity for Login with OIDC

    It's important to Configure a federated identity credential on the App

    Assign A Role -- is the Key for you.

    As you can see in the above steps for preparing the service principal or managed identity, you need to perform a role assignment. You don't need to do it dynamically in the GitHub action's steps, but rather, perform the Role assignment during the service principal or managed identity preparation steps.

    In Azure Portal,

    Here are the detailed steps:

    Login with a Service Principal

    Create a GitHub Action secret AZURE_CREDENTIALS with the value like below:

    {
        "clientSecret":  "******",
        "subscriptionId":  "******",
        "tenantId":  "******",
        "clientId":  "******"
    }
    

    Now you can try the workflow to login with a service principal secret.

    # File: .github/workflows/workflow.yml
    
    on: [push]
    
    name: Run Azure Login With a Service Principal Secret
    
    jobs:
    
      build-and-deploy:
        runs-on: ubuntu-latest
        steps:
    
        - uses: azure/login@v2
          with:
            creds: ${{ secrets.AZURE_CREDENTIALS }}
    
        - name: Azure CLI script
          uses: azure/cli@v2
          with:
            azcliversion: latest
            inlineScript: |
              az account show
    

    If you want to pass subscription ID, tenant ID, client ID, and client secret as individual parameters instead of bundling them in a single JSON object to address the security concerns, below snippet can help with the same.

      - uses: azure/login@v2
        with:
          creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
    

    Reference: