How can I login to azcopy on Github Actions with an OIDC Federated Identity?
I have succesfully logged into Azure on a Github Actions workflow using an OpenID Connect Federated Identity credential. This Service Principal works across two subscriptions in the same tenant:
- name: Azure login with OIDC
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
environment: "AzureCloud"
allow-no-subscriptions: true
However, I'd ultimately like to use this login with azcopy. We had previously used a SAS token, which worked, but we have a growing team and we want to make things more resilient by having a credential that doesn't have to rotate and won't be exposed to many different eyes.
The following code does not work:
- name: Azure login with OIDC
uses: azure/login@v2
env:
AZCOPY_AUTO_LOGIN_TYPE: SPN
AZCOPY_SPA_APPLICATION_ID: ${{ secrets.CLIENT_ID }}
AZCOPY_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
with:
client-id: ${{ secrets.CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
environment: "AzureCloud"
allow-no-subscriptions: true
- name: Check azcopy login status
env:
AZCOPY_AUTO_LOGIN_TYPE: SPN # I've also tried AZCLI
AZCOPY_SPA_APPLICATION_ID: ${{ secrets.CLIENT_ID }}
AZCOPY_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
run: |
azcopy login status --tenant --endpoint
While the first step runs just fine, azcopy login status returns with an error:
How might I authenticate to azcopy after succesfully authenticating to az?
Some success criteria I am looking for:
- I should be able to use
azcopy login statusbefore attempting an actual azcopy operation to confirm that I am logged in. - I should ultimately be able to use my OIDC-enabled Service Principal in Github Actions, but a proof of concept using a client-secret or certificate locally, perhaps without Github Actions, would be helpful too. As such I am not married to the idea of using the Azure Login action, I'd be happy to swap to the
az cliif that's more reliable. I would just from there want a good explanation of how I'd convert this local workflow to Github Actions.
I was very close originally. Thanks to this blog post by Tim Jacomb I was able to login to azcopy with an OIDC federated identity:
https://blog.timja.dev/using-azcopy-in-github-actions-with-federated-credentials/
Summary:
Making use of azcopy's auto-login, afaik, is the only way to use OIDC credentials when using azcopy with a Service Principal.
- The azcopy cli allows for various methods of authenticating via Service Principal, but OIDC is not one of them.
- The az cli as well as the Azure Login action, however, DO work with OIDC, and thus you need to first login with one of those and then auto-login to azcopy using environment variables and your target azcopy command.
Summary of modifications:
- I had other issues offscreen that were causing the AZCLI option for AZCOPY_AUTO_LOGIN_TYPE to not work. This is indeed the correct flag.
- allow-no-subscriptions: true when logging into az does not work with azcopy, as far as I can tell. I've removed that and replaced it with the subscription id for the resources with which I'm going to use the Service Principal.
- Only set the environment variables on the step you're going to use them.
- name: Azure login with OIDC
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Copy file to Azure Blob Storage
env:
AZURE_STORAGE_ACCOUNT: your-storage-account-name
AZURE_CONTAINER_NAME: example
AZCOPY_AUTO_LOGIN_TYPE: AZCLI # This is the auto login type you want
AZCOPY_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} # Don't forget this
run: |
echo ""
azcopy sync "." "https://$AZURE_STORAGE_ACCOUNT.file.core.windows.net/$AZURE_CONTAINER_NAME/"
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions