
IT:AD:Github:Workflows:Steps:HowTo:Sign In To Azure

Summary

  • An Azure [Client] App Id has been registered in AAD.
  • A secret has been assigned to the Client.
  • Collect together:
    • Azure Subscription Id
    • Azure AAD (Entra) Tenant Id
    • [App] Client Id
    • [App] Client Secret
  • Use all 4 parts to make a JSON Fragment:
{
    "subscriptionId":  "******",
    "tenantId":  "******",
    "clientId":  "******",
    "clientSecret":  "******"
}
  • Save it as a GitHub secret, giving it a name of your choice, like AZURE_CREDS.
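A hand-edited fragment easily ends up with a missing or trailing comma, so it is worth checking before it is pasted into the secret. The following is an added example, not part of the original page: the function names are hypothetical, the sample values are constructed, and it assumes the three IDs are GUIDs.

```python
import json
import re

# Keys the page's JSON fragment carries; the three IDs are assumed to be GUIDs.
GUID_KEYS = ("subscriptionId", "tenantId", "clientId")
REQUIRED_KEYS = GUID_KEYS + ("clientSecret",)
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

def build_azure_creds(subscription_id, tenant_id, client_id, client_secret):
    """Serialize the four parts; json.dumps escapes quotes and backslashes."""
    return json.dumps({
        "subscriptionId": subscription_id,
        "tenantId": tenant_id,
        "clientId": client_id,
        "clientSecret": client_secret,
    })

def validate_azure_creds(text):
    """Return a list of problems; an empty list means the fragment is usable."""
    try:
        creds = json.loads(text)
    except json.JSONDecodeError as exc:
        # Report the position only, never the text itself (it holds the secret).
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno})"]
    if not isinstance(creds, dict):
        return ["top-level value must be a JSON object"]
    problems = []
    for key in REQUIRED_KEYS:
        value = creds.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif set(value) == {"*"}:
            problems.append(f"{key}: still a placeholder")
        elif key in GUID_KEYS and not GUID_RE.fullmatch(value):
            problems.append(f"{key}: not a GUID")
    return problems

# Constructed sample values, not real identifiers.
SAMPLE = build_azure_creds(
    "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333", 'constructed"secret\\value',
)
# A fragment with a missing comma and a trailing comma, as hand edits produce.
BROKEN = '{"tenantId": "x" "clientId": "y",}'

if __name__ == "__main__":
    for fragment in (SAMPLE, BROKEN):
        print(validate_azure_creds(fragment))
```

Run it locally on the fragment before saving the secret; the validator reports key names and parse positions only, so its output is safe to keep in a terminal history.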

Use the secret to sign in to Azure as follows:

    - uses: azure/login@v2
      with:
        creds: ${{ secrets.AZURE_CREDS }}

By default, azure/login only signs in using the Azure CLI.

To log in with the Azure PowerShell module as well:

    - uses: azure/login@v2
      with:
        creds: ${{ secrets.AZURE_CREDS }}
        enable-AzPSSession: true

An alternative, if you don't want to make the JSON fragment first, is to assemble it inline from individual secrets:

    - uses: azure/login@v2
      with:
        creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'

Or make an env var first (although, could it bleed?).

The service principal can be created, and its credentials printed as JSON, with the Azure CLI:

    az ad sp create-for-rbac --name {app-name} --role contributor --scopes /subscriptions/{subscription-id}/resourceGroups/exampleRG --json-auth
  • Last modified: 2024/04/28 05:01
  • by skys