Setting Up OIDC Auth For Azure Login and Terraform
Description
Almost every example you will see online for connecting to Azure from Terraform uses a Service Principal with a client secret. I have shown this a couple of times, but here is one I point people to often. Anyway, there are multiple ways you can authenticate with Azure/Terraform, and I want to go through what I did to set up OIDC auth, which removes the long-lived client secret entirely: GitHub issues a short-lived token per job and Azure AD trusts it through a federated credential instead.
To Resolve:

First, let's tackle Azure login because that is straightforward. The azure/login docs list the ways to connect via OIDC auth, but to summarize:

- Create a Service Principal (an App Registration).
- Navigate to it in Azure AD.
- Go to the "Federated credentials" blade (under Certificates & secrets) and click Add.
- For Organization, choose your org: `AutomationAdmin-Com` in my case.
- For Repository, choose your repo: `sic.template` in my case.
- For Entity type, you have a few options: Environment, Branch, Pull request, Tag. I always choose Environment.
- For GitHub name, you specify the value the previous selection filters on. For example, Environment has to match the GitHub Environment you will deploy from in your workflow, Branch has to match a branch, etc. I chose `production`, which I will show you shortly.
- For Name, give the credential a unique name: I chose `sic-template-env-prod`.

Together, those fields define the subject claim Azure will accept, in this case `repo:AutomationAdmin-Com/sic.template:environment:production`. Azure matches the token's issuer, subject and audience literally, so a job in the same repo that does not declare `environment: production` presents a different subject and cannot log in with this credential.
Next, inside my sic.template repo, I added the 3 values the action requires as secrets: `${{ secrets.CLIENT_ID }}`, `${{ secrets.TENANT_ID }}` and `${{ secrets.SUB_ID }}`, where SUB_ID is the `id` property of one of my Azure subscriptions; it doesn't matter which one as long as the service principal has access to it. Note that these three are identifiers rather than secrets, so it is fine to store them as plain repository variables; the point of OIDC is that there is no client secret to store anywhere.
Next, in my GitHub Actions workflow, I had to enable 2 things:

- First, I had to set the `id-token: write` permission. Be aware that as soon as you add a `permissions:` block, every permission you do not list is dropped, so also keep `contents: read` if the job checks out the repo.
- Next, I had to set `environment` to `production`, even though my deployments won't always target production, as seen in my main template post (or part 2). The environment name is part of the token's subject claim, so the job has to declare the same environment the federated credential was created for.
OK, so we can now get past Azure Login, as seen in the logs from a recent run:

```text
Run azure/login@v1
Using OIDC authentication...
Federated token details:
issuer - https://token.actions.githubusercontent.com
subject claim - repo:AutomationAdmin-Com/sic.template:environment:production
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Login successful.
```
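The issuer and subject claim printed in that log are exactly what Azure compares against the federated credential. The script below is an added example, not code from the post or from azure/login: it rebuilds the subject claim GitHub emits for each entity type, decodes a token's claims, and applies the same literal issuer/subject/audience match to three constructed, unsigned tokens for the sic.template repo (the token contents, the job names and the non-Azure audience value are assumptions for illustration). Azure additionally verifies the token signature against GitHub's published keys, which is deliberately not reproduced here.

```python
"""Reproduce Azure's federated-credential claim matching for GitHub OIDC tokens.

Added example, not part of the original post. Signature verification against
GitHub's JWKS is done by Azure AD during the real exchange and is omitted.
"""
import base64
import json
from dataclasses import dataclass

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Audience azure/login requests by default; it is also the federated credential default.
AZURE_AUDIENCE = "api://AzureADTokenExchange"


def github_subject(org: str, repo: str, entity_type: str, name: str = "") -> str:
    """Subject claim GitHub puts in the token, keyed on the credential's Entity type."""
    prefix = f"repo:{org}/{repo}"
    if entity_type == "environment":
        return f"{prefix}:environment:{name}"
    if entity_type == "branch":
        return f"{prefix}:ref:refs/heads/{name}"
    if entity_type == "tag":
        return f"{prefix}:ref:refs/tags/{name}"
    if entity_type == "pull_request":
        return f"{prefix}:pull_request"
    raise ValueError(f"unknown entity type: {entity_type!r}")


@dataclass(frozen=True)
class FederatedCredential:
    """The three fields Azure compares: issuer, subject and audience."""
    subject: str
    issuer: str = GITHUB_ISSUER
    audience: str = AZURE_AUDIENCE


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT. The signature is NOT checked here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def matches(cred: FederatedCredential, claims: dict) -> bool:
    """Literal match on iss, sub and aud; federated credentials have no wildcards."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return (
        claims.get("iss") == cred.issuer
        and claims.get("sub") == cred.subject
        and cred.audience in audiences
    )


def unsigned_token(claims: dict) -> str:
    """Constructed token with real JWT layout and an empty signature, for local testing only."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# The credential from the post: org AutomationAdmin-Com, repo sic.template,
# entity type Environment, GitHub name production.
PROD_CREDENTIAL = FederatedCredential(
    subject=github_subject("AutomationAdmin-Com", "sic.template", "environment", "production")
)


def evaluate_jobs() -> dict:
    """Constructed tokens for three hypothetical jobs in the repo; returns which would log in."""
    org, repo = "AutomationAdmin-Com", "sic.template"
    jobs = {
        # Job that declares `environment: production` in the workflow.
        "environment_production": {"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
                                   "sub": github_subject(org, repo, "environment", "production")},
        # Same repo, push to main, job has no environment: the subject becomes the branch ref.
        "push_to_main_no_environment": {"iss": GITHUB_ISSUER, "aud": AZURE_AUDIENCE,
                                        "sub": github_subject(org, repo, "branch", "main")},
        # Environment job whose token was requested with some other audience (assumed value).
        "environment_wrong_audience": {"iss": GITHUB_ISSUER, "aud": "sts.example.invalid",
                                       "sub": github_subject(org, repo, "environment", "production")},
    }
    return {name: matches(PROD_CREDENTIAL, jwt_claims(unsigned_token(c))) for name, c in jobs.items()}


if __name__ == "__main__":
    for job, ok in evaluate_jobs().items():
        print(f"{job}: {'matches credential' if ok else 'no matching federated credential'}")
```

Only the first job matches, which is the reason the workflow must set `environment: production`: the branch-only token and the wrong-audience token are both valid GitHub tokens, they just never match the credential sic-template-env-prod.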
Next, we need to tell Terraform about OIDC auth. Thankfully, this is documented well in the azurerm provider docs. To summarize:

- Remove any passing of `client_secret` as a secret to Terraform, and remove the variable altogether from `variables.tf` or any other place.
- Next, in your providers, replace that reference with `use_oidc = true` everywhere you would have used `client_secret`. The `azurerm` backend block authenticates separately from the provider, so it needs `use_oidc = true` as well. The provider still needs the client ID, tenant ID and subscription ID (for example via `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID`); only the secret goes away. The provider fetches its own GitHub token using the same `id-token: write` permission, so that permission has to stay on the job even though azure/login already ran. That's it! You can verify by going to any of my `backend.tf` files.
- What I haven't tested yet is verifying that the providers that get built get passed correctly, but I know Terraform doesn't error, so I assume the providers build correctly. Will need to remember to update this later once I test!