Open MariusStorhaug opened 2 years ago
@MrMCake @eriqua @rahalan @mblant : I sorted out the settings on the AppReg so the OIDC config is in place.
Needs further alignment #1465
Aligning with #1085, environments will be used in GH.
Removing from upcoming release 0.7, will be worked on in the next one
Description
Removing long-lived Azure credentials from the development environment is a key strategy to reduce vulnerabilities that hackers can easily exploit. We can now configure GitHub to deploy to Azure without creating, storing, or managing credentials for the Azure AD application (SPN), by using the Azure AD workload identity federation capability which is now GA (Build 2022 - Book of news).
The required changes seem to be:

1. Add a Federated Identity profile on the SPN in AAD. For this we need to choose a criterion of use, i.e.: Environment = 'Engineering'
2. Add `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` to a new environment.
3. Add the following sections to the workflow files:
[ ] Ensure we have the related documentation updated
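As an added example, not code from the issue or from the repository, this is what the workflow side of the change described above looks like: the job requests an OIDC token and logs in with azure/login using only the client, tenant and subscription ids, with no client secret stored anywhere. Assumptions: the environment is named Engineering (as in the issue), the org/repo in the subject comment is a placeholder, and the ARM_* values are stored on that environment as secrets (environment variables would work equally).

```yaml
# Added example (not from the issue or the repository): a job that logs in to
# Azure via workload identity federation instead of a stored client secret.
# Assumed federated credential on the app registration:
#   issuer:   https://token.actions.githubusercontent.com
#   subject:  repo:<org>/<repo>:environment:Engineering   (placeholder org/repo)
#   audience: api://AzureADTokenExchange
# ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID live on the environment;
# none of them is a credential, and no client secret or certificate exists
# for the app registration at all.
name: deploy-engineering

on:
  workflow_dispatch:

permissions:
  contents: read   # default-deny; grant only what the job needs
  id-token: write  # required so the runner may request the OIDC token

jobs:
  deploy:
    runs-on: ubuntu-latest
    # The environment name becomes part of the token's "sub" claim, so the
    # federated credential only matches runs in this environment, and any
    # protection rules on it (required reviewers, branch restrictions) gate
    # the ability to obtain an Azure token.
    environment: Engineering
    steps:
      - name: Azure login (OIDC, no client secret)
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.ARM_CLIENT_ID }}
          tenant-id: ${{ secrets.ARM_TENANT_ID }}
          subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}

      - name: Verify the federated identity
        run: az account show --query "{subscription:name, tenant:tenantId}" -o table
```

If the token's subject does not match the federated credential (for example the job runs without `environment: Engineering`), Azure AD refuses the exchange, which is the property you want: the workflow cannot authenticate outside the configured environment.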