[Feature Request] BREAKING change: Authenticate to Azure from GH with OpenID Connect

[MariusStorhaug]

Description

Removing long-lived, Azure credentials from the development environment is a key strategy to reduce vulnerabilities that hackers can easily exploit. We can now configure GitHub to deploy to Azure without creating, storing, or managing credentials for the Azure AD application (SPN), by using the Azure AD workload identity federation capability which is now GA (Build 2022 - Book of news).

1.7.2. GITHUB OPENID CONNECT WITH AZURE AD WORKLOAD IDENTITY FEDERATION NOW AVAILABLE

GitHub OpenID Connect (OIDC) with Azure Active Directory (Azure AD) workload identity federation, now generally available, minimizes the need for storing and accessing secrets. The new capabilities alleviate the need for managing Azure service principal secrets and other long-lived cloud credentials in the GitHub Actions secret store.

With this integration, users can manage all cloud resource access securely in Azure. These capabilities also minimize the chances of service downtime due to expired credentials in GitHub. Customers can integrate with developer platforms, like GitHub Actions, to build apps swiftly and securely. With workload identity federation, Azure AD removes the secrets necessary to access resources in selected scenarios – adding another layer of security and removing the burden of secret management.

Learn more about this update.

The required changes seems to be:

• Add Federated Identity profile on the SPN in AAD. For this we need to choose a criteria of use, i.e.: Environment = 'Engineering'.

• Add ARM_CLIENT_ID, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID to a new environment.

• Add the following sections to the workflow files:

  permissions:
    id-token: write
    contents: read
  
  ...
  
  environment: Engineering   # we need to decide on this ofc

• [ ] Ensure we have the related documentation updated

[MariusStorhaug]

@MrMCake @eriqua @rahalan @mblant : I sorted out the settings on the AppReg so the OIDC config is in place.

[rahalan]

Needs further alignment #1465

[MariusStorhaug]

Aligning with #1085, environments will be used in GH.

[eriqua]

Removing from upcoming release 0.7, will be worked on in the next one