Azure / azure-cli

Azure Command-Line Interface
MIT License

Federated Credentials for GitHub fails with CLI 2.42 #25291

Open ezYakaEagle442 opened 1 year ago

ezYakaEagle442 commented 1 year ago

az feedback auto-generates most of the information requested below, as of CLI version 2.0.62

Related command

export CREDENTIAL_NAME="gha_aca_run"
export GH_USER_NAME="yourGitHubAccount"
export SUBJECT="repo:$GH_USER_NAME/aca-java-petclinic-mic-srv:ref:refs/heads/main" # "repo:organization/repository:environment:Production"
export DESCRIPTION="GitHub Action Runner for Petclinic ACA demo"

echo $SPN_OBJECT_ID # to check its value

az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/$SPN_OBJECT_ID/federatedIdentityCredentials' --body '{"name":"$CREDENTIAL_NAME","issuer":"https://token.actions.githubusercontent.com","subject":"$SUBJECT","description":"$DESCRIPTION","audiences":["api://AzureADTokenExchange"]}'
Bad Request({"error":{"code":"BadRequest","message":"The request URI is not valid. Since the segment 'applications' refers to a collection, this must be the last segment in the request URI or it must be followed by an function or action that can be bound to it otherwise all intermediate segments must refer to a single resource.","innerError":{"date":"2023-01-30T17:36:25","request-id":"13ced77d-517c-4416-81ab-d90a59f816ea","client-request-id":"13ced77d-517c-4416-81ab-d90a59f816ea"}}})

Describe the bug

To Reproduce

export CREDENTIAL_NAME="gha_aca_run"
export GH_USER_NAME="yourGitHubAccount"
export SUBJECT="repo:$GH_USER_NAME/aca-java-petclinic-mic-srv:ref:refs/heads/main" # "repo:organization/repository:environment:Production"
export DESCRIPTION="GitHub Action Runner for Petclinic ACA demo"

az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/$SPN_OBJECT_ID/federatedIdentityCredentials' --body '{"name":"$CREDENTIAL_NAME","issuer":"https://token.actions.githubusercontent.com","subject":"$SUBJECT","description":"$DESCRIPTION","audiences":["api://AzureADTokenExchange"]}'

Expected behavior

Based on the docs, the CLI should work.

Environment summary

From VS Code / WSL:

az version
{
  "azure-cli": "2.42.0",
  "azure-cli-core": "2.42.0",
  "azure-cli-telemetry": "1.0.8",
  "extensions": {}
}

Additional context

I could successfully create Federated Credentials from the Portal using the same values. Note: I use an MS FTE Tenant (named AppInnoLabs) with an external subscription.
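The 400 above comes from the shell quoting rather than from the CLI: both the URI and the body are single-quoted, so bash never expands `$SPN_OBJECT_ID` (or the other variables) and Graph receives the literal text `$SPN_OBJECT_ID` as the path segment, which its OData parser rejects. The script below is an added example, not the issue author's commands nor azure-cli code; it builds the same request with double quotes and refuses to send a URI or body that still contains an unexpanded `$`. It assumes SPN_OBJECT_ID holds the application object id (the key of the `/applications` collection) and the helper names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the issue author's commands nor azure-cli code.
# Builds the Graph request with double quotes so the shell expands the
# variables; the single-quoted form in the issue sends the literal text
# "$SPN_OBJECT_ID" as the path segment, which Graph rejects with the 400 shown.
# Assumption: SPN_OBJECT_ID holds the *application* object id, the key of the
# /applications collection. Helper names below are hypothetical.
set -eu

GRAPH="https://graph.microsoft.com/beta"
GH_ISSUER="https://token.actions.githubusercontent.com"
GH_AUDIENCE="api://AzureADTokenExchange"

# Escape backslashes and double quotes so a value cannot break out of its JSON string.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# URI of the federatedIdentityCredentials collection for one application object.
fic_uri() {
  printf '%s/applications/%s/federatedIdentityCredentials' "$GRAPH" "$1"
}

# Request body: $1 credential name, $2 subject claim, $3 description.
fic_body() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","description":"%s","audiences":["%s"]}' \
    "$(json_escape "$1")" "$GH_ISSUER" "$(json_escape "$2")" \
    "$(json_escape "$3")" "$GH_AUDIENCE"
}

# Guard: refuse anything that still carries an unexpanded $VAR, which is
# exactly what the single-quoted command in the issue produced.
check_expanded() {
  case "$1" in
    *'$'*) echo "unexpanded variable in: $1" >&2; return 1 ;;
  esac
}

# $1 application object id, $2 credential name, $3 subject, $4 description.
create_github_fic() {
  uri=$(fic_uri "$1")
  body=$(fic_body "$2" "$3" "$4")
  check_expanded "$uri" && check_expanded "$body" || return 1
  az rest --method POST --uri "$uri" --body "$body"
}

# Usage, with the variables from the issue already exported:
# create_github_fic "$SPN_OBJECT_ID" "$CREDENTIAL_NAME" "$SUBJECT" "$DESCRIPTION"
```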

ezYakaEagle442 commented 1 year ago

Also the pre-reqs mentioned in the docs were missing:

az role assignment create --role contributor --subscription ${SUBSCRIPTION_ID} --assignee-object-id $SPN_OBJECT_ID --assignee-principal-type ServicePrincipal --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RG_KV}

az role assignment create --role contributor --subscription ${SUBSCRIPTION_ID} --assignee-object-id $SPN_OBJECT_ID --assignee-principal-type ServicePrincipal --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RG_APP}

but fails with

Principals of type Application cannot validly be used in role assignments.

ezYakaEagle442 commented 1 year ago

GH Runner fails with

Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows

It does not even display the log message shown in the docs: 'Using OIDC authentication ...'

ezYakaEagle442 commented 1 year ago

The permissions were missing:

# required for https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux#set-up-azure-login-with-openid-connect-authentication
permissions:
  id-token: write
  contents: read

I have added them and now the az cli runs correctly in the workflow:

Using OIDC authentication...
Federated token details: 
 issuer - https://token.actions.githubusercontent.com/ 
 subject claim - repo:ezYakaEagle442/aca-java-petclinic-mic-srv:ref:refs/heads/main
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Login successful.

The initial issue is still there: I could create Federated Credentials for GitHub from the portal only, not from the CLI.

yonzhan commented 1 year ago

@jiasli for awareness

navba-MSFT commented 1 year ago

Adding Service team to look into this.

ezYakaEagle442 commented 1 year ago

I hit the same error with CLI 2.45.0. @yonzhan, can I have an update on that one please?