Azure / functions-action

Enable GitHub developers to deploy to Azure Function Apps using GitHub Actions
MIT License

RBAC auth type with GitHub Open ID Connect #153

Closed melzayet closed 1 year ago

melzayet commented 2 years ago

As "functions-actions" already supports RBAC, is logging in to Azure through GitHub OpenID Connect a supported flow?

For example, app service deploy GH action does document the support for Open ID: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=openid

Basically, an Azure login action will use an SP following the OpenID Connect flow, then the web app deploy action will use that SP.

[Screenshot attached: 2022-09-02 18:22:35]

Thanks

patelchandni commented 2 years ago

Hey @melzayet, the support you are asking for is under a separate task: Azure/login@v1. So, that task will have the same behavior across all workflows. Here are some samples:

  1. https://github.com/Azure/login#sample-workflow-that-uses-azure-login-action-using-oidc-to-run-az-powershell-windows
  2. https://github.com/Azure/login#sample-workflow-that-uses-azure-login-action-using-oidc-to-run-az-cli-linux

melzayet commented 2 years ago

Thanks @patelchandni! Azure/login@v1 already supports workload federated identity, but I wanted to know if Azure/functions@v1 would support a service principal that was logged in with Azure/login@v1 using the workload federated identity model.

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

Mandur commented 2 years ago

We are also interested in the workload federation identity support

github-actions[bot] commented 2 years ago

This issue is idle because it has been open for 14 days with no activity.

tjcorr commented 1 year ago

I think the question here is: if I do an Azure/login step beforehand, will this action reuse the credentials there to do the publishing without the need for a user to specify a publish-profile?

This would allow for a user to use OIDC to do the login process and then never have to store any credentials in GitHub.

tjcorr commented 1 year ago

I just did a test and was able to deploy using OIDC just fine. Here is a sample of my workflow:

on: 
  push:

permissions:
  id-token: write
  contents: read

jobs:
  build-publish:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v3

    - name: Az CLI login
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    - name: Function Publish
      uses: Azure/functions-action@v1
      with:
        app-name: ....
        package: ...
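
The pattern in the two posts above (OIDC login via azure/login, then functions-action reusing that session with no stored publish profile) is easy to regress when someone later adds a `publish-profile` or `creds` secret back into the workflow. Below is an added example, not code from the Azure/functions-action project, that lints a workflow file for that pattern: it checks that `id-token: write` is granted, that azure/login uses the OIDC inputs rather than a `creds` secret, and that functions-action steps carry no `publish-profile`. It scans the YAML text line by line (no PyYAML needed) and assumes the usual layout where step list items begin with `- name:` or `- uses:` and `with:` keys sit one level deeper. The function and constant names are mine, and the two sample workflows are constructed (the second mirrors tjcorr's workflow; `my-function-app` and `./output` are placeholders).

```python
"""Lint a GitHub Actions workflow for the OIDC deployment pattern.

Rules: (1) `id-token: write` granted under permissions; (2) azure/login uses
client-id/tenant-id/subscription-id rather than a long-lived `creds` secret;
(3) Azure/functions-action has no `publish-profile`, so the only credential in
the job is the short-lived token that azure/login obtained via OIDC.
"""
import re

# `key: value` lines, optionally as a list item (`- key: value`)
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def parse_lines(text):
    """Yield (indent, key, value, is_list_item); blanks and comments are skipped."""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # scalar list items such as `- main` carry no key
        dash = m.group(2) or ""
        yield len(m.group(1)) + len(dash), m.group(3), m.group(4), bool(dash)


def find_steps(entries):
    """Return [{'uses': str|None, 'with': {key: value}}] for each item under `steps:`."""
    steps, current, in_steps, section = [], None, False, None
    steps_indent = item_indent = 0
    for indent, key, value, is_item in entries:
        if key == "steps" and not is_item:
            in_steps, steps_indent, current = True, indent, None
            continue
        if not in_steps:
            continue
        if indent <= steps_indent:  # back at job level: the steps list has ended
            if current:
                steps.append(current)
            in_steps, current = False, None
            continue
        if is_item:  # `- name:` / `- uses:` opens a new step
            if current:
                steps.append(current)
            current, item_indent = {"uses": None, "with": {}}, indent
        if current is None:
            continue
        if indent == item_indent:  # step-level key: name, uses, with, env, ...
            section = key
            if key == "uses":
                current["uses"] = value
        elif section == "with":  # nested under this step's `with:` block
            current["with"][key] = value
    if current:
        steps.append(current)
    return steps


def lint_workflow(text):
    """Return a list of findings; an empty list means the OIDC pattern is followed."""
    entries = list(parse_lines(text))
    findings = []
    if not any(k == "id-token" and v == "write" for _, k, v, _ in entries):
        findings.append("permissions: `id-token: write` missing; azure/login cannot request an OIDC token")
    for step in find_steps(entries):
        uses, w = (step["uses"] or "").lower(), step["with"]
        if uses.startswith("azure/login@"):
            if "creds" in w:
                findings.append("azure/login: `creds` is a long-lived service-principal secret; use the OIDC inputs")
            else:
                for req in ("client-id", "tenant-id", "subscription-id"):
                    if req not in w:
                        findings.append(f"azure/login: `{req}` is required for OIDC login")
        elif uses.startswith("azure/functions-action@") and "publish-profile" in w:
            findings.append("functions-action: drop `publish-profile`; the azure/login session is sufficient")
    return findings


# Constructed sample mirroring the workflow posted above (app-name/package are placeholders).
OIDC_WORKFLOW = """\
permissions:
  id-token: write
  contents: read
jobs:
  build-publish:
    steps:
      - uses: actions/checkout@v3
      - name: Az CLI login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Function Publish
        uses: Azure/functions-action@v1
        with:
          app-name: my-function-app
          package: ./output
"""

# Constructed legacy sample: no OIDC permission, deploys with a stored publish profile.
PUBLISH_PROFILE_WORKFLOW = """\
jobs:
  build-publish:
    steps:
      - name: Function Publish
        uses: Azure/functions-action@v1
        with:
          app-name: my-function-app
          package: ./output
          publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }}
"""

if __name__ == "__main__":
    for label, wf in (("oidc", OIDC_WORKFLOW), ("publish-profile", PUBLISH_PROFILE_WORKFLOW)):
        print(label, lint_workflow(wf) or "OK")
```

Running it reports nothing for the OIDC workflow and two findings for the legacy one (missing `id-token: write`, and a `publish-profile` secret that the OIDC session makes unnecessary). The scanner only reads `key: value` lines, so it will not follow YAML anchors, flow-style mappings or multi-line `run:` scripts; for a workflow written in the plain style shown in this thread that is enough to catch a long-lived secret creeping back in.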

akbast commented 1 year ago

I can also confirm that it is working as described by @tjcorr. But I am facing issue #116 from time to time.

Mandur commented 1 year ago

Yes, the solution from @tjcorr worked for me as well. Thank you!