Azure / login

Connect to Azure

Azure Federated Credential Subject Identifier #492

Open Ismeasures opened 3 days ago

Ismeasures commented 3 days ago

When GitHub generates the subject identifier for a federated credential on an Azure managed identity, it automatically converts the environment field to be lower case. As of August 2024 Azure requires case-matching in all fields of the subject identifier to be identical. This causes deployments to fail if a GitHub environment has a capital letter in it. For example:

The federated credential subject identifier created in Azure is:

repo:[Org_Name]/[Repo_Name]:environment:[Environment_Name]

But the subject identifier generated/used in GitHub is:

repo:[Org_Name]/[Repo_Name]:environment:[environment_name]

Due to Azure's new policy of requiring cases to match, this breaks ALL deployments unless the user manually changes the subject identifier (or environment name) in Azure to be lowercase (even when the ACTUAL environment name contains uppercase letters).

Reproduce this issue:

  1. Create a managed identity on Microsoft Azure and give it a federated credential to deploy resources from GitHub Actions from an environment

  2. Make sure the environment given to the federated credential contains a capital letter

  3. Try to deploy to Azure from a GitHub Actions workflow

  4. You will receive an error saying the credential's subject identifier matches case-insensitively, but does NOT match case-sensitively

YanaXu commented 1 day ago

Hi @Ismeasures, I can't reproduce this issue.

I use "Test" as the environment name, configure it in Azure Portal and use it in my test GitHub Actions. I can see the log of my GitHub Actions:

Federated token details:
 issuer - https://token.actions.githubusercontent.com/
 subject claim - repo:YanaXu/login-test:environment:Test


Could you double check it again?

Ismeasures commented 1 day ago

Interesting, I am seeing this issue across multiple teams and it seems very clear what is going on so I'm surprised it isn't reproducible (and have verified the issue persists today). I will include screenshots so hopefully we can figure out what is going wrong.

Here is how the federated credential is set up in Azure: (screenshot)

Here are the available environments on the target repository (note we are targeting "Development"): (screenshot)

When trying to deploy to Azure using that federated credential we receive this error:

AADSTS7002138: No matching federated identity record found for presented assertion subject 'repo:[Org_Name]/Finance.Shared:environment:development'. The subject matches with case-insensitive comparison, but not with case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: 9cf75a6e-fdee-4fb1-9c2d-c09b26c21c00 Correlation ID: 50e5dc0b-f634-4586-b42a-94ba9d0ee991 Timestamp: 2024-10-25 12:29:45Z
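A small diagnostic for the mismatch discussed in this thread, added here as an example and not part of the azure/login project: it pulls the `subject claim` line out of an azure/login log block (the format YanaXu pasted above), compares it segment by segment against the subject configured on the Azure federated credential, and flags the AADSTS7002138 condition where the two are equal ignoring case but not exactly. The org name, repo name and both subjects are constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Log block as printed by azure/login (format from the thread; values constructed).
SAMPLE_LOGIN_LOG = """\
Federated token details:
 issuer - https://token.actions.githubusercontent.com/
 subject claim - repo:Example_Org/Finance.Shared:environment:development
"""
# Subject configured on the Azure federated credential (constructed sample).
CONFIGURED_SUBJECT = "repo:Example_Org/Finance.Shared:environment:Development"


@dataclass
class SubjectDiff:
    exact: bool
    case_insensitive: bool
    segments: list = field(default_factory=list)  # (index, configured, presented)

    @property
    def case_only(self) -> bool:
        """The AADSTS7002138 condition: equal ignoring case, unequal otherwise."""
        return self.case_insensitive and not self.exact


def presented_subject(log_text: str) -> str:
    """Extract the subject claim GitHub actually presented from an azure/login log."""
    m = re.search(r"^\s*subject claim - (\S+)", log_text, re.MULTILINE)
    if not m:
        raise ValueError("no 'subject claim' line in log")
    return m.group(1)


def compare_subjects(configured: str, presented: str) -> SubjectDiff:
    """Compare the colon-separated segments (repo:<org>/<repo>:environment:<env>)."""
    cfg, pres = configured.split(":"), presented.split(":")
    diff = SubjectDiff(configured == presented,
                       configured.casefold() == presented.casefold())
    for i in range(max(len(cfg), len(pres))):
        a, b = (cfg[i] if i < len(cfg) else ""), (pres[i] if i < len(pres) else "")
        if a != b:
            diff.segments.append((i, a, b))
    return diff


def report(configured: str, log_text: str) -> str:
    """Human-readable verdict: OK, case-only mismatch, or a real subject mismatch."""
    d = compare_subjects(configured, presented_subject(log_text))
    if d.exact:
        return "OK: Azure subject matches the presented claim exactly"
    if d.case_only:
        where = "; ".join(f"segment {i}: {a!r} vs {b!r}" for i, a, b in d.segments)
        return f"CASE MISMATCH (AADSTS7002138): {where}. Copy the logged subject claim into Azure verbatim."
    return f"MISMATCH beyond case: {d.segments}"
```

Run `report(CONFIGURED_SUBJECT, SAMPLE_LOGIN_LOG)` against your own workflow log and credential to see which segment Azure is rejecting on.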