New Authentication Method: OIDC

[tjololo]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently the only way to authenticate with a service principal you need to use secert or certificate. It would be nice if the azurerm provider supports authenticating a Service Principal or a AzureAD App using the Azure CLI.

Use-cases Github announced OIDC Federated credentials for Github Actions. It can be used by the Azure Login action. It would be nice if azurerm also supported that scenario so you do not need a secret for deployment to Azure anymore.

See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure for details.

Issue was raised with hashicorp/terraform earlier: #29830

New or Affected Resource(s)

No resources should be affected, this only a new way to authenticate with a service principal

Potential Terraform Configuration

No changes to the terraform configuration as authentication is handled by Azure CLI

References

• hashicorp/terraform/issue#29830

[tombuildsstuff]

hi @tjololo

Thanks for opening this issue.

Whilst we have no plans to support authenticating using the Azure CLI and a Service Principal (since it behaves differently in a number of ways - and we already have a fully supported method of authenticating using a Service Principal - we should look into supporting OIDC authentication here.

Since authentication methods are handled in the upstream hashicorp/go-azure-helpers repository - I'm going to migrate this issue over to that repository for the moment.

Thanks!

[dhduvall]

This seems related to hashicorp/terraform-provider-azurerm#5271, which talks explicitly about JWT authentication, but I think this is asking for the same thing.

GitLab also issues a signed JWT for its CI runs, and I'd like to be able to use that to authenticate to Azure. I guess the workaround is to have a pre-build step that exchanges the JWT for a secret, and then makes that secret available to Terraform, but I haven't tried it yet.

Note that in this case, the need for a refresh mechanism as mentioned in the other issue isn't required, since the JWT expiration is matched to the timeout of the job.

[tombuildsstuff]

@dhduvall whilst we're looking into OIDC we have no plans to support JWT authentication - so that's out-of-scope here unfortunately.

[SudoSpartanDan]

@tombuildsstuff Is there any help your team needs with working on this? Very interested in getting this working with OIDC so we don't need secrets in GitHub or need to reach out to a secret manager.

[tombuildsstuff]

@SudoSpartanDan I may be wrong (@manicminer has the most context on auth related topics) - but I think this requires that we use MSAL rather than ADAL (which is what we'll be switching to in 3.0). There's a PR open on the Provider repo for MSAL support (which'll be feature-toggled in a 2.x release and be the only option in 3.0) - at which point I believe we should be able to add a new authentication mechanism for this (opt-in via a flag in the same way that MSI authentication works).

From the documentation it appears that the token is available via the Environment Variables ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_RUNTIME_TOKEN - so I guess that adding a new authentication mechanism which makes use of those directly, rather than requiring the use of the azure/login action is the most practical approach here?

[SudoSpartanDan]

@tombuildsstuff Yeah, makes sense. I was digging into it a bit and the Azure CLI for the federated token (aka the token provided by GitHub) gets passed as a client_assertion.

https://github.com/Azure/azure-cli/blob/47549b05a2ad4835e7e5a79176bc9600758ecf5c/src/azure-cli/azure/cli/command_modules/profile/__init__.py#L61

Which is then used to build out the API call.

https://github.com/Azure/azure-cli/blob/d7e5ede07748b423d2b03fbb8bd25b8bb2c19023/src/azure-cli-core/azure/cli/core/auth/msal_authentication.py#L93-L123

Should be pretty easy to pass those two Environment Variables ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_RUNTIME_TOKEN and hit the MSAL endpoint to auth like their Python code is doing.

[mr-twendt]

Will this also include the new Azure workload identity when running terraform on AKS?

There is go example code available here: https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go

[capricube]

+1

[rhyspaterson]

Any traction here? I note the AzureRM provider seems to have a 3.x beta available that has moved to MSAL. Was this what you were referring to as a dependency? Can't see anything in the beta release notes about OIDC support though.

[vinvli]

Waiting for this one. Any progress?

[renenielsendk]

We also want to move to OpenId, but is currently blocked by this. +1

[anarsen]

We also want to move to OpenId, but is currently blocked by this. +1

Do a :+1: on the issue and they'll notice :)

[tarunchy]

This will be a really important feature we are waiting for secured cloud deployment for terraform. Any update will be really helpful. Thank you.

[don450p]

It seems to me it could be implemented very much like https://github.com/hashicorp/go-azure-helpers/blob/main/authentication/auth_method_client_cert.go#L30

instead using this auth method, https://github.com/manicminer/hamilton/blob/main/auth/auth.go#L64
vs the one used in that above file

This commit has files that seem to be affected by this type of change https://github.com/hashicorp/go-azure-helpers/commit/cba16438cf75356c9e849a62f9a72e1c00ce1436

I hope this is helpful, I am not talented enough to complete the implementation myself.

[kirk-spragg]

This seems related to hashicorp/terraform-provider-azurerm#5271, which talks explicitly about JWT authentication, but I think this is asking for the same thing.

GitLab also issues a signed JWT for its CI runs, and I'd like to be able to use that to authenticate to Azure. I guess the workaround is to have a pre-build step that exchanges the JWT for a secret, and then makes that secret available to Terraform, but I haven't tried it yet.

@dhduvall Have you perchance been able to try this? Also there appears to be need to exchange the JWT for a secret yourself, the az cli has a handy 'az account get-access-token' command that will do if for you, presuming of course you have authenticated with az login using the OIDC federation first.

I have been looking around but have not found any mention of using the bearer token directly for auth in the azurerm backend.

[SudoSpartanDan]

@manicminer, any updates on this? I know the provider is on 3.0, which should be able to implement this now. If you need any help, let me know!

[manicminer]

@SudoSpartanDan Thanks for the offer. I've been working on it and it'll be ready soon :)

[derkoe]

This implementation seems very GitHub-specific. GitLab now also supports OIDC but it provides the token directly in CI_JOB_JWT_V2 without calling an http endpoint.

@manicminer can the current implementation be used for GitLab as well?

References:

• https://docs.gitlab.com/ee/ci/cloud_services/
• https://gitlab.com/gitlab-org/gitlab/-/merge_requests/94461

[roelof-xomnia]

Are there any resources that show the steps needed to implement this? atm we have OIDC set up with Azure, but it is unclear how to authenticate with Terraform and Azure CLI, any pointers would be great

[tarunchy]

@roelof-xomnia please check out my repo

https://github.com/tarunchy/github-action-oidc-demo

I have provided a working example. If you like it give it star :)

[justinp-kr]

@roelof-xomnia

AzureRM Backend for Terraform, see "When authenticating using OpenID Connect (OIDC)": https://developer.hashicorp.com/terraform/language/settings/backends/azurerm

terraform {
  backend "azurerm" {
    use_oidc = true

AzureRM Provider for Terraform: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc

provider "azurerm" {
  use_oidc = true

If you use GitHub Actions, Microsoft and GitHub both have good documentation: https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-portal%2Clinux https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure

Which leverage azure/login: https://github.com/azure/login#sample-workflow-that-uses-azure-login-action-using-oidc-to-run-az-cli-linux