This repository contains a demo of using GitHub Actions with Federated/ODIC Authentication to pull a secret from Azure Key Vault.
The GitHub Action authenticates to Azure as a service principal; however, instead of managing secrets in GitHub, this implements Federated Authentication with OIDC.
Documentation:
- Configuring OpenID Connect in Azure - GitHub Docs
- Authenticate to Azure from GitHub Action workflows | Microsoft Learn
- Fork this repository
- Configure Azure infrastructure (see: Infrastructure Configuration)
- Service Principal
- Key Vault
- Role assignment
- Set up GitHub secrets for Actions (see: GitHub Configuration)
- Execute Action
The Action runs manully from the Actions tab in this repository.
The Action steps are defined in get-azure-secrets.yml.
- Azure Login: Logs into Azure CLI with Federated Credentials (OIDC). This eliminates the need to manage a client ID and secret.
- Get Secrets: This will fetch additional secrets from Azure Key Vault, using the identity from the Login step.
- Show Secrets: This will output the secrets from the Get Secrets step, showing that the
secret2value is masked.
The log will show a result, one of a plaintext secret1 value and the other of a masked secret2 value:
secret1: value1
secret2: ***
If you wish to fork and run this demo in your environment, you will need to provision a Key Vault in Azure and grant the service principal used in Actions the Key Vault Secrets User role or assign the appropriate legacy Key Vault access policy.
Documentation:
You can reference or use the deploy.sh script in this repository to assist with setting up a demo environment.
GitHub Actions will also expect the following secrets to be configured in the repository:
AZURE_TENANT_ID: The tenant ID for your Azure environmentAZURE_CLIENT_ID: Your Azure service principal client IDAZURE_SUBSCRIPTION_ID: Your Azure subscription IDAZURE_KEY_VAULT_NAME: The name of the Azure Key Vault
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent