Created
June 7, 2022 15:59
A much faster GitHub Actions OIDC Login process than using azure/login
<#
.SYNOPSIS
Prepares the Az Module for use with an OIDC credential much more quickly than azure/login action
.DESCRIPTION
Meant to be dot-sourced from a GitHub Actions pwsh step. It requests the job's OIDC token from the
runner, puts the image's preinstalled Az module on PSModulePath (and exports that path to later
steps via GITHUB_ENV), then calls Connect-AzAccount -FederatedToken so the resulting context is
available to the rest of the job.
.PARAMETER applicationId
Application (client) ID of the Azure AD service principal to sign in as. Defaults to $env:AZURE_CLIENT_ID.
.PARAMETER tenantId
Azure AD tenant of that service principal. Defaults to $env:AZURE_TENANT_ID.
.PARAMETER subscription
Passed through to Connect-AzAccount -Subscription. Defaults to $env:AZURE_SUBSCRIPTION_ID.
.PARAMETER resourceGroup
Optional. When set, it is meant to become the default -ResourceGroupName for every *-Az* cmdlet in
this session. Defaults to $env:AZURE_RESOURCEGROUP.
.NOTES
Requires PowerShell 7 (ternary operator, $PSStyle). The job must expose the runner's OIDC endpoint
(ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN), which GitHub only does when the job
has the `id-token: write` permission.
#>
param (
    # Untyped and unvalidated here; empty values flow through to Connect-AzAccount as-is.
    $applicationId = $env:AZURE_CLIENT_ID,
    $tenantId = $env:AZURE_TENANT_ID,
    $subscription = $env:AZURE_SUBSCRIPTION_ID,
    $resourceGroup = $env:AZURE_RESOURCEGROUP
)
# The default Github color for verbose is very orangeish which implies warning
# ($PSStyle is a PowerShell 7.2+ feature.)
$psstyle.Formatting.Verbose = $psstyle.Foreground.BrightCyan
# Turn non-terminating errors (failed REST call, missing module directory) into terminating ones so
# the step fails fast instead of continuing with a half-configured session.
$ErrorActionPreference = 'stop'
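function Get-GitHubOIDCToken {
    <#
    .SYNOPSIS
    Requests a GitHub Actions OIDC ID token for the Azure AD token-exchange audience.
    .DESCRIPTION
    Calls the runner-provided ACTIONS_ID_TOKEN_REQUEST_URL, authenticating with the per-job
    ACTIONS_ID_TOKEN_REQUEST_TOKEN as a bearer credential, and returns the 'value' field of the
    response (the JWT). Both variables are only populated when the job has the `id-token: write`
    permission, so their absence is reported with a clear message instead of surfacing as an
    Invoke-RestMethod parameter-binding error on a null Uri.
    .OUTPUTS
    System.String - the OIDC JWT to hand to Connect-AzAccount -FederatedToken.
    #>
    [OutputType([string])]
    param()

    foreach ($required in 'ACTIONS_ID_TOKEN_REQUEST_URL', 'ACTIONS_ID_TOKEN_REQUEST_TOKEN') {
        if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($required))) {
            throw "$required is not set. The job needs 'permissions: id-token: write' for the runner to expose the OIDC token endpoint."
        }
    }

    $oidcTokenParams = @{
        Uri            = $env:ACTIONS_ID_TOKEN_REQUEST_URL
        # Default method is GET, so the body is sent as a query string: ?audience=api://AzureADTokenExchange
        Body           = @{ audience = 'api://AzureADTokenExchange' }
        Authentication = 'Bearer'
        # -Token must be a SecureString; Invoke-RestMethod also refuses to send it over plain http
        Token          = ConvertTo-SecureString -String $env:ACTIONS_ID_TOKEN_REQUEST_TOKEN -AsPlainText
    }

    $response = Invoke-RestMethod @oidcTokenParams
    if ([string]::IsNullOrEmpty($response.value)) {
        throw 'The OIDC token endpoint responded but returned no token value.'
    }
    return $response.value
}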
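function Set-GhEnvVar {
    <#
    .SYNOPSIS
    Exports an environment variable to the subsequent steps of the current job via $GITHUB_ENV.
    .DESCRIPTION
    Appends NAME=VALUE to the file named by $env:GITHUB_ENV, which the runner reads back into the
    environment of later steps (the current step is unaffected). The file is line-oriented, so a value
    containing a line break is written with GitHub's documented multi-line form
    (NAME<<DELIMITER / value / DELIMITER) using a random delimiter; this keeps a value that happens to
    contain newlines from being parsed as additional variable definitions.
    .PARAMETER Name
    Variable name. Must be non-empty and must not contain '=', '<<' or a line break, which would
    corrupt the file format.
    .PARAMETER Value
    Variable value; converted to a string. $null is written as an empty value.
    #>
    param($Name, $Value)

    if ([string]::IsNullOrEmpty($env:GITHUB_ENV)) {
        throw 'GITHUB_ENV is not set; Set-GhEnvVar only works inside a GitHub Actions step.'
    }
    if ([string]::IsNullOrEmpty($Name) -or $Name -match '(=|<<|[\r\n])') {
        throw "Invalid environment variable name '$Name'."
    }

    $text = [string]$Value
    if ($text -match '[\r\n]') {
        # Random delimiter so no line of the value can terminate the block early
        $delimiter = "ghadelimiter_$([guid]::NewGuid().ToString('N'))"
        "$Name<<$delimiter" >> $env:GITHUB_ENV
        $text >> $env:GITHUB_ENV
        $delimiter >> $env:GITHUB_ENV
    } else {
        "$Name=$text" >> $env:GITHUB_ENV
    }
}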
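function Add-AzModuleToPath {
    <#
    .SYNOPSIS
    Puts the runner image's preinstalled Az module directory at the front of PSModulePath.
    .DESCRIPTION
    The script expects an Az module directory matching /usr/share/az* (Linux) or C:\Modules\az*
    (Windows) that is not already on PSModulePath. When several match, the one whose name suffix
    parses as the highest [version] wins; names without a parsable version fall back to name order
    (the previous Select-Object -Last 1 behaviour). Throws when nothing matches, instead of silently
    prepending an empty entry to PSModulePath.
    #>
    if ($isMacOS) { throw 'Not supported on MacOS' }
    $azBasePath = $isLinux ? '/usr/share' : 'C:\Modules'

    # A wildcard that matches nothing does not error even with -ErrorAction Stop, hence the check below.
    $azModule = Get-ChildItem -Directory -Path "$azBasePath/az*" -ErrorAction Stop |
        Sort-Object -Property @{ Expression = {
                # 'az_10.0.0' must sort after 'az_9.3.0', which a plain name sort gets wrong
                $parsed = $null
                $null = [version]::TryParse(($_.Name -replace '^\D+', ''), [ref]$parsed)
                if ($parsed) { $parsed } else { [version]'0.0' }
            } }, Name |
        Select-Object -Last 1

    if (-not $azModule) {
        throw "No Az module directory found under $azBasePath. Is Azure PowerShell preinstalled on this runner image?"
    }
    $env:PSModulePath = $azModule.FullName, $env:PSModulePath -join [io.path]::PathSeparator
}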
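#region Main
# Fail here with a clear message rather than deep inside Connect-AzAccount.
if ([string]::IsNullOrEmpty($applicationId)) { throw 'applicationId is required (set AZURE_CLIENT_ID or pass -applicationId).' }
if ([string]::IsNullOrEmpty($tenantId)) { throw 'tenantId is required (set AZURE_TENANT_ID or pass -tenantId).' }

$token = Get-GitHubOIDCToken
Add-AzModuleToPath
# Export to additional steps in the job (a step can otherwise only change its own environment)
Set-GhEnvVar 'PSModulePath' $env:PSModulePath

if ($resourceGroup) {
    # Default -ResourceGroupName for every *-Az* cmdlet in this session. This must be the parameter
    # value: '${{ secrets.AZURE_RESOURCEGROUP }}' is a workflow expression and is never expanded inside
    # a .ps1 that the step dot-sources, so the former single-quoted literal was passed to Azure verbatim.
    $PSDefaultParameterValues['*-Az*:ResourceGroupName'] = $resourceGroup
}

Clear-AzContext -Force # This is only necessary on self-hosted runners, where a previous job's context can linger
$connectAzAccountParams = @{
    ServicePrincipal = $true
    ApplicationId    = $applicationId
    TenantId         = $tenantId
    Subscription     = $subscription
    FederatedToken   = $token
    Environment      = 'azurecloud'
    # Future steps can use this context; on hosted runners it is thrown away at the end of the run.
    Scope            = 'CurrentUser'
    # Suppresses a warning about the client assertion saved in AzureRmContext.json: the CurrentUser
    # context persists the OIDC token to disk, which is what lets later steps reuse the login.
    WarningAction    = 'SilentlyContinue'
}
$context = Connect-AzAccount @connectAzAccountParams
# The federated token has been exchanged; stop holding it in session variables.
$token = $connectAzAccountParams.FederatedToken = $null

if (-not $context) { throw 'Connect-AzAccount ran but no context was returned. This is probably a bug.' }
"Connected to $($context.Context.Account)"
#endregion Main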
#Example Step:
# Assumes the job (or the workflow's run defaults) uses `shell: pwsh`; the default shell on Linux
# runners is bash, which cannot dot-source a .ps1 — add `shell: pwsh` to this step otherwise.
# The job also needs `permissions: id-token: write`, or ACTIONS_ID_TOKEN_REQUEST_URL and
# ACTIONS_ID_TOKEN_REQUEST_TOKEN (read by Get-GitHubOIDCToken in the script) are not populated.
- name: ☁️ Azure PowerShell OIDC Login
  env:
    # Consumed as the defaults of the script's param block
    AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    AZURE_RESOURCEGROUP: ${{ secrets.AZURE_RESOURCEGROUP }}
  run: |
    #PowerShell Script (faster than azure/login)
    # Dot-sourced (not invoked) so the Az context and $PSDefaultParameterValues it sets stay in this step's session
    . Scripts/Connect-AzureGithubActionsOIDC.ps1