@ehrnst
Created August 24, 2022 11:58
Adding Azure AD and github federated credentials
```powershell
# creates an app registration in Azure AD and connects it with a GitHub repo
# use as an example only
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $gitHubRepoName,
    [Parameter(Mandatory)]
    [string]
    $teamName,
    # optional: marking this Mandatory would make the default value meaningless
    [string]
    $branchName = "main"
)
$organization = "myorgltd"
$appRegistrationName = "gh-$teamName-action-sp"
$appRegistrationDescription = "Used by $teamName for enabling GitHub Actions with Azure AD OIDC authentication"
$audience = "api://AzureADTokenExchange"
# must match the token's iss claim exactly, which has no trailing slash
$ghIssuer = "https://token.actions.githubusercontent.com"
$federationName = "action-$gitHubRepoName"
# scopes the credential to one branch of one repo; other branches, tags and forks get no token exchange
$federationSubject = "repo:$($organization)/$($gitHubRepoName):ref:refs/heads/$($branchName)"
# check if app exists
$GhAdApp = $null
$GhAdApp = Get-AzADApplication -DisplayName $appRegistrationName
if ($GhAdApp) {
    Write-Output "App registration already exists. Adding new credential for specified repo $gitHubRepoName"
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
        -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
        -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}
# if app does not exist
else {
    Write-Output "adding new app registration for $teamName with credentials for $gitHubRepoName"
    $GhAdApp = New-AzADApplication -DisplayName $appRegistrationName -Description $appRegistrationDescription
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
        -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
        -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}
$credentialObject = [PSCustomObject]@{
    ApplicationName     = "$($GhAdApp.DisplayName)"
    ApplicationObjectId = "$($GhAdApp.Id)"
    # the workflow's client-id is the application (client) ID, not the object ID
    ApplicationClientId = "$($GhAdApp.AppId)"
}
Write-Output $credentialObject | ConvertTo-Json

# add secrets to repo
# separate snippet: encrypts a value with the repo's public key and stores it as an Actions secret
Import-Module PSSodium
$ghToken = "ghp_"   # personal access token with repo scope (placeholder)
$headers = @{ Authorization = "token " + $ghToken }
$secret = "fb4ca569-c690-4391-96d9-928e7a8fd7ff"   # example value for the tenant ID
$repoName = "myrepo"
$organization = "myorgltd"
# list existing secrets (names only; GitHub never returns secret values)
Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets" -Headers $headers
$publicKey = Invoke-RestMethod -Method Get -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets/public-key" -Headers $headers
# the API only accepts values sealed with the repo's libsodium public key
$encryptedSecret = ConvertTo-SodiumEncryptedString -Text $secret -PublicKey $publicKey.key
$secretBody = @"
{
    "encrypted_value": "$encryptedSecret",
    "key_id": "$($publicKey.key_id)"
}
"@
Invoke-RestMethod -Method Put -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets/AZURE_TENANT_ID" -Headers $headers -Body $secretBody
```
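As an added example that is not part of the gist: the subject formats a GitHub federated credential can be scoped to, and an exact-match check of a constructed token claim set against a credential's issuer, subject and audience, mirroring the matching Azure AD performs at token exchange. `New-GitHubFederationSubject` and `Test-FederatedCredentialMatch` are hypothetical helper names.

```powershell
# Builds the GitHub OIDC subject claim for each scope a federated credential can
# be tied to, then checks a token claim set against a credential the way
# Azure AD does: iss, sub and aud must each match exactly.
function New-GitHubFederationSubject {
    param (
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $Repository,
        [ValidateSet('branch', 'tag', 'environment', 'pull_request')]
        [string] $Scope = 'branch',
        [string] $Value = 'main'   # branch, tag or environment name
    )
    $repo = "repo:$Organization/$Repository"
    switch ($Scope) {
        'branch'       { "${repo}:ref:refs/heads/$Value" }
        'tag'          { "${repo}:ref:refs/tags/$Value" }
        'environment'  { "${repo}:environment:$Value" }
        'pull_request' { "${repo}:pull_request" }
    }
}

function Test-FederatedCredentialMatch {
    param (
        [Parameter(Mandatory)] [hashtable] $Claims,   # decoded token payload
        [Parameter(Mandatory)] [string] $Issuer,
        [Parameter(Mandatory)] [string] $Subject,
        [Parameter(Mandatory)] [string] $Audience
    )
    # Ordinal comparison: a trailing slash on the issuer or a different branch
    # in the subject is a hard rejection, not a near miss.
    $expected = @{ iss = $Issuer; sub = $Subject; aud = $Audience }
    foreach ($claim in 'iss', 'sub', 'aud') {
        if (-not [string]::Equals([string]$Claims[$claim], $expected[$claim], [StringComparison]::Ordinal)) {
            return "mismatch on '$claim': token has '$($Claims[$claim])', credential expects '$($expected[$claim])'"
        }
    }
    return 'match'
}
# Constructed claim set shaped like a GitHub Actions OIDC token payload
$tokenClaims = @{
    iss = 'https://token.actions.githubusercontent.com'
    aud = 'api://AzureADTokenExchange'
    sub = 'repo:myorgltd/myrepo:ref:refs/heads/main'
}
$mainSubject = New-GitHubFederationSubject -Organization 'myorgltd' -Repository 'myrepo'
Test-FederatedCredentialMatch -Claims $tokenClaims -Issuer $tokenClaims.iss -Subject $mainSubject -Audience $tokenClaims.aud
# Same token against a credential scoped to another branch, then one with a trailing slash on the issuer
Test-FederatedCredentialMatch -Claims $tokenClaims -Issuer $tokenClaims.iss -Subject "$mainSubject-old" -Audience $tokenClaims.aud
Test-FederatedCredentialMatch -Claims $tokenClaims -Issuer "$($tokenClaims.iss)/" -Subject $mainSubject -Audience $tokenClaims.aud
```

The first call returns `match`; the other two return the mismatch string naming the claim that failed, which is the same outcome the script's credential produces when the workflow runs from a branch other than `$branchName`.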
```yaml
name: 'Federated identity test'
on:
  push:
    branches:
      - main
# id-token: write is what lets the job request an OIDC token from GitHub
permissions:
  id-token: write
  contents: read
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@main
      - name: azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
```