Created August 24, 2022 11:58
Adding Azure AD and github federated credentials
```powershell
# creates an app registration in Azure AD and connects it with a GitHub repo
# use as an example only
#Requires -Modules Az.Resources
param (
    # $teamName and $gitHubRepoName are used below but were missing from the
    # parameter block as extracted; restored here as mandatory parameters
    [Parameter(Mandatory)] [string] $teamName,
    [Parameter(Mandatory)] [string] $gitHubRepoName,
    $branchName = "main",
    $organization = "myorgltd",
    $appRegistrationName = "gh-$teamName-action-sp",
    $appRegistrationDescription = "Used by $teamName for enabling GitHub Actions with Azure AD OIDC authentication",
    $audience = "api://AzureADTokenExchange",
    # GitHub's OIDC token issuer (the URL was dropped in extraction)
    $ghIssuer = "https://token.actions.githubusercontent.com",
    $federationName = "action-$gitHubRepoName",
    # subject claim must match the token GitHub issues for this repo and branch exactly
    $federationSubject = "repo:$($organization)/$($gitHubRepoName):ref:refs/heads/$($branchName)"
)

# check if app exists
$GhAdApp = $null
$GhAdApp = Get-AzADApplication -DisplayName $appRegistrationName
if ($GhAdApp) {
    Write-Output "App registration already exists. Adding new credential for specified repo $gitHubRepoName"
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
        -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
        -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}
else {
    # app does not exist yet
    Write-Output "adding new app registration for $teamName with credentials for $gitHubRepoName"
    $GhAdApp = New-AzADApplication -DisplayName $appRegistrationName -Description $appRegistrationDescription
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
        -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
        -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}

# report the application name and object id (the client id is on the same object as AppId)
$credentialObject = [PSCustomObject]@{
    ApplicationName     = "$($GhAdApp.DisplayName)"
    ApplicationObjectId = "$($GhAdApp.Id)"
}
Write-Output $credentialObject | ConvertTo-Json
```
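Because Azure AD matches the federated credential's subject claim literally, the value of this setup depends on every credential on the app registration being one you intended. The following is an added example, not code from the gist: it builds the subject strings GitHub issues for the different trigger kinds and audits a set of federated credentials against an allow-list, flagging an unexpected issuer, audience or subject. The sample credential objects are constructed so the check runs offline; the commented live variant assumes `Connect-AzAccount` has been run and uses a placeholder team name in the gist's naming pattern.

```powershell
# Added example (not part of the original gist): audit the federated credentials on an
# Azure AD app registration against an allow-list of GitHub OIDC subject claims.
# Assumptions: Az.Resources is available for the live case; the sample objects below are constructed.

function New-GitHubOidcSubject {
    # Builds the subject claim GitHub issues for a trigger. Azure AD compares it literally,
    # so a branch-scoped subject does not cover tags, environments or pull requests.
    param(
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $Repository,
        [ValidateSet('Branch', 'Tag', 'Environment', 'PullRequest')] [string] $Kind = 'Branch',
        [string] $Value = 'main'
    )
    $repo = "repo:$Organization/$Repository"
    switch ($Kind) {
        'Branch'      { "${repo}:ref:refs/heads/$Value" }
        'Tag'         { "${repo}:ref:refs/tags/$Value" }
        'Environment' { "${repo}:environment:$Value" }
        'PullRequest' { "${repo}:pull_request" }
    }
}

function Test-FederatedCredentialPolicy {
    # Emits one row per credential; Status is REVIEW when issuer, audience or subject is unexpected.
    param(
        [Parameter(Mandatory)] [object[]] $FederatedCredential,   # shape of Get-AzADAppFederatedCredential output
        [Parameter(Mandatory)] [string[]] $AllowedSubject,
        [string] $ExpectedIssuer   = 'https://token.actions.githubusercontent.com',
        [string] $ExpectedAudience = 'api://AzureADTokenExchange'
    )
    foreach ($c in $FederatedCredential) {
        $findings = @()
        if ($c.Issuer -ne $ExpectedIssuer) {
            $findings += "issuer '$($c.Issuer)' is not the GitHub Actions issuer"
        }
        if (@($c.Audience) -notcontains $ExpectedAudience) {
            $findings += "audience '$(@($c.Audience) -join ',')' is unexpected"
        }
        if ($AllowedSubject -notcontains $c.Subject) {
            $findings += "subject '$($c.Subject)' is not in the allow-list"
        }
        $status = if ($findings.Count -eq 0) { 'OK' } else { 'REVIEW' }
        [PSCustomObject]@{
            Name     = $c.Name
            Subject  = $c.Subject
            Status   = $status
            Findings = $findings -join '; '
        }
    }
}

# Allow-list: only pushes to main and the production environment of myrepo may sign in.
$allowed = @(
    (New-GitHubOidcSubject -Organization 'myorgltd' -Repository 'myrepo' -Kind Branch -Value 'main'),
    (New-GitHubOidcSubject -Organization 'myorgltd' -Repository 'myrepo' -Kind Environment -Value 'production')
)

# Constructed sample credentials (not real data), shaped like Get-AzADAppFederatedCredential output.
$sample = @(
    [PSCustomObject]@{ Name = 'action-myrepo'; Issuer = 'https://token.actions.githubusercontent.com'
                       Audience = @('api://AzureADTokenExchange'); Subject = 'repo:myorgltd/myrepo:ref:refs/heads/main' }
    [PSCustomObject]@{ Name = 'action-other-org'; Issuer = 'https://token.actions.githubusercontent.com'
                       Audience = @('api://AzureADTokenExchange'); Subject = 'repo:someone-else/myrepo:ref:refs/heads/main' }
    [PSCustomObject]@{ Name = 'action-pr'; Issuer = 'https://token.actions.githubusercontent.com'
                       Audience = @('api://AzureADTokenExchange'); Subject = 'repo:myorgltd/myrepo:pull_request' }
)
Test-FederatedCredentialPolicy -FederatedCredential $sample -AllowedSubject $allowed | Format-Table -AutoSize

# Live variant (requires Connect-AzAccount); 'gh-platform-action-sp' follows the gist's naming
# with a placeholder team name:
# $app = Get-AzADApplication -DisplayName 'gh-platform-action-sp'
# Test-FederatedCredentialPolicy -AllowedSubject $allowed `
#     -FederatedCredential (Get-AzADAppFederatedCredential -ApplicationObjectId $app.Id)
```

Run against the sample data, the first credential reports OK, while the one whose subject names a different organization and the pull_request one are marked REVIEW, which is the kind of drift a periodic run over every `gh-*-action-sp` registration would surface.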
```powershell
# add secrets to repo
Import-Module PSSodium
$ghToken = "ghp_<personal-access-token>"   # placeholder; a token with access to the repo's Actions secrets
$headers = @{Authorization = "token " + $ghToken}
$secret = "fb4ca569-c690-4391-96d9-928e7a8fd7ff"
$repoName = "myrepo"
$organization = "myorgltd"
# GitHub REST API base for repositories (the scheme and host were dropped in extraction)
$apiBase = "https://api.github.com/repos"
Invoke-RestMethod -Method Get -Uri "$apiBase/$($organization)/$($repoName)/actions/secrets" -Headers $headers
# secrets must be encrypted with the repo's libsodium public key before upload
$publicKey = (Invoke-RestMethod -Method Get -Uri "$apiBase/$($organization)/$($repoName)/actions/secrets/public-key" -Headers $headers)
$encryptedSecret = ConvertTo-SodiumEncryptedString -Text $secret -PublicKey $($publicKey.key)
$secretBody = @"
{
  "encrypted_value": "$encryptedSecret",
  "key_id": "$($publicKey.key_id)"
}
"@
Invoke-RestMethod -Method Put -Uri "$apiBase/$($organization)/$($repoName)/actions/secrets/AZURE_TENANT_ID" -Headers $headers -Body $secretBody
```
```yaml
name: 'Federated identity test'

on:
  push:
    branches:
      - main

# id-token: write is what lets the job request an OIDC token from GitHub
permissions:
  id-token: write
  contents: read

jobs:
  login:   # job id restored; it was lost in extraction
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@main
      - name: azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true
```