Adding Azure AD and github federated credentials

create-adappgithub.ps1

# creates an appregistration in Azure AD and connects it with a github repo
# use as an example only

[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $gitHubRepoName,
    [Parameter(Mandatory)]
    [string]
    $teamName,
    [Parameter(Mandatory)]
    [string]
    $branchName = "main"
)

$organization = "myorgltd"
$appRegistrationName = "gh-$teamName-action-sp"
$appRegistrationDescription = "Used by $teamName for enabeling GitHub actions with Azure AD OIDC authentication"
$audience = "api://AzureADTokenExchange"
$ghIssuer = "https://token.actions.githubusercontent.com/"
$federationName = "action-$gitHubRepoName"
$federationSubject = "repo:$($organization)/$($gitHubRepoName):ref:refs/heads/$($branchName)"

# check if app exists
$GhAdApp = $null
$GhAdApp = Get-AzADApplication -DisplayName $appRegistrationName

if ($GhAdApp) {
    Write-Output "App registration already exist. Adding new credential for specified repo $gitHubRepoName"
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
    -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
    -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}

# if app does not eist
else {
    Write-Output "adding new app registration for $teamName with credentials for $gitHubRepoName"

    $GhAdApp = New-AzADApplication -DisplayName $appRegistrationName -Description $appRegistrationDescription
    $federatedCred = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
    -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
    -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"
}

$credentialObject = [PSCustomObject]@{
    ApplicationName = "$($GhAdApp.DisplayName)"
    ApplicationObjectId = "$($GhAdApp.Id)"
}

Write-Output $credentialObject | ConvertTo-Json

create-ghsecret.ps1

# add secrets to repo

import-module PSSodium

$ghToken = "ghp_"
$headers = @{Authorization = "token " + $ghToken}

$secret = "fb4ca569-c690-4391-96d9-928e7a8fd7ff"
$repoName = "myrepo"
$organization = "myorgltd"

Invoke-RestMethod -Method get -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets" -Headers $headers


$publicKey = (Invoke-RestMethod -Method get -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets/public-key" -Headers $headers)

$encryptedSecret = ConvertTo-SodiumEncryptedString -Text $secret -PublicKey $($publicKey.key)

$secretBody = @"
{
    "encrypted_value": "$encryptedSecret",
    "key_id": "$($publicKey.key_id)"
}
"@
Invoke-RestMethod -Method Put -Uri "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets/AZURE_TENANT_ID" -Headers $headers -body $secretBody

workflow.yaml

name: 'Federated identity test'
on:
  push:
    branches:
      - main

permissions:
      id-token: write
      contents: read

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@main

      - name: azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true