Adding Azure AD and GitHub federated credentials
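# Creates an app registration in Azure AD (if one does not already exist) and
# adds a GitHub Actions OIDC federated credential bound to one repository
# branch. Use as an example only.
#
# Parameters:
#   gitHubRepoName - repository name (without owner) that will use the credential
#   teamName       - team that owns the app registration; forms its display name
#   branchName     - branch the federated subject is bound to (default "main")
# Output: a JSON object with the app registration display name, object id and
#         client (app) id.
[CmdletBinding()]
param (
    [Parameter(Mandatory)]
    [string]
    $gitHubRepoName,

    [Parameter(Mandatory)]
    [string]
    $teamName,

    # Not Mandatory: PowerShell ignores a default value on a Mandatory parameter,
    # so the "main" default was never applied while the attribute was present.
    [string]
    $branchName = "main"
)

# Stop on any cmdlet error rather than continuing with a null application
# and silently creating nothing.
$ErrorActionPreference = 'Stop'

$organization = "myorgltd"
$appRegistrationName = "gh-$teamName-action-sp"
$appRegistrationDescription = "Used by $teamName for enabeling GitHub actions with Azure AD OIDC authentication"
$audience = "api://AzureADTokenExchange"
# NOTE(review): GitHub's OIDC discovery document reports the issuer without a
# trailing slash; Azure compares the issuer string literally, so confirm this
# value matches the token's `iss` claim exactly before relying on it.
$ghIssuer = "https://token.actions.githubusercontent.com/"
$federationName = "action-$gitHubRepoName"
# The subject must match the token claim exactly: only runs triggered on this
# branch of this repository can exchange a token for this app. Pull requests,
# tags and environments produce a different subject and are rejected.
$federationSubject = "repo:$($organization)/$($gitHubRepoName):ref:refs/heads/$($branchName)"

# Look up by display name. Display names are not unique in Azure AD, so refuse
# to continue when more than one app matches instead of attaching the
# credential to an arbitrary one ($GhAdApp.Id would be an array here).
$GhAdApp = Get-AzADApplication -DisplayName $appRegistrationName
if (@($GhAdApp).Count -gt 1) {
    throw "More than one app registration named '$appRegistrationName' exists; refusing to pick one."
}

if ($GhAdApp) {
    Write-Output "App registration already exist. Adding new credential for specified repo $gitHubRepoName"
}
else {
    Write-Output "adding new app registration for $teamName with credentials for $gitHubRepoName"
    $GhAdApp = New-AzADApplication -DisplayName $appRegistrationName -Description $appRegistrationDescription
}

# The credential is created the same way whether the app is new or existing;
# the returned object is discarded so it does not pollute the script output.
$null = New-AzADAppFederatedCredential -ApplicationObjectId $GhAdApp.Id `
    -Audience $audience -Issuer $ghIssuer -Subject $federationSubject `
    -Name $federationName -Description "Used to authenticate pipeline in $gitHubRepoName"

# ApplicationClientId (AppId) is what the repository needs as AZURE_CLIENT_ID;
# ApplicationObjectId is the object the federated credential is attached to.
$credentialObject = [PSCustomObject]@{
    ApplicationName     = "$($GhAdApp.DisplayName)"
    ApplicationObjectId = "$($GhAdApp.Id)"
    ApplicationClientId = "$($GhAdApp.AppId)"
}
Write-Output $credentialObject | ConvertTo-Json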
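# Adds a repository secret (AZURE_TENANT_ID) to a GitHub repository through the
# REST API. Example only. The value is sealed with the repository's public key
# (libsodium, via PSSodium) before upload, as the GitHub API requires.
Import-Module PSSodium

# Never embed a personal access token in the script: read it from the
# environment so it cannot be committed or leaked through history.
$ghToken = $env:GITHUB_TOKEN
if (-not $ghToken) {
    throw "GITHUB_TOKEN environment variable is not set"
}
$headers = @{ Authorization = "token " + $ghToken }

$secretName   = "AZURE_TENANT_ID"
# Example value; a tenant id is not confidential but is stored as a secret.
$secret       = "fb4ca569-c690-4391-96d9-928e7a8fd7ff"
$repoName     = "myrepo"
$organization = "myorgltd"
$secretsUri   = "https://api.github.com/repos/$($organization)/$($repoName)/actions/secrets"

# List existing secrets for visibility (names only; GitHub never returns values).
Invoke-RestMethod -Method Get -Uri $secretsUri -Headers $headers

# The repository public key; its key_id must be sent back with the sealed value
# so GitHub knows which key to unseal with.
$publicKey = Invoke-RestMethod -Method Get -Uri "$secretsUri/public-key" -Headers $headers
$encryptedSecret = ConvertTo-SodiumEncryptedString -Text $secret -PublicKey $publicKey.key

# Build the body with ConvertTo-Json instead of string interpolation so the
# values are JSON-escaped correctly.
$secretBody = @{
    encrypted_value = $encryptedSecret
    key_id          = $publicKey.key_id
} | ConvertTo-Json

# Without -ContentType a string body is sent as form-encoded; declare JSON.
Invoke-RestMethod -Method Put -Uri "$secretsUri/$secretName" -Headers $headers `
    -Body $secretBody -ContentType 'application/json'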
# Signs in to Azure from GitHub Actions with an OIDC token (no client secret).
# The push-to-main trigger matches the federated subject
# repo:<org>/<repo>:ref:refs/heads/main; other events produce a different
# subject and the exchange is rejected.
name: 'Federated identity test'

on:
  push:
    branches: [main]

# id-token: write lets the job request the OIDC token that Azure exchanges;
# contents: read is the minimum needed for checkout. Nothing else is granted.
permissions:
  id-token: write
  contents: read

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): '@main' follows the action's moving default branch, so
      # the code that runs can change without any change here; a release tag
      # or a full commit SHA pins it.
      - name: checkout
        uses: actions/checkout@main
      - name: azure login
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          allow-no-subscriptions: true