Last active
April 22, 2024 23:05
-
-
Save timheuer/d397bcd418c718801140c688a71caf77 to your computer and use it in GitHub Desktop.
Script to execute the full set of instructions to wire up OIDC to a GitHub repo with Azure identities for an Azure App Service deployment
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| param( | |
| [Parameter(Mandatory = $true, HelpMessage = "Your Azure subscription ID")] | |
| [string]$subscriptionId, | |
| [Parameter(Mandatory = $true, HelpMessage = "The name of the managed identity")] | |
| [string]$managedIdName, | |
| [Parameter(Mandatory = $true, HelpMessage = "The name of the resource group")] | |
| [string]$resourceGroupName, | |
| [Parameter(Mandatory = $true, HelpMessage = "The organization and repo name in org/repo format")] | |
| [string]$repoOrgAndName, | |
| [Parameter(Mandatory = $true, HelpMessage = "The name of the resource")] | |
| [string]$resourceName | |
| ) | |
| # Ask the user if they are using an environment | |
| $usingEnvironment = Read-Host "Are you using an environment? (y/n)" | |
| # Check user's response | |
| if ($usingEnvironment -eq "y") { | |
| # If yes, ask for the environment name | |
| $environmentName = Read-Host "Please enter the environment name" | |
| $repoSubject = "repo:" + $repoOrgAndName + ":environment:" + $environmentName | |
| } else { | |
| # If no, use the default ref | |
| $repoSubject = "repo:" + $repoOrgAndName + ":ref:refs/heads/main" | |
| } | |
| #$repoSubject = "repo:" + $repoOrgAndName + ":ref:refs/heads/main" | |
| $fedCredName = $managedIdName + "-fedcred" | |
| $resourceId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroupName/providers/Microsoft.Web/sites/$resourceName" | |
| Write-Host "Inputs..." -ForegroundColor Green | |
| Write-Host "Subscription ID: " -NoNewLine -ForegroundColor Green | |
| Write-Host $subscriptionId | |
| Write-Host "Managed Identity Name: " -NoNewLine -ForegroundColor Green | |
| Write-Host $managedIdName | |
| Write-Host "Resource Group Name: " -NoNewLine -ForegroundColor Green | |
| Write-Host $resourceGroupName | |
| Write-Host "Repo Subject: " -NoNewLine -ForegroundColor Green | |
| Write-Host $repoSubject | |
| Write-Host "Federated Credential Name: " -NoNewLine -ForegroundColor Green | |
| Write-Host $fedCredName | |
| Write-Host "Resource Name: " -NoNewLine -ForegroundColor Green | |
| Write-Host $resourceName | |
| Write-Host "Resource ID: " -NoNewLine -ForegroundColor Green | |
| Write-Host $resourceId | |
| Write-Host "" | |
| az account set --subscription $subscriptionId | |
| $identityCreate = az identity create --name $managedIdName --resource-group $resourceGroupName | ConvertFrom-Json | |
| Write-Host $identityCreate | |
| Write-Host "" | |
| $clientId = $identityCreate.clientId | |
| $principalId = $identityCreate.principalId | |
| $tenantId = $identityCreate.tenantId | |
| $managedIdObjectId = $principalId | |
| az identity federated-credential create --name $fedCredName --identity-name $managedIdName --resource-group $resourceGroupName --issuer https://token.actions.githubusercontent.com --subject $repoSubject --audiences "api://AzureADTokenExchange" | |
| Write-Host "" | |
| az role assignment create --assignee-object-id $managedIdObjectId --assignee-principal-type "ServicePrincipal" --role "Website Contributor" --scope $resourceId | ConvertFrom-Json | |
| # Write out the values for Client ID, Principal ID, Tenant ID | |
| Write-Host "" | |
| Write-Host "Store these in your GitHub repo secrets..." -ForegroundColor Green | |
| Write-Host "AZURE_CLIENT_ID: $clientId" -ForegroundColor Green | |
| Write-Host "AZURE_TENANT_ID: $tenantId" -ForegroundColor Green | |
| Write-Host "AZURE_SUBSCRIPTION_ID: $subscriptionId" -ForegroundColor Green |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment