| title | description | author | ms.author | ms.topic | ms.service | ms.date | ms.custom |
|---|---|---|---|---|---|---|---|
Authenticate to Azure from GitHub by a managed identity |
Securely authenticate to Azure services from GitHub Actions workflows using Azure Login action with a managed identity configured on a virtual machine. |
MoChilia |
shiyingchen |
reference |
azure |
07/01/2024 |
github-actions-azure, devx-track-azurecli, devx-track-azurepowershell, linux-related-content |
On a virtual machine configured with managed identities in Azure, you can sign in Azure Login action using the managed identity. You don't need to manage credentials, as they aren't accessible to you. There are two types of managed identities for you to choose: system-assigned managed identities or user-assigned managed identities.
In this tutorial, you learn how to:
[!div class="checklist"]
- Create GitHub secrets for system/user-assigned managed identity
- Set up Azure Login for system/user-assigned managed identity in GitHub Actions workflows
Note
Login with managed identity is only supported for self-hosted runners on Azure virtual machines. For other users, please refer to Sign in with OpenID Connect or Sign in with a service principal and secret.
- Create an Azure virtual machine
- Configure managed identity on the Azure virtual machine
- Install required software on the Azure virtual machine
- Configure the Azure virtual machine as a GitHub self-hosted runner
Learn how to securely authenticate to Azure services from GitHub Actions workflows using Azure Login action with system-assigned managed identity that configured on a virtual machine.
-
Open your GitHub repository and go to Settings. :::image type="content" source="media/github-repo-settings.png" alt-text="Select settings tab in GitHub repository.":::
-
Select Security > Secrets and variables > Actions > New repository secret. :::image type="content" source="media/github-repo-secrets.png" alt-text="Select Security > Secrets and variables > Actions.":::
[!NOTE] To enhance workflow security in public repositories, use environment secrets instead of repository secrets. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
-
Create secrets for
AZURE_TENANT_ID, andAZURE_SUBSCRIPTION_ID. Copy these values from your user-assigned managed identity for your GitHub secrets:GitHub secret System-assigned managed identity AZURE_SUBSCRIPTION_ID Subscription ID AZURE_TENANT_ID Directory (tenant) ID [!NOTE] For security reasons, we recommend using GitHub Secrets rather than passing values directly to the workflow.
In this example, you use the system-assigned managed identity to authenticate with Azure with the Azure login action. The example uses GitHub secrets for the subscription-id, and tenant-id values. The self-hosted runner has been labeled self-hosted on GitHub.
name: Run Azure Login with system-assigned managed identity
on: [push]
jobs:
test:
runs-on: [self-hosted] # Specify the label of your self-hosted runner here
steps:
- name: Azure login
uses: azure/login@v2
with:
auth-type: IDENTITY
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# Azure CLI action only supports linux self-hosted runners for now.
# If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
- name: Azure CLI script
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
az account show
# You can write your Azure CLI inline scripts here.
- name: Azure PowerShell script
uses: azure/powershell@v2
with:
azPSVersion: latest
inlineScript: |
Get-AzContext
# You can write your Azure PowerShell inline scripts here.Learn how to securely authenticate to Azure services from GitHub Actions workflows using Azure Login action with user-assigned managed identity that configured on a virtual machine.
-
Open your GitHub repository and go to Settings. :::image type="content" source="media/github-repo-settings.png" alt-text="Select settings tab in GitHub repository.":::
-
Select Security > Secrets and variables > Actions > New repository secret. :::image type="content" source="media/github-repo-secrets.png" alt-text="Select Security > Secrets and variables > Actions.":::
[!NOTE] To enhance workflow security in public repositories, use environment secrets instead of repository secrets. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
-
Create secrets for
AZURE_CLIENT_ID,AZURE_TENANT_ID, andAZURE_SUBSCRIPTION_ID. Copy these values from your user-assigned managed identity for your GitHub secrets:GitHub secret User-assigned managed identity AZURE_CLIENT_ID Client ID AZURE_SUBSCRIPTION_ID Subscription ID AZURE_TENANT_ID Directory (tenant) ID [!NOTE] For security reasons, we recommend using GitHub Secrets rather than passing values directly to the workflow.
In this example, you use the user-assigned managed identity to authenticate with Azure with the Azure login action. The example uses GitHub secrets for the client-id, subscription-id, and tenant-id values. The self-hosted runner has been labeled self-hosted on GitHub.
name: Run Azure Login with user-assigned managed identity
on: [push]
jobs:
test:
runs-on: [self-hosted] # Specify the label of your self-hosted runner here
steps:
- name: Azure login
uses: azure/login@v2
with:
auth-type: IDENTITY
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# Azure CLI action only supports linux self-hosted runners for now.
# If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
- name: Azure CLI script
uses: azure/cli@v2
with:
azcliversion: latest
inlineScript: |
az account show
# You can write your Azure CLI inline scripts here.
- name: Azure PowerShell script
uses: azure/powershell@v2
with:
azPSVersion: latest
inlineScript: |
Get-AzContext
# You can write your Azure PowerShell inline scripts here.