Feature Area
AzPolicyLens PowerShell Modules
Problem Statement
OIDC is preferred as it avoids long-lived credentials. This is a better, more secure approach. We can still keep GitHub secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID.
I used Copilot to rewrite the workflow YAML (and various scripts) to support OIDC authN, but it would be easier if the native solution supported this (rather than having to maintain divergences).
Proposed Solution
The GHA workflow should support the following:
```yaml
permissions:
  id-token: write

env:
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
  ARM_USE_OIDC: true

jobs:
  job_discovery:
    name: Environment Discovery
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: 'Initiation'
        uses: ./.github/actions/templates/initiation
        with:
          variablesPath: '${{ env.variablesPath }}'
      - name: Azure Login via OIDC
        id: azure_login
        uses: azure/login@v2
        with:
          client-id: ${{ env.ARM_CLIENT_ID }}
          tenant-id: ${{ env.ARM_TENANT_ID }}
          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
```
OIDC-required changes
- Enable GitHub OIDC token permission in workflow
  - Added id-token write permission so GitHub Actions can request a federated token.
  - Local: policy-documentation.yml:14
- Replace upstream AZURE_CREDENTIALS secret model with OIDC env model
  - Upstream uses AZURE_CREDENTIALS JSON secret injection.
  - Local uses ARM_CLIENT_ID, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID plus ARM_USE_OIDC true.
  - Local: policy-documentation.yml:25
- Add explicit Azure federated login step
  - Added azure/login v2 with client-id, tenant-id, subscription-id wired from env.
  - Local: policy-documentation.yml:44
- Remove credential-based Azure login from discovery action template
  - Upstream discovery action logs in via Azure/login with creds from AZURE_CREDENTIALS.
  - Local discovery action no longer performs that creds-based login; auth is done in the workflow via OIDC.
  - Local: .github/actions/templates/policyDocDiscovery/action.yml
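The four changes above are one migration, and the easy way to regress it is a workflow or action template that still carries the AZURE_CREDENTIALS JSON secret next to the new OIDC login. The script below is an added example, not code from the AzPolicyLens project: a small lint that checks a workflow file for the OIDC prerequisites listed above (id-token: write present, AZURE_CREDENTIALS gone, azure/login wired with client-id, tenant-id and subscription-id). The two sample workflow files it writes (legacy.yml, oidc.yml) are constructed for the demonstration; the checks are textual, so they are a migration aid rather than a YAML parser.

```shell
#!/usr/bin/env bash
# Added example (not part of the AzPolicyLens project): lint a GitHub Actions
# workflow for the OIDC prerequisites described in the issue.
set -eu

# Returns 0 when the workflow at $1 is OIDC-ready, 1 otherwise, printing one
# line per finding. Pattern-based: it does not parse YAML structure.
check_oidc_workflow() {
  file="$1"
  rc=0
  # 1. The job must be allowed to request a federated token from GitHub.
  if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$file"; then
    echo "$file: missing 'id-token: write' permission"; rc=1
  fi
  # 2. The long-lived service principal JSON secret must no longer be referenced.
  if grep -q 'AZURE_CREDENTIALS' "$file"; then
    echo "$file: still references AZURE_CREDENTIALS (long-lived secret)"; rc=1
  fi
  # 3. azure/login must be present and wired with the three federated inputs.
  if grep -Eiq 'uses:[[:space:]]*azure/login@' "$file"; then
    for key in client-id tenant-id subscription-id; do
      if ! grep -Eq "^[[:space:]]*$key:" "$file"; then
        echo "$file: azure/login step lacks '$key'"; rc=1
      fi
    done
  else
    echo "$file: no azure/login step found"; rc=1
  fi
  return $rc
}

# Writes two constructed sample workflows into a temp dir and prints its path.
write_samples() {
  dir=$(mktemp -d)
  # Constructed sample: upstream-style login with the AZURE_CREDENTIALS secret.
  cat > "$dir/legacy.yml" <<'EOF'
name: policy-documentation
jobs:
  job_discovery:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
EOF
  # Constructed sample: the OIDC shape proposed in the issue.
  cat > "$dir/oidc.yml" <<'EOF'
name: policy-documentation
permissions:
  id-token: write
env:
  ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
  ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
jobs:
  job_discovery:
    runs-on: ubuntu-latest
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ env.ARM_CLIENT_ID }}
          tenant-id: ${{ env.ARM_TENANT_ID }}
          subscription-id: ${{ env.ARM_SUBSCRIPTION_ID }}
EOF
  echo "$dir"
}

# Stand-alone run: lint both constructed samples.
dir=$(write_samples)
for f in "$dir/oidc.yml" "$dir/legacy.yml"; do
  if check_oidc_workflow "$f"; then
    echo "$f: OIDC-ready"
  else
    echo "$f: NOT OIDC-ready"
  fi
done
```

Run it against .github/workflows/policy-documentation.yml and the composite action.yml files under .github/actions/templates to confirm no template still injects AZURE_CREDENTIALS after the login step moves into the workflow.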
Example action.yaml file: action.yml
Alternatives Considered
No response
Breaking Change
Not sure
Additional Context
No response