When setting the environment attribute to 'AzureUSGovernment', the following non-terminating error is thrown in the Login step:
Error: undefined. Please make sure to give write permissions to id-token in the workflow.
Despite this error being thrown, any Login step that does not set the enable-AzPSSession attribute will complete successfully. That said, any Login step that DOES set the enable-AzPSSession attribute to true will fail with the following error:
"Error": "AADSTS900382: Confidential Client is not supported in Cross Cloud request
I have created a workflow with a matrix of steps to test both Gov and Public clouds with and without PS enabled. Switching the federated credentials Entity Type between 'Pull Request' and 'Environment' does not change the outcome.
Screenshot of error below:
Workflow Code:
```yaml
name: Test Azure Login with OIDC

on:
  pull_request:
    branches: [ "main" ]
  workflow_dispatch:

permissions:
  id-token: write   # required so the runner can request a GitHub OIDC token
  contents: read

jobs:
  # Government cloud: az CLI only (no Az PowerShell session)
  test-login-no-ps-ubuntu:
    runs-on: ubuntu-latest
    environment: Azure-Gov-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
      - name: 'Get resource group with az cli action'
        run: az group list

  # Government cloud: az CLI plus Az PowerShell session
  test-login-ps-ubuntu:
    runs-on: ubuntu-latest
    environment: Azure-Gov-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          enable-AzPSSession: true
      - name: 'Get resource group with PowerShell action'
        uses: azure/powershell@v1
        with:
          inlineScript: Get-AzResourceGroup
          azPSVersion: "latest"

  test-login-no-ps-win:
    runs-on: windows-latest
    environment: Azure-Gov-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
      - name: 'Get resource group with az cli action'
        run: az group list

  test-login-ps-win:
    runs-on: windows-latest
    environment: Azure-Gov-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          enable-AzPSSession: true
      - name: 'Get resource group with PowerShell action'
        uses: azure/powershell@v1
        with:
          inlineScript: Get-AzResourceGroup
          azPSVersion: "latest"

  # Public cloud below (no `environment:` input, so azure/login defaults to AzureCloud)
  test-login-no-ps-ubuntu-public:
    runs-on: ubuntu-latest
    environment: Azure-Public-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: 'Get resource group with az cli action'
        run: az group list

  test-login-ps-ubuntu-public:
    runs-on: ubuntu-latest
    environment: Azure-Public-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true
      - name: 'Get resource group with PowerShell action'
        uses: azure/powershell@v1
        with:
          inlineScript: Get-AzResourceGroup
          azPSVersion: "latest"

  test-login-no-ps-win-public:
    runs-on: windows-latest
    environment: Azure-Public-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: 'Get resource group with az cli action'
        run: az group list

  test-login-ps-win-public:
    runs-on: windows-latest
    environment: Azure-Public-Dev
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          enable-AzPSSession: true
      - name: 'Get resource group with PowerShell action'
        uses: azure/powershell@v1
        with:
          inlineScript: Get-AzResourceGroup
          azPSVersion: "latest"
```
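As an added example, not code from the original issue or from the azure/login project: the two federated-credential entity types the reporter switched between ('Pull Request' and 'Environment') correspond to two different `sub` claim formats in the GitHub OIDC token, and Entra ID will only exchange a token whose `sub` and `aud` match a configured federated credential exactly. The snippet below decodes a runner token's claims (without verifying the signature, which is the identity provider's job during the exchange) and reports which credential it would satisfy. The repository name `example-org/example-repo` is an assumption for illustration; the environment name `Azure-Gov-Dev` is taken from the workflow above, and `api://AzureADTokenExchange` is the audience azure/login requests by default.

```python
import base64
import json
from typing import Optional

# Assumption: the issue never names the repository, so a placeholder is used.
REPO = "example-org/example-repo"
# Default audience that azure/login asks the runner's OIDC provider for.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

# Subject strings Entra ID expects for each GitHub entity type (from GitHub's
# OIDC documentation). The keys are the entity types the issue tested.
FEDERATED_CREDENTIALS = {
    "Pull Request": f"repo:{REPO}:pull_request",
    "Environment": f"repo:{REPO}:environment:Azure-Gov-Dev",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    """Return a compact JWS payload WITHOUT signature verification.

    Only for inspecting what the runner minted. Entra ID validates the signature
    against GitHub's JWKS when the token is exchanged; this helper must never be
    used as an authorization decision on its own.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _as_list(value) -> list:
    # 'aud' may be a string or a list of strings per RFC 7519.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matching_credential(claims: dict) -> Optional[str]:
    """Name the federated credential the token satisfies, or None.

    Both audience and subject must match; Entra ID compares the subject as an
    exact string, so 'repo:...:ref:refs/heads/main' does not satisfy either
    credential above even though it comes from the same repository.
    """
    if EXPECTED_AUDIENCE not in _as_list(claims.get("aud")):
        return None
    subject = claims.get("sub")
    for name, expected_subject in FEDERATED_CREDENTIALS.items():
        if subject == expected_subject:
            return name
    return None


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed token with an empty signature for offline testing.

    Real runner tokens are RS256-signed; this constructed form is only here so the
    decoding and matching logic can be exercised without network access.
    """
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


# Constructed sample tokens modelled on the claims a runner would present.
SAMPLE_TOKENS = {
    "pull_request job, no environment": make_unsigned_token(
        {"sub": f"repo:{REPO}:pull_request", "aud": EXPECTED_AUDIENCE}
    ),
    "job with environment: Azure-Gov-Dev": make_unsigned_token(
        {"sub": f"repo:{REPO}:environment:Azure-Gov-Dev", "aud": [EXPECTED_AUDIENCE]}
    ),
    "push to main, no environment": make_unsigned_token(
        {"sub": f"repo:{REPO}:ref:refs/heads/main", "aud": EXPECTED_AUDIENCE}
    ),
    "token requested for another audience": make_unsigned_token(
        {"sub": f"repo:{REPO}:pull_request", "aud": "sts.amazonaws.com"}
    ),
}


def classify_samples() -> dict:
    """Map each sample description to the credential it would match (or None)."""
    return {label: matching_credential(decode_claims(tok)) for label, tok in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for label, result in classify_samples().items():
        print(f"{label}: {result or 'no matching federated credential'}")
```

Because every job in the posted workflow sets `environment:`, GitHub's OIDC documentation says the runner token's subject takes the `repo:OWNER/REPO:environment:NAME` form, so only the 'Environment' entity type can match those jobs, whichever cloud they target. The subject and audience checks shown here are independent of which cloud authority the token is then exchanged against, which is why switching entity types did not change the cross-cloud behaviour the issue reports.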
Hello @devopsjesus, thanks for raising the issue. OIDC login is not supported for Government clouds as of now. However, you can go ahead with creating an SPN with the rbac command as given in the readme.