Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add ability to use the Azure CLI as a service principal, so that it can be used with GitHub OIDC #16856

Closed
1 task done
OmpahDev opened this issue May 18, 2022 · 2 comments
Closed
1 task done

Add ability to use the Azure CLI as a service principal, so that it can be used with GitHub OIDC #16856

OmpahDev opened this issue May 18, 2022 · 2 comments

Comments

@OmpahDev
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm trying to use GitHub Actions to run Terragrunt to deploy Azure resources.

For security reasons, I'm trying to implement a solution that does not require any sensitive secrets or certificates to be stored in GitHub as variables, so we implemented OIDC login for GitHub (see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services) to authenticate to Azure directly as a service principal.

However, with this approach, using Terraform is impossible, because azurerm fails with the error:
"│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal)."

When I follow the documentation, it seems that azurerm only supports using Service Principals if you're using client certificates or client secrets... but the whole point of using OIDC is to avoid using those in the first place!

This is a pretty big limitation as it effectively means that GitHub-Azure OIDC cannot be used with Terraform.

New or Affected Resource(s)/Data Source(s)

N/A (all)

Potential Terraform Configuration

No response

References

No response
@OmpahDev
Copy link
Author

Oops. I was searching for "GitHub" when looking over existing issues instead of "OIDC" and didn't realize there is in fact an open PR for this one right now.

#16555

@github-actions
Copy link

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 18, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@OmpahDev