The goal of this repository is demostrate how to use GitHub Actions' OpenID Connect support (https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure) and Azure DevOp's upcoming Managed Service Identity support (no link yet) to be able to securely authenticate to Azure DevOps without any secrets.

The gist of it is:

Create a service principal with a GitHub federated credential. In this example, Actions running in my repo on the main branch can impersonate this service principal.
Carefully, give this service principal access to resources in AzDO.
In Actions, add id-token: write (see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure#adding-permissions-settings)
In Actions, use azure/login@v1 to login as the service principal.
In Actions, run az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 | jq -r .accessToken to get an access token. That GUID is "Azure DevOps".
This access token can be used anywhere Bearer or Basic auth is accepeted (i.e. anywhere a PAT is accepted). See the CI for examples

Provide feedback

Saved searches