I’ve set up Workload identity federation. Basically like this:
```bicep
// Microsoft Graph Bicep extension; the extension identifier depends on the Bicep version in use.
extension microsoftGraphV1

// Subject claim the GitHub Actions token must carry, e.g. 'repo:<org>/<repo>:ref:refs/heads/main'.
// Declared here because it is referenced below.
param GitHubActionsFederatedIdentitySubject string

var applicationRegistrationDisplayName = 'GitHub Actions Application Deployer.'
var githubOIDCProvider = 'https://token.actions.githubusercontent.com'
var microsoftEntraAudience = 'api://AzureADTokenExchange'
var applicationRegistrationName = 'app-deployer'

// App registration that GitHub Actions signs in to via OIDC token exchange.
resource GithubActionsApplication 'Microsoft.Graph/applications@v1.0' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationDisplayName

  // Federated identity credential: trust tokens from GitHub's issuer for one subject.
  resource githubFederatedIdentityCredential 'federatedIdentityCredentials@v1.0' = {
    name: '${GithubActionsApplication.uniqueName}/githubFederatedIdentityCredential'
    audiences: [microsoftEntraAudience]
    description: 'Identity for application to deploy the root infrastructure.'
    issuer: githubOIDCProvider
    subject: GitHubActionsFederatedIdentitySubject
  }
}

// Service principal (enterprise application) for the app registration above.
resource githubActionsServicePrincipal 'Microsoft.Graph/servicePrincipals@v1.0' = {
  displayName: applicationRegistrationDisplayName
  appId: GithubActionsApplication.appId
}
```
Then I added the "Managed Identity Federated Credentials from GitHub should be from trusted repository owners" Azure built-in policy definition, since I was thinking I should restrict the allowed repositories across any possible federated identity trying to connect.
I'm however unsure now what should be put into the allowedRepoOwners array. So, here are the questions in my mind:
- If I have an organization like https://github.com/<organizationX>, should I add there https://github.com/<organizationX> or maybe organizationX?
- Would this one addition at, e.g., some management group level be enough to limit all repositories underneath this owner? E.g. repositories in https://github.com/<organizationX>/<RepoA>, https://github.com/<organizationX>/<RepoB>?
It has occurred to me to just try it out, but I'm also thinking about how to read definitions like this to pull out information like this. Then also that maybe there is a chance to improve the documentation a bit, but I don't know where to do that.
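The question of what an "owner" is comes down to the structure of the GitHub Actions OIDC subject claim, which GitHub documents as `repo:<owner>/<repo>:<qualifier>` (for example `repo:octo-org/octo-repo:ref:refs/heads/main`, `repo:octo-org/octo-repo:environment:Production` or `repo:octo-org/octo-repo:pull_request`). The following is an added example, not code from the post above and not the Azure policy's own rule (the post does not show that rule, so it is an assumption here that the policy compares the owner segment of the subject against allowedRepoOwners). It parses subjects, matches the owner as an exact path segment rather than a string prefix, checks the issuer, and audits a constructed list of federated credentials against an owner allowlist; the credential names and subjects in it are invented sample data.

```python
"""Check GitHub Actions OIDC federated-credential subjects against an owner allowlist.

Added illustration: assumes owner matching works on the '<owner>' segment of the
subject claim 'repo:<owner>/<repo>:<qualifier>'. Not the Azure built-in policy's code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Issuer used by GitHub Actions tokens (same value as githubOIDCProvider in the Bicep above).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Owner and repo segments cannot contain '/' or ':'; everything after the repo is the qualifier
# (ref:refs/heads/main, environment:Production, pull_request, ...).
_SUBJECT_RE = re.compile(r"^repo:(?P<owner>[^/:]+)/(?P<repo>[^/:]+):(?P<qualifier>.+)$")


@dataclass(frozen=True)
class GitHubSubject:
    owner: str
    repo: str
    qualifier: str


def parse_subject(subject: str) -> Optional[GitHubSubject]:
    """Split a GitHub Actions subject claim into owner, repo and qualifier; None if malformed."""
    m = _SUBJECT_RE.match(subject)
    if m is None:
        return None
    return GitHubSubject(m["owner"], m["repo"], m["qualifier"])


def is_trusted_credential(issuer: str, subject: str, allowed_owners: Iterable[str]) -> bool:
    """True only if the issuer is GitHub's and the subject's owner segment is in the allowlist.

    Matching is on the whole segment, so 'organizationX-evil' is not accepted for
    'organizationX', and it is case-insensitive because GitHub logins are.
    A full URL such as 'https://github.com/organizationX' never equals a bare
    segment, so an allowlist written that way matches nothing here.
    """
    if issuer != GITHUB_ISSUER:
        return False
    parsed = parse_subject(subject)
    if parsed is None:
        return False
    allowed = {o.strip().lower() for o in allowed_owners}
    return parsed.owner.lower() in allowed


@dataclass(frozen=True)
class FederatedCredential:
    name: str
    issuer: str
    subject: str


def audit_credentials(creds: Iterable[FederatedCredential], allowed_owners: Iterable[str]) -> List[str]:
    """Return the names of credentials that would be flagged under the owner allowlist."""
    owners = list(allowed_owners)
    return [c.name for c in creds if not is_trusted_credential(c.issuer, c.subject, owners)]


# Constructed sample inventory (invented names and subjects, not real tenant data).
SAMPLE_CREDENTIALS = [
    FederatedCredential("repoA-main", GITHUB_ISSUER, "repo:organizationX/RepoA:ref:refs/heads/main"),
    FederatedCredential("repoB-prod", GITHUB_ISSUER, "repo:organizationX/RepoB:environment:Production"),
    FederatedCredential("lookalike", GITHUB_ISSUER, "repo:organizationX-evil/RepoA:ref:refs/heads/main"),
    FederatedCredential("other-issuer", "https://issuer.example", "repo:organizationX/RepoA:pull_request"),
]

if __name__ == "__main__":
    for name in audit_credentials(SAMPLE_CREDENTIALS, ["organizationX"]):
        print("non-compliant:", name)
```

Run it as-is to see the lookalike owner and the foreign issuer flagged while both repositories under organizationX pass; swap the allowlist for ["https://github.com/organizationX"] and every credential is flagged, which is the difference between the two spellings in the question under the segment-matching assumption.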