Add support of workload identity based authorization

Open KernelPryanic opened this issue 3 years ago • 6 comments

Hello! We're using self-hosted GitHub runners and it would be really nice to have OIDC utilizing the configured workload identity on the runner pod.

KernelPryanic avatar Jan 26 '23 11:01 KernelPryanic

This issue is idle because it has been open for 14 days with no activity.

github-actions[bot] avatar Feb 15 '23 12:02 github-actions[bot]

Hi @KernelPryanic,

We don't have a plan to support AKS pod-identity or workload-identity right now. Could you share more details about your workflow settings with us, to help us understand your situation better? E.g., the reason to choose AKS instead of normal VMs, how you use AKS to run GitHub Action in your daily work, etc. Thanks.

YanaXu avatar May 31 '23 10:05 YanaXu

Currently, azure-cli does not seem to support it directly: https://github.com/Azure/azure-cli/issues/26858

They mention a workaround:

az login --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID

BenjaminHerbert avatar Jul 17 '23 14:07 BenjaminHerbert
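
A preflight check for the `az login --federated-token` workaround quoted above, as an added example that is not part of this thread or of azure-cli: it confirms that the three variables the command reads are set and that the projected token has not expired before `az` is called. The function names are hypothetical, and the token's signature is not verified.

```shell
#!/bin/sh
# Added example (hypothetical helper names): preflight checks for the
# `az login --federated-token` workaround. The token signature is NOT
# verified here; this only catches missing settings and expired tokens.

# Decode one base64url JWT segment (URL-safe alphabet, padding stripped).
b64url_decode() {
  _wi_s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#_wi_s} % 4 )) in
    2) _wi_s="${_wi_s}==" ;;
    3) _wi_s="${_wi_s}=" ;;
  esac
  printf '%s' "$_wi_s" | base64 -d
}

# Print the numeric "exp" claim of a JWT. Uses sed on compact JSON, not a
# JSON parser, so it assumes a single top-level "exp" field.
jwt_exp() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" 2>/dev/null |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if login can be attempted; 2-5 identify the failed check.
# $1 (optional) overrides "now" in epoch seconds.
wi_preflight() {
  _wi_now=${1:-$(date +%s)}
  [ -n "${AZURE_CLIENT_ID:-}" ] || { echo "AZURE_CLIENT_ID is not set" >&2; return 2; }
  [ -n "${AZURE_TENANT_ID:-}" ] || { echo "AZURE_TENANT_ID is not set" >&2; return 2; }
  [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ] ||
    { echo "AZURE_FEDERATED_TOKEN_FILE is not set" >&2; return 2; }
  [ -r "$AZURE_FEDERATED_TOKEN_FILE" ] ||
    { echo "token file is not readable" >&2; return 3; }
  _wi_exp=$(jwt_exp "$(cat "$AZURE_FEDERATED_TOKEN_FILE")")
  [ -n "$_wi_exp" ] || { echo "token has no exp claim" >&2; return 4; }
  [ "$_wi_exp" -gt "$_wi_now" ] || { echo "token is expired" >&2; return 5; }
}

# Run the workaround only when the preflight passes.
wi_login() {
  wi_preflight || return $?
  az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
    --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")"
}
```

Source the file in the job step and call `wi_login`; a non-zero return code identifies which check failed.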

@BenjaminHerbert Thanks. Yes, you're right. It's not supported yet.

YanaXu avatar Jul 18 '23 01:07 YanaXu

How to get this azure_federate_token_file for the shell script task in Azure DevOps? I need to get this value using the federated service connection details.

Veljen avatar Mar 11 '24 21:03 Veljen