Update README.md (#173 )

2026-03-15 09:20:56 -04:00 · 2021-11-17 12:55:25 +05:30
6 changed files with 67 additions and 94 deletions
--- a/README.md
+++ b/README.md
@@ -23,9 +23,11 @@ With the [Azure Login](https://github.com/Azure/login/blob/master/action.yml) Ac

 Note: 
   - Ensure the CLI version is 2.30 or above to use OIDC support.
-   - OIDC support in Azure is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
+   - OIDC support in Azure is in Public Preview and is supported only for public clouds. Support for other clouds like Government clouds, Azure Stacks would be added soon. 
+   - GitHub runners will soon be updating the with the Az CLI and PowerShell versions that support with OIDC. Hence the below sample workflows include explicit instructions to download the same during workflow execution. 
   - By default, Azure access tokens issued during OIDC based login could have limited validity. This expiration time is configurable in Azure.

+
 ## Sample workflow that uses Azure login action to run az cli

 ```yaml
@@ -207,23 +209,16 @@ Follow the steps to configure Azure Service Principal with a secret:

  # The command should output a JSON object similar to this:

- 
  {
    "clientId": "<GUID>",
-    "clientSecret": "<STRING>",
+    "clientSecret": "<GUID>",
    "subscriptionId": "<GUID>",
    "tenantId": "<GUID>",
-    "resourceManagerEndpointUrl": "<URL>"
    (...)
  }
  
 ```
  * Now in the workflow file in your branch: `.github/workflows/workflow.yml` replace the secret in Azure login action with your secret (Refer to the example above)
-  * Note: The above `az ad sp create-for-rbac` command will give you the `--sdk-auth` deprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this `--sdk-auth` flag as the result dictionary output changes and not accepted by login action if `--sdk-auth` is not used.
-
-### Manually creating the Credentials object
-
-If you already created and assigned a Service Principal in Azure you can manually create the .json object above by finding the `clientId` and `clientSecret` on the Service Principal, and your `subscriptionId` and `tenantId` of the subscription and tenant respectively. The `resourceManagerEndpointUrl` will be `https://management.azure.com/` if you are using the public Azure cloud.

 ### Configure a service principal with a Federated Credential to use OIDC based authentication:

@@ -231,16 +226,13 @@ If you already created and assigned a Service Principal in Azure you can manuall
 You can add federated credentials in the Azure portal or with the Microsoft Graph REST API.

 #### Azure portal
-1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in Azure Portal
-2. Within the registered application, Go to **Certificates & secrets**.  
-3. In the **Federated credentials** tab, select **Add credential**.  
-4. The **Add a credential** blade opens.
-5. In the **Federated credential scenario** box select **GitHub actions deploying Azure resources**.
-6. Specify the **Organization** and **Repository** for your GitHub Actions workflow which needs to access the Azure resources scoped by this App (Service Principal) 
-7. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims). 
-8. Add a **Name** for the federated credential.
-9. Click **Add** to configure the federated credential.
-10. Make sure the above created application has the `contributor` access to the provided subscription. Visit [role-based-access-control](https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current#prerequisites) for more details.
+1. Go to **Certificates and secrets**.  In the **Federated credentials** tab, select **Add credential**.  
+1. The **Add a credential** blade opens.
+1. In the **Federated credential scenario** box select **GitHub actions deploying Azure resources**.
+1. Specify the **Organization** and **Repository** for your GitHub Actions workflow which needs to access the Azure resources scoped by this App (Service Principal) 
+1. For **Entity type**, select **Environment**, **Branch**, **Pull request**, or **Tag** and specify the value, based on how you have configured the trigger for your GitHub workflow. For a more detailed overview, see [GitHub OIDC guidance]( https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-[…]dc-claims). 
+1. Add a **Name** for the federated credential.
+1. Click **Add** to configure the federated credential.

 For a more detailed overview, see more guidance around [Azure Federated Credentials](https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation-create-trust-github). 

@@ -252,19 +244,19 @@ For a more detailed overview, see more guidance around [Azure Federated Credenti
    Run the following command to [create a new federated identity credential](https://docs.microsoft.com/en-us/graph/api/application-post-federatedidentitycredentials?view=graph-rest-beta&preserve-view=true) on your app (specified by the object ID of the app). Substitute the values `APPLICATION-OBJECT-ID`, `CREDENTIAL-NAME`, `SUBJECT`. The options for subject refer to your request filter. These are the conditions that OpenID Connect uses to determine when to issue an authentication token.  
    * specific environment
        ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:environment:Production","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * pull_request events
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:pull_request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:pull-request","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * specific branch
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Branch}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```
    * specific tag
       ```azurecli
-        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
+        az rest --method POST --uri 'https://graph.microsoft.com/beta/applications/<APPLICATION-OBJECT-ID>/federatedIdentityCredentials' --body '{"name":"<CREDENTIAL-NAME>","issuer":"https://token.actions.githubusercontent.com/","subject":"repo:octo-org/octo-repo:ref:refs/heads/{Tag}","description":"Testing","audiences":["api://AzureADTokenExchange"]}' 
        ```

 ## Support for using `allow-no-subscriptions` flag with az login
@@ -296,6 +288,7 @@ This action doesn't implement ```az logout``` by default at the end of execution
 - name: Azure CLI script
  uses: azure/CLI@v1
  with:
+    azcliversion: 2.0.72
    inlineScript: |
      az logout
      az cache purge
--- a/action.yml
+++ b/action.yml
@@ -34,5 +34,5 @@ branding:
  icon: 'login.svg'
  color: 'blue'
 runs:
-  using: 'node16'
+  using: 'node12'
  main: 'lib/main.js'
--- a/lib/PowerShell/Constants.js
+++ b/lib/PowerShell/Constants.js
@@ -5,7 +5,7 @@ class Constants {
 exports.default = Constants;
 Constants.prefix = "az_";
 Constants.moduleName = "Az.Accounts";
-Constants.versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
+Constants.versionPattern = /[0-9]\.[0-9]\.[0-9]/;
 Constants.AzureCloud = "AzureCloud";
 Constants.Subscription = "Subscription";
 Constants.ServicePrincipal = "ServicePrincipal";
--- a/lib/main.js
+++ b/lib/main.js
@@ -1,14 +1,14 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function (o, m, k, k2) {
    if (k2 === undefined) k2 = k;
-    Object.defineProperty(o, k2, { enumerable: true, get: function() { return m[k]; } });
-}) : (function(o, m, k, k2) {
+    Object.defineProperty(o, k2, { enumerable: true, get: function () { return m[k]; } });
+}) : (function (o, m, k, k2) {
    if (k2 === undefined) k2 = k;
    o[k2] = m[k];
 }));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function (o, v) {
    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
+}) : function (o, v) {
    o["default"] = v;
 });
 var __importStar = (this && this.__importStar) || function (mod) {
@@ -40,20 +40,22 @@ function main() {
    return __awaiter(this, void 0, void 0, function* () {
        try {
            //Options for error handling
+            let commandStdErr = false;
            const loginOptions = {
                silent: true,
+                ignoreReturnCode: true,
+                failOnStdErr: true,
                listeners: {
                    stderr: (data) => {
                        let error = data.toString();
-                        let startsWithWarning = error.toLowerCase().startsWith('warning');
-                        let startsWithError = error.toLowerCase().startsWith('error');
-                        // printing ERROR
-                        if (error && error.trim().length !== 0 && !startsWithWarning) {
-                            if (startsWithError) {
                        //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                        if (error.toLowerCase().startsWith('error')) {
                            error = error.slice(5);
                        }
-                            core.setFailed(error);
+                        // printing error
+                        if (error && error.trim().length !== 0) {
+                            commandStdErr = true;
+                            core.error(error);
                        }
                    }
                }
@@ -132,19 +134,15 @@ function main() {
            // OIDC specific checks
            if (enableOIDC) {
                console.log('Using OIDC authentication...');
-                try {
                //generating ID-token
                let audience = core.getInput('audience', { required: false });
                federatedToken = yield core.getIDToken(audience);
                if (!!federatedToken) {
                    if (environment != "azurecloud")
                        throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                        let [issuer, subjectClaim] = yield jwtParser(federatedToken);
-                        console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
                }
-                }
-                catch (error) {
-                    core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+                else {
+                    throw new Error("Could not get ID token for authentication.");
                }
            }
            // Attempting Az cli login
@@ -190,7 +188,6 @@ function main() {
                commonArgs = commonArgs.concat("--federated-token", federatedToken);
            }
            else {
-                console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");
                commonArgs = commonArgs.concat("-p", servicePrincipalKey);
            }
            yield executeAzCliCommand(`login`, true, loginOptions, commonArgs);
@@ -214,10 +211,10 @@ function main() {
        }
        catch (error) {
            if (!isAzCLISuccess) {
-                core.setFailed(`Az CLI Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows`);
+                core.setFailed("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
            }
            else {
-                core.setFailed(`Azure PowerShell Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+                core.setFailed(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
            }
        }
        finally {
@@ -233,12 +230,4 @@ function executeAzCliCommand(command, silent, execOptions = {}, args = []) {
        yield exec.exec(`"${azPath}" ${command}`, args, execOptions);
    });
 }
-function jwtParser(federatedToken) {
-    return __awaiter(this, void 0, void 0, function* () {
-        let tokenPayload = federatedToken.split('.')[1];
-        let bufferObj = Buffer.from(tokenPayload, "base64");
-        let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-        return [decodedPayload['iss'], decodedPayload['sub']];
-    });
-}
 main();
--- a/src/PowerShell/Constants.ts
+++ b/src/PowerShell/Constants.ts
@@ -1,7 +1,7 @@
 export default class Constants {
    static readonly prefix: string = "az_";
    static readonly moduleName: string = "Az.Accounts";
-    static readonly versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
+    static readonly versionPattern = /[0-9]\.[0-9]\.[0-9]/;

    static readonly AzureCloud: string = "AzureCloud";
    static readonly Subscription: string = "Subscription";
--- a/src/main.ts
+++ b/src/main.ts
@@ -12,20 +12,22 @@ var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREP
 async function main() {
    try {
        //Options for error handling
+        let commandStdErr = false;
        const loginOptions: ExecOptions = {
            silent: true,
+            ignoreReturnCode: true,
+            failOnStdErr: true,
            listeners: {
                stderr: (data: Buffer) => {
                    let error = data.toString();
-                    let startsWithWarning = error.toLowerCase().startsWith('warning');
-                    let startsWithError = error.toLowerCase().startsWith('error');
-                    // printing ERROR
-                    if (error && error.trim().length !== 0 && !startsWithWarning) {
-                        if(startsWithError) {
                    //removing the keyword 'ERROR' to avoid duplicates while throwing error
+                    if (error.toLowerCase().startsWith('error')) {
                        error = error.slice(5);
                    }
-                        core.setFailed(error);
+                    // printing error
+                    if (error && error.trim().length !== 0) {
+                        commandStdErr = true;
+                        core.error(error);
                    }
                }
            }
@@ -110,19 +112,15 @@ async function main() {
        // OIDC specific checks
        if (enableOIDC) {
            console.log('Using OIDC authentication...')
-            try {
            //generating ID-token
            let audience = core.getInput('audience', { required: false });
            federatedToken = await core.getIDToken(audience);
            if (!!federatedToken) {
                if (environment != "azurecloud")
                    throw new Error(`Your current environment - "${environment}" is not supported for OIDC login.`);
-                    let [issuer, subjectClaim] = await jwtParser(federatedToken);
-                    console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
            }
-            }
-            catch (error) {
-                core.error(`${error.message.split(':')[1]}. Please make sure to give write permissions to id-token in the workflow.`);
+            else {
+                throw new Error("Could not get ID token for authentication.");
            }
        }

@@ -174,7 +172,6 @@ async function main() {
            commonArgs = commonArgs.concat("--federated-token", federatedToken);
        }
        else {
-            console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.")
            commonArgs = commonArgs.concat("-p", servicePrincipalKey);
        }
        await executeAzCliCommand(`login`, true, loginOptions, commonArgs);
@@ -209,10 +206,10 @@ async function main() {
    }
    catch (error) {
        if (!isAzCLISuccess) {
-            core.setFailed(`Az CLI Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+            core.setFailed("Az CLI Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows");
        }
        else {
-            core.setFailed(`Azure PowerShell Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
+            core.setFailed(`Azure PowerShell Login failed. Please check the credentials. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows"`);
        }
    }
    finally {
@@ -230,10 +227,4 @@ async function executeAzCliCommand(
    execOptions.silent = !!silent;
    await exec.exec(`"${azPath}" ${command}`, args, execOptions);
 }
-async function jwtParser(federatedToken: string) {
-    let tokenPayload = federatedToken.split('.')[1];
-    let bufferObj = Buffer.from(tokenPayload, "base64");
-    let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
-    return [decodedPayload['iss'], decodedPayload['sub']];
-}
 main();