blog/using-oidc-github-actions-azure-swa/

[giscus[bot]]

blog/using-oidc-github-actions-azure-swa/

Back in November, GitHub announced its OpenID Connect capability for cloud deployments was generally available. This has been on my list to try out, and I finally managed to get around to it! With scenarios like this, I prefer to do something real and hands-on, rather than mocked, or a proof of concept. I decided to refactor my GitHub Action workflows for cloudwithchris.com, removing the need for secrets stored in GitHub. In this post, I outline my journey through this.

https://www.cloudwithchris.com/blog/using-oidc-github-actions-azure-swa/

[chrisreddington]

Want to join in the discussion? You can do that in two ways! You can either authorize the giscus app to post on your behalf using the GitHub OAuth flow. Alternatively, you can comment in GitHub Discussions directly if you'd prefer not to grant access to the giscus app.

Please keep the discussion on topic with the post.

[kkgthb]

You know what's super annoying from an infosec perspective, @chrisreddington , besides the points you made in Conclusion?

That Microsoft also didn't include the Microsoft.Web/staticSites/listSecrets/action operation in the Website Contributor built-in role the way they added Microsoft.Web/sites/* operations to Website Contributor, so you have to give your OIDC service principal that your GitHub Action is using an insanely broad built-in role (or create and maintain a teeny-tiny custom role) to be able to run az staticwebapp secrets list in GitHub Actions.