Create Azure credentials for use in GitHub Actions

Azure Apr 5, 2022

One of the things you can do with GitHub Actions is connect to your Azure subscription.  You can interact with your Azure resources, deploy Azure resources and a lot more.

In order to use GitHub Actions with your Azure subscription you need to create that service connection.  To do that you need to create an Azure Service Principal and store its credentials inside a GitHub Actions secret.

Create the Service Principal

The first step in creating that connection between GitHub Actions and Azure is creating a Service Principal.  You can do that in a few ways.

The quickest and easiest way I've found to create this Service Principal is to use Azure Cloud Shell and issue the command:

New-AzADServicePrincipal -DisplayName "GitHubActionsConnection"

Now that we have the Service Principal created, we need to create a secret (password) that it can log in with.  For this we need to head to the Azure Portal.  Go to

Azure Portal > Azure Active Directory > App Registrations

Azure AD App registrations

Click on "All Applications" and click on your newly created Service Principal.

INSERT SCREENSHOT

Now click on "Certificates & Secrets" and click on "New Client Secret".

New Client Secret

You get the option to set how long this secret will be valid for; please follow your organisation's best practices here.

Permissions

We now need to give this Service Principal rights to either a resource group or subscription.  In this example I am going to set up permissions for this Service Principal over my subscription.

To do that I go into the Azure Portal > Subscriptions and select the subscription.

Now I click on Access Control (IAM) down the left hand side.

Then click on Add to create a new role assignment.

Azure Access Control settings

You'll have the option of assigning a number of permissions to the Service Principal. I am going to assign Contributor permissions here and then select the new Service Principal as a member.

Azure AD IAM Permissions

Once the permissions have been applied, it's time to collect all the information to store it inside GitHub for use within the workflows.

Collect Service Principal information

To store the information inside a GitHub Actions secret it needs to be in JSON format.  We can run this PowerShell script to collect all the information you will need for GitHub, in the form that GitHub needs it.

# Fill in the Service Principal name you created and your Azure subscription name.

$ServicePrincipalName = "GitHubActionsConnection"
$AzSubscriptionName = "Name_of_your_subscription"

# Get-AzSubscription and Get-AzADServicePrincipal come from the Az module, which is already signed in
# inside Azure Cloud Shell (run Connect-AzAccount first if you are running this elsewhere).
# The AzureAD module, used below to create the client secret, needs its own sign-in.
Connect-AzureAD

$Subscription = (Get-AzSubscription -SubscriptionName $AzSubscriptionName)
$ServicePrincipal = Get-AzADServicePrincipal -DisplayName $ServicePrincipalName
# -SearchString can match more than one application; check it returns only the one you created.
$AzureADApplication = Get-AzureADApplication -SearchString $ServicePrincipalName

# New-AzureADApplicationPasswordCredential generates a fresh client secret for the application.
# Its value is returned only this once, and it is separate from any secret created in the portal.
$OutputObject = [PSCustomObject]@{
    clientId = $ServicePrincipal.AppId
    clientSecret = (New-AzureADApplicationPasswordCredential -ObjectId $AzureADApplication.ObjectId).Value
    subscriptionId = $Subscription.Id
    tenantId = $Subscription.TenantId
}

# The output contains the client secret in clear text; copy it straight into the GitHub secret
# and do not leave it sitting in a shell transcript or log.
$OutputObject | ConvertTo-Json
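As an added example (not from the original post), here is a PowerShell check to run before pasting the JSON into GitHub: it confirms the four keys azure/login expects are present and well-formed, then lists every role assignment the Service Principal holds so an over-broad grant (Owner, or Contributor across the whole subscription) is visible before a workflow ever uses it. The function name and its IntendedRole parameter are assumptions of this example; it assumes the Az module is loaded and you are signed in with Connect-AzAccount.

```powershell
# Added example, not from the original post: sanity-check the JSON before pasting it
# into the GitHub secret, then list what the Service Principal can actually do.
# Assumes the Az module is loaded and Connect-AzAccount has already been run.
function Test-GitHubAzureCredentials {
    param(
        [Parameter(Mandatory)] [string] $CredentialsJson,  # output of ConvertTo-Json above
        [string] $IntendedRole = 'Contributor'              # the role you meant to grant
    )

    $creds    = $CredentialsJson | ConvertFrom-Json
    $required = 'clientId', 'clientSecret', 'subscriptionId', 'tenantId'
    $present  = @($creds.PSObject.Properties.Name)

    # azure/login reads exactly these four keys; anything missing fails the login step.
    foreach ($key in $required) {
        if ($key -notin $present -or [string]::IsNullOrWhiteSpace($creds.$key)) {
            throw "Credentials JSON has no value for '$key'"
        }
    }
    $extra = $present | Where-Object { $_ -notin $required }
    if ($extra) { Write-Warning "Keys azure/login will ignore: $($extra -join ', ')" }

    # clientId, subscriptionId and tenantId must be GUIDs; a pasted display name or a
    # stray space here is the usual cause of a failed login step.
    foreach ($key in 'clientId', 'subscriptionId', 'tenantId') {
        $parsed = [guid]::Empty
        if (-not [guid]::TryParse($creds.$key, [ref] $parsed)) {
            throw "'$key' is not a GUID: '$($creds.$key)'"
        }
    }

    # Every role assignment this identity holds in the subscription, at any scope.
    Set-AzContext -SubscriptionId $creds.subscriptionId | Out-Null
    $assignments = @(Get-AzRoleAssignment -ServicePrincipalName $creds.clientId)
    if ($assignments.Count -eq 0) {
        throw "No role assignment for $($creds.clientId) in subscription $($creds.subscriptionId)"
    }
    foreach ($a in $assignments) {
        Write-Host ("{0,-28} {1}" -f $a.RoleDefinitionName, $a.Scope)
        if ($a.RoleDefinitionName -in 'Owner', 'User Access Administrator') {
            Write-Warning "'$($a.RoleDefinitionName)' lets the workflow change permissions; '$IntendedRole' is enough to deploy"
        }
        if ($a.Scope -eq "/subscriptions/$($creds.subscriptionId)") {
            Write-Warning "Assignment is subscription-wide; scope it to a resource group if the workflow only deploys there"
        }
    }
    return $assignments
}
```

Run it as `Test-GitHubAzureCredentials -CredentialsJson ($OutputObject | ConvertTo-Json)` straight after the script above; it returns the assignment objects so you can keep them as a record of what the workflow identity was granted.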

Store Azure Credentials in GitHub Secrets

Take a copy of the output from the PowerShell script.  This will be stored inside a GitHub Secret for use within your workflows.

Within the repository where your workflow is click on Settings > Secrets > Actions and then click on new repository secret.

GitHub Secrets settings

Give the new secret a name (I usually go with "Azure_Credentials") and then paste the output from the PowerShell script into the value section.

Use the Azure login action

Now that you have the Service Principal set up and the information stored inside GitHub Secrets, it's time to start using that information.

Within your workflow you can use the Azure Login action and pass it that secret.

You can continue to build on the workflow from there. 👍

on: [push]

name: AzureLogin

jobs:
  build-and-deploy:
    runs-on: windows-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'
