Incorporated OIDC for authenticating towards Azure in GH Action

Author: hvalfangst

.github/workflows/deploy_to_azure.yml

@@ -48,6 +48,9 @@ jobs:
     environment:
       name: 'Production'
       url: ${{ steps.deploy-to-function.outputs.webapp-url }}
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Download artifact from build job
         uses: actions/download-artifact@v4
@@ -57,10 +60,12 @@ jobs:
       - name: Unzip artifact for deployment
         run: unzip release.zip
 
-      - name: Login to Azure using Service Principal
-        uses: azure/login@v1
+      - name: Login to Azure with OIDC
+        uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Deploy to Azure Functions
         uses: Azure/functions-action@v1
@@ -103,6 +108,9 @@ jobs:
   deploy-react:
     runs-on: ubuntu-latest
     needs: build-react
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Download React build artifact
         uses: actions/download-artifact@v4
@@ -112,10 +120,12 @@ jobs:
       - name: Unzip React build
         run: unzip build.zip
 
-      - name: Login to Azure using service principal
-        uses: azure/login@v1
+      - name: Login to Azure with OIDC
+        uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
 
       - name: Deploy React build to Azure Static Website

README.md

@@ -4,8 +4,9 @@ This [static web app](client/src/App.js), built with the React framework, enable
 Once uploaded, a blob-triggered Azure Function processes the files to calculate correlations between various variables, such as experience, state, gender, and income. The computed statistics are then stored in a separate storage blob (**out**). 
 These functions are implemented in the python script [function_app.py](hvalfangst_function/function_app.py); which is the main entrypoint of our Azure Function App instance.
 
-A branch-triggered pipeline has been set up to deploy the function app and the static web app to Azure using a GitHub Actions Workflow [script](.github/workflows/deploy_to_azure.yml). A service principal has been created as part of the resource provisioning script, which is used
-to authenticate our requests in said pipeline script. It is therefore important to set the associated GitHub secrets in the repository settings.
+A branch-triggered pipeline has been set up to deploy the function app and the static web app to Azure using a GitHub Actions Workflow [script](.github/workflows/deploy_to_azure.yml).
+A service principal assigned to a federated credential has been created as part of the [resource provisioning script](infra/allocate_resources.sh), which is used to authenticate our requests in said pipeline script. 
+It is therefore important to set the associated GitHub secrets in the repository settings (more on this in below).
 
 
 
@@ -43,10 +44,6 @@ graph TD
 ```
 
 ## GitHub secrets
-As touched upon earlier, the GitHub secret **AZURE_CREDENTIALS** must be set in the repository settings. This secret comprises a JSON object containing the service principal credentials.
-It is generated by the Azure CLI command `az ad sp create-for-rbac`, which
-was executed as part of our [resource provisioning script](infra/allocate_resources.sh). The resulting terminal output of said command needs to be copy/pasted to the secret field.
-Again, it is used to authenticate our requests in the [GitHub Actions Workflow script](.github/workflows/deploy_to_azure.yml) as contributor access to the resource group is necessary
-in order to deploy our function and static web app. There are many ways to do this, but this is obviously a simple example.
-
-![img_2.png](img_2.png)
+When inspecting the **Login to Azure with OIDC** step in our **deploy** stage associated with our [GitHub Actions Workflow script](.github/workflows/deploy_to_azure.yml), it is evident
+that three secrets are required. These are the **AZURE_CLIENT_ID**, **AZURE_TENANT_ID**, and **AZURE_SUBSCRIPTION_ID** and 
+must be set in the repository settings. 

img.png

@@ -59,12 +59,23 @@ fi
 
 # Create service principal used by GitHub Actions, the returned JSON is stored as secret in the GitHub repository
 echo -e "${YELLOW}Creating service principal...${RESET}"
-az ad sp create-for-rbac --name hvalfangst-github-actions-sp --role contributor --scopes /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}
+SP_APP_ID=$(az ad sp create-for-rbac --name hvalfangst-github-actions-sp --role contributor --scopes /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP} --query "appId" -o tsv)
 if [ $? -ne 0 ]; then
     echo -e "${RED}Failed to create service principal.${RESET}"
     exit 1
 fi
 
+# Add federated credential to Azure AD application
+echo -e "${YELLOW}Adding federated credential to Azure AD application...${RESET}"
+az ad app federated-credential create --id ${SP_APP_ID} --parameters '{
+  "name": "GitHubActionsFederatedCred",
+  "issuer": "https://token.actions.githubusercontent.com",
+  "subject": "repo:hvalfangst/azure-static-react-website-triggering-functions:ref:refs/heads/main",
+  "audiences": [
+    "api://AzureADTokenExchange"
+  ]
+}'
+
 # Set up our storage container to serve static website with default index and 404 page
 echo -e "${YELLOW}Setting up static website...${RESET}"
 az storage blob service-properties update \