Upload a file from a GitHub action into a storage account without having a credential in GitHub.
- Have a GitHub Action upload files into an Azure Blob Storage Account
- Do it without having sensitive information in GitHub, by using Azure Workload Identity Federation
- Show how to do it using the proper GitHub Action `azure/login@v1`
- Show how you could do it using plain bash and curl, if that GH action did not exist. Bonus: it shows you the actual token contents in the Actions log.
- Create an app in Azure Active Directory
- Create a federated credential for that app
- Authorize the app to be Blob Storage Data Contributor on the storage account (or the container)
- Bring the AAD tenant ID and the app's client_id into GitHub (stored as 'secrets', even though they are not secrets)
- Parametrize the values in `setup.sh` and run it.
| Token issuer | Claim | Value |
|---|---|---|
| GitHub | Issuer | `iss="https://token.actions.githubusercontent.com"` |
| GitHub | Audience | `aud="api://AzureADTokenExchange"` |
| GitHub | Subject | `sub="repo:chgeuer/azure-workload-identity-github:ref:refs/heads/main"` |
| Azure | Issuer | `iss="https://sts.windows.net/mytenant.onmicrosoft.com/"` |
| Azure | Audience | `aud="https://storage.azure.com"` |
| Azure | Subject | `sub="079fd90b-a298-480a-b951-257d0974f77e"` |
The Azure credential is issued by my AAD tenant, has a subject (`"sub": "079fd90b-a298-480a-b951-257d0974f77e"`) equivalent to the service principal's Object ID:
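The bash-and-curl path from the bullet list, as an added example; this is not the repository's `setup.sh` and not the `azure/login` action. It assumes `ACTIONS_ID_TOKEN_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, `GITHUB_REPOSITORY` and `GITHUB_REF` as GitHub Actions provides them to a job with `permissions: id-token: write`, and `AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `STORAGE_ACCOUNT` and `CONTAINER` as job variables named here. The helper functions and the unsigned sample token are constructed for this example. The claim check mirrors what the federated credential in Azure AD matches on (issuer, audience, subject), so a mismatch fails the job before any call to Azure is made.

```shell
#!/bin/sh
# Added example (not the repository's setup.sh): the bash+curl variant of the
# GitHub -> Azure AD -> Blob Storage exchange, plus offline helpers to decode and
# check the token claims listed in the table above. Function names are mine.
# ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN are the variables GitHub Actions
# provides to a job with `permissions: id-token: write`.

# --- JWT helpers (offline) ---------------------------------------------------

b64url_decode() {
  # base64url -> standard base64 alphabet, restore '=' padding, decode
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

jwt_payload() {
  # the claims live in the second dot-separated segment of a compact JWS
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim() {
  # pull one string-valued claim out of the payload without needing jq
  jwt_payload "$1" | sed -n 's/.*"'"$2"'": *"\([^"]*\)".*/\1/p'
}

check_github_token() {
  # The federated credential in Azure AD matches on exactly these three claims;
  # if any differs AAD refuses the exchange, so fail early and visibly here.
  tok=$1 repo=$2 ref=$3
  [ "$(jwt_claim "$tok" iss)" = "https://token.actions.githubusercontent.com" ] || return 1
  [ "$(jwt_claim "$tok" aud)" = "api://AzureADTokenExchange" ] || return 1
  [ "$(jwt_claim "$tok" sub)" = "repo:${repo}:ref:${ref}" ] || return 1
}

# --- the three network calls (only meaningful inside an Actions job) --------

get_github_token() {
  # Ask the Actions runtime for an OIDC token whose audience is what the
  # federated credential expects. Response is {"count":1,"value":"<jwt>"}.
  curl -sS -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" \
    | sed -n 's/.*"value": *"\([^"]*\)".*/\1/p'
}

exchange_for_azure_token() {
  # client_credentials grant where the GitHub token is the client_assertion
  # (jwt-bearer); no client secret is involved anywhere.
  tenant=$1 client_id=$2 github_token=$3
  curl -sS -X POST "https://login.microsoftonline.com/${tenant}/oauth2/v2.0/token" \
    --data-urlencode "client_id=${client_id}" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "client_assertion=${github_token}" \
    --data-urlencode "scope=https://storage.azure.com/.default" \
    | sed -n 's/.*"access_token": *"\([^"]*\)".*/\1/p'
}

upload_blob() {
  # PUT the file as a block blob; the bearer token is the Azure access token
  account=$1 container=$2 blob=$3 file=$4 azure_token=$5
  curl -sS -X PUT "https://${account}.blob.core.windows.net/${container}/${blob}" \
    -H "Authorization: Bearer ${azure_token}" \
    -H "x-ms-version: 2020-10-02" \
    -H "x-ms-blob-type: BlockBlob" \
    --data-binary "@${file}"
}

# --- constructed sample token for offline use -------------------------------
# Unsigned (alg none) JWT carrying the GitHub claims from the table. AAD checks
# the real signature during the exchange; the helpers here only read claims.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_GITHUB_TOKEN="$(b64url_encode '{"alg":"none","typ":"JWT"}').$(b64url_encode '{"iss":"https://token.actions.githubusercontent.com","aud":"api://AzureADTokenExchange","sub":"repo:chgeuer/azure-workload-identity-github:ref:refs/heads/main"}').constructed-signature"

if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  # Real run: repo/ref come from Actions, tenant/client_id/storage from job vars
  gh_token=$(get_github_token)
  check_github_token "$gh_token" "$GITHUB_REPOSITORY" "$GITHUB_REF" || exit 1
  az_token=$(exchange_for_azure_token "$AZURE_TENANT_ID" "$AZURE_CLIENT_ID" "$gh_token")
  upload_blob "$STORAGE_ACCOUNT" "$CONTAINER" "hello.txt" "hello.txt" "$az_token"
else
  # Offline demo: show the decoded claims of the constructed token
  jwt_payload "$SAMPLE_GITHUB_TOKEN"; echo
fi
```

Run outside Actions it only decodes the constructed token; inside a job with `id-token: write` it fetches the GitHub token, verifies the three claims against the job's own repository and ref, exchanges it at the tenant's v2.0 token endpoint for a token scoped to `https://storage.azure.com/.default`, and PUTs `hello.txt` into the container.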