Azure/login github action always looks for 'environment' entity type despite specifying other entity types in app registration

Hello, I’m trying to use ‘OIDC federated credentials’ using app registration -> federation credentials. The Azure/login GitHub action always looks for entity type ‘environment’ despite specifying another entity type such as ‘pull_request’.

If I specify ‘environment’ in entity_type in the app registration, the GitHub action works:

Run azure/login@v1
  with:
    client-id: <client-id>
    subscription-id: <sub-id>
    tenant-id: <tenant-id>
    enable-AzPSSession: false
    environment: azurecloud
    allow-no-subscriptions: false
    audience: api://AzureADTokenExchange
Using OIDC authentication...
Federated token details: 
 issuer - https://token.actions.githubusercontent.com 
 subject claim - repo:<org/repo>:environment:terraform-demo

If I specify any other type of ‘entity type’, the GitHub action still looks for the environment entity type, as below:

Run azure/login@v1
Using OIDC authentication...
Federated token details: 
 issuer - https://token.actions.githubusercontent.com 
 subject claim - repo:<org/repo>:environment:terraform-demo
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Error: : AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://token.actions.githubusercontent.com'. Assertion Subject: 'repo:<org/repo>:environment:terraform-demo'. Assertion Audience: 'api://AzureADTokenExchange'.
Trace ID: 3940b0d0-43bf-4048-a7bb-8fea435ab300
Correlation ID: 58e6c5ab-e623-4b92-9a53-a9b0ce85ee6d
Timestamp: 2022-01-15 10:55:55Z

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 14 (1 by maintainers)

Top GitHub Comments

BALAGA-GAYATRI commented, Apr 11, 2022

@pavanm-huma assuming the above comments and referred docs helped you with the Azure login action and closing this issue. Feel free to reopen this issue if you are still facing the problem. We will be happy to help you.
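
An added diagnostic example, not part of the issue thread or the azure/login project: it parses the AADSTS70021 message format shown in the logs above and compares the presented assertion with the federated credentials configured on the app registration, which must match issuer, subject and audience exactly. Assumptions: the default subject formats are the ones GitHub documents for its OIDC tokens (a job that references an environment gets the `environment:` subject even when the trigger is a pull request), and the repository name, credential list layout and function names are constructed for illustration.

```python
import re

# Constructed sample in the error format from the issue; repo name is a placeholder.
SAMPLE_ERROR = (
    "Error: : AADSTS70021: No matching federated identity record found for "
    "presented assertion. Assertion Issuer: "
    "'https://token.actions.githubusercontent.com'. Assertion Subject: "
    "'repo:example-org/example-repo:environment:terraform-demo'. "
    "Assertion Audience: 'api://AzureADTokenExchange'."
)

FIELD_RE = re.compile(r"Assertion (Issuer|Subject|Audience): '([^']*)'")


def parse_assertion(error_text):
    """Extract issuer, subject and audience from an AADSTS70021 message."""
    return {key.lower(): value for key, value in FIELD_RE.findall(error_text)}


def default_subject(repo, event_name, ref, environment=None):
    """Default GitHub Actions `sub` claim (assumes no customised claim template)."""
    if environment:                      # job has `environment:` set: this wins
        return f"repo:{repo}:environment:{environment}"
    if event_name == "pull_request":     # PR trigger, no environment on the job
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ref}"      # branch or tag, e.g. refs/heads/main


def diagnose(error_text, credentials):
    """Return (matched, reasons). Each credential is a dict with the
    hypothetical keys name, issuer, subject, audience."""
    assertion = parse_assertion(error_text)
    reasons = []
    for cred in credentials:
        diffs = [f for f in ("issuer", "subject", "audience")
                 if cred[f] != assertion.get(f)]   # exact, case-sensitive match
        if not diffs:
            return True, []
        reasons.append(f"{cred['name']}: differs in {', '.join(diffs)}")
    return False, reasons
```
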
