Azure US Government OIDC #298
Comments
There is an open PR on this issue #258. Waiting on approval of the PR since November
@jamesseiwert Ideally it should throw an error saying Govt clouds are not supported. Can you share more details if you are using a forked version of the action where you are bypassing that condition? Please share your workflow yaml for better understanding. Coming to the support for Govt clouds, we are following up and will get back to you with more info.
@BALAGA-GAYATRI sorry for the delay. The workflow is simple and the login appears to work just with the false positive error. Below is the workflow file we are doing and at the end we can do a simple print out of all resource groups.
Can you please add the below permissions for OIDC token and check the logs once.
@BALAGA-GAYATRI we do have those permissions in the workflow
https://github.com/Azure/login/blob/master/src/main.ts#L116
This issue is idle because it has been open for 14 days with no activity.
We are using this in both Github.com and Github Enterprise
This issue is idle because it has been open for 14 days with no activity.
not stale, Gov users matter! ❤️
Hello, can we have an update on this issue? We are trying to move to OIDC authentication as recommended by the DoD Reference Architecture for DevSecOps, but have run into this same issue. Noting the documentation has read that government cloud support is coming 'soon' but this issue itself is now months old, presumably outside the definition of 'soon.' Thanks 😃
@MoChilia - Any update you can provide?
Hi @jamesseiwert! I have submitted pr #321 to fix this issue. Once this pr is merged, we will plan a release for it so that the OIDC authentication for sovereign clouds will be supported.
Closing this issue for now. It has been solved by #321.
@MoChilia this change does not seem to address powershell login as mentioned in #248. Specifically:
```yaml
name: Test Azure powershell login with OIDC
on:
  workflow_dispatch:
permissions:
  id-token: write
  contents: read
jobs:
  test-oidc-login-ps:
    runs-on: ubuntu-latest
    environment: Azure-Gov-Dev # valid environment
    steps:
      - name: OIDC Login to Azure
        uses: azure/login@master # I built lib/main.js from master
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
          environment: 'AzureUSGovernment'
          enable-AzPSSession: true # works if this is not included
```
@danelson, could you open a new issue and provide this workflow & the debug log of your workflow?
When using OIDC in Azure Government, an error is thrown on login but it still works successfully.
```
Using OIDC authentication...
Error: undefined. Please make sure to give write permissions to id-token in the workflow.
/usr/bin/az cloud set -n azureusgovernment
WARNING: Switched active cloud to 'AzureUSGovernment'.
WARNING: Use 'az login' to log in to this cloud.
WARNING: Use 'az account set' to set the active subscription.
Done setting cloud: "azureusgovernment"
Login successful.
```
The workflow has the permissions set as well:
```yaml
permissions:
  id-token: write
  contents: read
```
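
An added diagnostic, not code from this thread or from the azure/login project: because the error text above blames the `id-token` permission even when it is set, this script checks the permission independently and shows the token claims a federated credential is matched against. It assumes the runner variables `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` (present only when `id-token: write` is granted, per GitHub's OIDC documentation); the function names are hypothetical and the sample token is constructed with a placeholder repository and audience.

```python
import base64
import json
import os

# Runner variables expected when the job has `permissions: id-token: write`
# (assumption taken from GitHub's OIDC documentation, not from this thread).
REQUIRED_ENV = ("ACTIONS_ID_TOKEN_REQUEST_URL", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")

def missing_oidc_env(env):
    """Return the required runner variables that are absent or empty in env."""
    return [name for name in REQUIRED_ENV if not env.get(name)]

def jwt_claims(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(env, token=None):
    """Separate 'permission not granted' from a failure later in the login."""
    missing = missing_oidc_env(env)
    if missing:
        return {"id_token_permission": False, "missing": missing}
    report = {"id_token_permission": True, "missing": []}
    if token is not None:
        claims = jwt_claims(token)
        # Compare these with the issuer, subject and audience configured
        # on the federated credential of the Azure AD application.
        report.update({k: claims.get(k) for k in ("iss", "sub", "aud")})
    return report

def _b64url(obj):
    """Encode a dict as unpadded base64url JSON, as a JWT segment would be."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token: unsigned, placeholder repository and audience.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://token.actions.githubusercontent.com",
             "sub": "repo:example-org/example-repo:environment:Azure-Gov-Dev",
             "aud": "example-audience"}),
    "c2lnbmF0dXJl",
])

if __name__ == "__main__":
    print(diagnose(os.environ))
```

Run as a workflow step before the login step: if `id_token_permission` is true and the login still prints the permission error, the message is not caused by the workflow's `permissions` block.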