@oliverlabs
Last active March 24, 2023 17:14
Create a workload identity for GitHub Actions deployments workflow
## Create a workload identity based on an existing SP
# STEP 1 - Create a workload identity
# Define variables for your GitHub organisation (or username) and your repository name.
# !!! IMPORTANT !!!---------->>> Make sure to change all parameters in brackets <>
githubOrganizationName='<orgname>' # <-------------- UPDATE THIS VALUE
githubRepositoryName='<github-repository-name>' # <-------------- UPDATE THIS VALUE
# Define an existing service principal (application (client) id)
id='<sp app (client) id>' # <-------------- UPDATE THIS VALUE
# STEP 2 - Create a workload identity for your deployments workflow (aka app registration)
# Fetch the details of the app registration behind the SP and extract the object id and app id
applicationRegistrationDetails=$(az ad app show --id "$id")
applicationRegistrationObjectId=$(echo "$applicationRegistrationDetails" | jq -r '.id')
applicationRegistrationAppId=$(echo "$applicationRegistrationDetails" | jq -r '.appId')
# Create federated credential. The subject pins the credential to the main branch of this
# repository only: tokens issued for other branches, tags or pull requests will not match it.
fedCredName='<fed-cred-name>' # <-------------- UPDATE THIS VALUE
az ad app federated-credential create \
--id "$applicationRegistrationObjectId" \
--parameters "{\"name\":\"${fedCredName}\",\"issuer\":\"https://token.actions.githubusercontent.com\",\"subject\":\"repo:${githubOrganizationName}/${githubRepositoryName}:ref:refs/heads/main\",\"audiences\":[\"api://AzureADTokenExchange\"]}"
# STEP 3 - Create a resource group in Azure and grant the workload identity access to it (using a service principal)
resourceGroupName='<rg-name>' # <-------------- UPDATE THIS VALUE
resourceGroupResourceId=$(az group create --name "$resourceGroupName" --location westeurope --query id --output tsv)
az ad sp create --id "$applicationRegistrationObjectId"
# Contributor is scoped to this resource group only, not to the subscription
az role assignment create \
--assignee "$applicationRegistrationAppId" \
--role Contributor \
--scope "$resourceGroupResourceId"
# STEP 4 - Prepare GitHub Secrets
# Prepare variables for the GitHub Secrets (no client secret is needed: the workflow exchanges its OIDC token)
AZURE_CLIENT_ID=$applicationRegistrationAppId
AZURE_TENANT_ID=$(az account show --query tenantId --output tsv)
AZURE_SUBSCRIPTION_ID=$(az account show --query id --output tsv)
echo "AZURE_CLIENT_ID: $AZURE_CLIENT_ID"
echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"
echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"
# Set GitHub Secrets using GitHub CLI
gh secret set AZURE_CLIENT_ID -b "$AZURE_CLIENT_ID" -R "${githubOrganizationName}/${githubRepositoryName}"
gh secret set AZURE_TENANT_ID -b "$AZURE_TENANT_ID" -R "${githubOrganizationName}/${githubRepositoryName}"
gh secret set AZURE_SUBSCRIPTION_ID -b "$AZURE_SUBSCRIPTION_ID" -R "${githubOrganizationName}/${githubRepositoryName}"
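Added example, not part of the gist: a Python model of the exact-match check Entra ID applies to a classic federated identity credential, showing which GitHub Actions runs the `ref:refs/heads/main` subject configured above admits and which it rejects. The organisation/repository names and the token claims are constructed sample values.

```python
# Models the federated credential created by the gist and the exact-match rule applied to it.
import json

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"


def github_subject(org, repo, *, branch=None, tag=None, environment=None, pull_request=False):
    """Return the OIDC 'sub' claim GitHub issues for a given workflow trigger."""
    base = f"repo:{org}/{repo}"
    if environment:  # a job bound to a GitHub environment gets the environment subject
        return f"{base}:environment:{environment}"
    if pull_request:  # pull_request-triggered run
        return f"{base}:pull_request"
    if tag:
        return f"{base}:ref:refs/tags/{tag}"
    if branch:
        return f"{base}:ref:refs/heads/{branch}"
    raise ValueError("one of branch, tag, environment or pull_request is required")


def federated_credential(name, subject):
    """Same shape as the JSON the gist passes to --parameters (audiences is a list)."""
    return {"name": name, "issuer": GITHUB_ISSUER, "subject": subject,
            "audiences": [AZURE_AUDIENCE]}


def federated_credential_parameters(name, subject):
    """Serialised form for `az ad app federated-credential create --parameters`."""
    return json.dumps(federated_credential(name, subject))


def credential_accepts(credential, claims):
    """Exact match on issuer and subject; 'aud' may be a string or a list of strings."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == credential["issuer"]
            and claims.get("sub") == credential["subject"]
            and any(a in credential["audiences"] for a in audiences))


if __name__ == "__main__":
    # Constructed sample values: <orgname>/<github-repository-name> from the gist become contoso/infra.
    cred = federated_credential("gh-main", github_subject("contoso", "infra", branch="main"))
    for sub in (github_subject("contoso", "infra", branch="main"),
                github_subject("contoso", "infra", branch="feature/x"),
                github_subject("contoso", "infra", pull_request=True)):
        claims = {"iss": GITHUB_ISSUER, "sub": sub, "aud": AZURE_AUDIENCE}
        print(f"{sub:45} accepted={credential_accepts(cred, claims)}")
```

Only the main-branch token is accepted; a feature-branch or pull-request run needs its own credential (with its own, narrower role assignment) rather than a loosened subject.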