Use a workload identity from a GitHub Actions workflow

  • 2 minutes

After you create a workload identity and assign it access to your Azure environment, it's time to use it in your GitHub Actions workflow. In this unit, you learn about the two changes that you need to make to your workflow definition.

Allow the workflow to request tokens

You need to allow your deployment workflow to request tokens. In your workflow, add the permissions property:

permissions:
  id-token: write
  contents: read

Sign in to Azure

Your deployment workflow uses the azure/login action to sign in to Azure. When you use a workload identity, you need to specify three inputs:

Input Description
client-id The application ID for the application registration. Be sure to use the application ID and not the object ID.
tenant-id The unique identifier for your Microsoft Entra tenant (directory).
subscription-id The Azure subscription ID that you'll deploy to.

Each of these values is a GUID.

When you define the values, you might choose to specify them directly in your workflow definition file:

- uses: azure/login@v1
  with:
    client-id: 'A123b4567c-1234-1a2b-2b1a-1234abc12345'
    tenant-id: 'aaaabbbb-0000-cccc-1111-dddd2222eeee'
    subscription-id: 'B123a4567c-1234-2b1a-1b2b-11a2b01b2b3c0'

However, some organizations treat these identifiers as secret data or don't allow identifiers to be committed to Git repositories. You can also use GitHub secrets to specify the values:

- uses: azure/login@v1
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

Throughout the learning paths for Bicep, we use secrets to store and manage these identifiers. You can decide which approach works best for your organization.

Deploy to Azure

After your workflow has signed in to Azure, you can deploy a Bicep file by using the azure/arm-deploy action. The following workflow definition shows a complete Bicep deployment workflow that uses workflow identities:

name: MyWorkflow

on: [workflow_dispatch]

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
      with:
        path: repo
    - uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENT_ID }}
        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: ToyWebsite
        template: ./deploy/main.bicep