Knowledge check

Completed

Your colleague is using workload identities with a GitHub deployment workflow. The following code is the workflow definition file:

on:
  push:
    branches:
      - main
    paths:
      - 'deploy/**'

name: AzureBicepSample

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: azure/login@v1
      with:
        client-id: '44445555-eeee-6666-ffff-7777aaaa8888'
        tenant-id: 'aaaabbbb-0000-cccc-1111-dddd2222eeee'
        subscription-id: 'ffff5f5f-aa6a-bb7b-cc8c-dddddd9d9d9d'
    - uses: azure/arm-deploy@v1
      with:
        resourceGroupName: MyResourceGroup
        template: ./deploy/main.bicep

The workflow returns the following error message:

Error:  Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable. Please make sure to give write permissions to id-token in the workflow.

1.

What should your colleague do to fix this error?

Add the permissions property to the workflow definition.

Move the client ID, tenant ID, and subscription ID inputs into GitHub secrets.

Use a service principal and a key.

2.

Which of these statements about workload identities is true?

When you use workload identities, you must carefully manage their secrets.

Workload identities can use federated credentials to authenticate.

Workload identities must be created through the Azure portal.

3.

You need to create a deployment workflow that deploys your infrastructure to three environments - development, test, and production. Each environment is in a dedicated resource group in three subscriptions. What should you do?

Create a single workload identity and grant it access to the tenant root management group.

Create a single workload identity and grant it access to each of the resource groups in the three subscriptions.

Create three workload identities, one per environment, and grant each identity access to a single resource group in the relevant subscription.

4.

You're creating a workload identity to run a deployment workflow. The workflow deploys a Bicep file that creates a single storage account. Which of the following options has the least privileged access that you need for your workflow?

Role definition: Contributor
Scope: Subscription

Role definition: Contributor
Scope: Resource group

Role definition: Owner
Scope: Resource group

You must answer all questions before checking your work.