Hi guys is it possible to deploy infra on Azure via Github Actions using OpenID Connect (federated identity access)? I would really like to avoid storing secrets in GitHub. This is the action file:

name: Pulumi
on:
  push:
    branches:
      - main

permissions:
  id-token: write
  contents: read

jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 14.x
      - name: 'Azure login via CLI (Federated access)'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} 
      - run: npm install
      - uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          cloud-url: <azblob://state>       
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true

action

azure/login@v1

finishes without any issues, but

pulumi/actions@v3

fails with the following error

failed with an unhandled exception:
azure-native:resources:ResourceGroup aks-test  error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

@creamy-fall-88031 full walkthrough of all clouds here: https://www.leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials.html example code to set it up: https://github.com/jaxxstorm/secure-cloud-access/tree/main/azure

This is exactly the tutorial I was following. As I wrote, logging in with the github actions example from this tutorial has no issues. But once I extend it to actually deploy some pulumi code - it fails with the error. So this part:

uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

works. This one fails:

- uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          cloud-url: <azblob://state>       
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true

are you using an OSS backend?

self managed, state should be saved in azure blob file

okay, so auth'ing with oidc means you're logged in as a service principal, example: https://github.com/jaxxstorm/secure-cloud-access/runs/4914761413?check_suite_focus=true#step:3:20 i'm not sure where the error is coming from, it should work

Hi again. Thank you very much for trying to help me. I just figured it out that actually you wrote the tutorial. 😄 So one more thing to thank you for. Just a small update. Although I've meddled with this issue for several days now, I was not able to make a successful deployment. The

azure/login@v1

action works without any issues just as you described in your tutorial, but the actual deployment via

pulumi/actions@v3

always fails when deploying via OIDC. At this point I had to return to service principal authentication and store the secret at Github.