Create Azure credentials for use in GitHub Actions

Join me in this blog post as I look at how you can create an Azure Service Principal to make a connection between your Azure subscription and GitHub Actions.

Create Azure credentials for use in GitHub Actions
Create Azure credentials for use in GitHub Actions

One of the things you can do with GitHub Actions is to connect with your Azure subscription. You can interact with your Azure resources, deploy Azure resources, and more.

In order to be able to use GitHub Actions with your Azure subscription, you need to create that service connection. To do that, you must create an Azure Service Principal and store the credentials inside a GitHub Actions secret.

Create the Service Principal

Creating a Service Principal is the first step to creating that connection between GitHub Actions and Azure. You can do that in a few ways:

The quickest way and easiest way I've found to create this Service Principal is to use Azure CloudShell and issue the command:

New-AzADServicePrincipal -DisplayName "GitHubActionsConnection"

Now we have the Service Principal created, we need to create a secret/password that can be used to log in with. For this, we need to head to the Azure Portal. Go to:

Azure Portal > Microsoft Entra ID > App Registrations

Azure AD App registrations
Azure AD App registrations

Click on "All Applications" and click on your newly created Service Principal.

All Applications
All Applications

Now click on "Certificates & Secrets" and click on "New Client Secret".

New Client Secret
New Client Secret

You get the option to set how long this secret will be available, please use your organisation's best practices here.

Permissions

We now need to give this Service Principal rights to either a resource group or subscription. In this example, I am going to set up permissions for this Service Principal over my subscription.

To do that, I go into the Azure Portal > Subscriptions and select the subscription.

Now I click on Access Control (IAM) down the left-hand side.

Then clicking on Add to create a new role assignment.

Azure Access Control settings
Azure Access Control settings

You'll have the option of assigning a number of permissions to the Service Principal. I will assign Contributor permissions here and then select the new Service Principal as a member.

Azure AD IAM Permissions
Azure AD IAM Permissions

Once the permissions have been applied, it's time to collect all the information to store it inside GitHub for use within the workflows.

Collect Service Principal information

To store the information inside a GitHub Actions secret, it needs to be stored within a JSON format. We can run this PowerShell subscription to collect all the information you will need for GitHub and in the form that GitHub needs.

# Fill in the information information with the Service Principal Name you created and your Azure Subscription Name. 

$ServicePrincipalName = "GitHubActionsConnection"
$AzSubscriptionName = "Name_of_your_subscription"

Connect-AzureAD

$Subscription = (Get-AzSubscription -SubscriptionName $AzSubscriptionName)
$ServicePrincipal = Get-AzADServicePrincipal -DisplayName $ServicePrincipalName
$AzureADApplication = Get-AzureADApplication -SearchString $ServicePrincipalName

$OutputObject = [PSCustomObject]@{
    clientId = $ServicePrincipal.AppId
    clientSecret = (New-AzureADApplicationPasswordCredential -ObjectId $AzureADApplication.ObjectId).Value
    subscriptionId = $Subscription.Id
    tenantId = $Subscription.TenantId
}

$OutputObject | ConvertTo-Json

Store Azure Credentials in GitHub Secrets

Take a copy of the output from the PowerShell query. This will be stored inside a GitHub Secret for use within your workflows.

Within the repository where your workflow is, click on Settings > Secrets > Actions and then click on new repository secret.

GitHub Secrets settings
GitHub Secrets settings

Give the new secret a name; I usually go with "Azure_Credentials" and then paste the PowerShell script's output into the value section.

Use the Azure login action

Now you have the Service Principal set up and the information stored inside GitHub Secrets, it's time to use that information.

You can use the Azure Login action within your workflow and call that secret information.

You can continue to build on the workflow from there. 👍

on: [push]

name: AzureLogin

jobs:
  build-and-deploy:
    runs-on: windows-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'