OIDC with Azure

See the general OIDC documentation before diving into the Azure specific setup.

Azure Specific Setup

Creating a vault (if necessary)

It's typical when working with OIDC to have at least one locked vault which holds any relevant secrets and OIDC tokens necessary to authenticate.

If you have multiple identities you need to authenticate with, for example if you have separate development and production credentials, you may consider having one vault for each with different permissions.

Creating your service principal or managed identity

Before you begin, ensure you've created either a service principal or a user-assigned managed identity and have assigned a role to it.

Once you've created this, create a secret in your vault for each of the AZURE_CLIENT_ID, AZURE_SUBSCRIPTION_ID, and AZURE_TENANT_ID associated with it.

Configuring your OIDC token in Mint

Now you can configure the OIDC token in the Mint Vault UI; it's customary to name the token azure. You can then reference the token in your Mint run with:

${{ vaults.your-vault.oidc.azure }}

For the audience, you can choose either Azure's default audience of api://AzureADTokenExchange or set a custom one.

Configuring a federated identity credential in Azure

Once the OIDC token is configured, you'll find that the subject takes the form mint:{organization uuid}:{vault name}; the Mint Vault UI shows it for the token you configured. To finish configuring Azure, you'll need to copy that value (click on it).

Within Azure, you'll need to create a federated identity credential for your service principal or for your user-assigned managed identity.

Eventually, you'll reach a screen asking for the following information:

  • Issuer URL: https://cloud.rwx.com/mint
  • Subject identifier: the value you copied from the Mint Vault UI earlier
  • Name: a name of your choice to identify the credential
  • Audience: By default, this is api://AzureADTokenExchange. If you chose a different value when configuring your token, enter it here.

Authenticating with OIDC in a Mint run

Now that your federated identity credential is configured, you're ready to authenticate within Mint.

We provide the azure/install-cli and azure/auth-oidc leaves to help coordinate the token exchange.

tasks:
  - key: azure-cli
    call: azure/install-cli 1.0.1

  - key: azure-auth
    use: azure-cli
    call: azure/auth-oidc 1.0.0
    with:
      oidc-token: ${{ vaults.your-vault.oidc.azure }}
      client-id: ${{ vaults.your-vault.secrets.AZURE_CLIENT_ID }}
      subscription-id: ${{ vaults.your-vault.secrets.AZURE_SUBSCRIPTION_ID }}
      tenant-id: ${{ vaults.your-vault.secrets.AZURE_TENANT_ID }}

  - key: use-azure-cli
    use: [azure-cli, azure-auth]
    run: az account show