Creating a Service Principal for GitHub Actions to Provision Azure Resources

To automate Azure resource deployment using GitHub Actions, you need a secure way to authenticate and manage permissions.

The best practice is to use a Service Principal rather than the credentials of a personal user account.

In this blog post I will guide you through creating a Service Principal using the Azure CLI, retrieving the necessary information, and configuring it for use in GitHub Actions.

Why Use a Service Principal?

A Service Principal is the identity of an application registered in Azure Active Directory (AAD, now Microsoft Entra ID). Automated tasks authenticate as it and can act only within the permissions it has been granted. It provides:

Security: Access is limited by assigning the Service Principal a specific role at a specific scope, so the pipeline holds only the permissions it actually needs.

Automation: Enables non-interactive scripts or workflows to interact with Azure resources without a user signing in.

Scalability: Simplifies credential management for CI/CD pipelines like GitHub Actions, since each pipeline gets its own identity that can be rotated or revoked without touching any user account.

Step 1: Create a Service Principal

Using the Azure CLI, you can create a Service Principal and assign it a role in a single command. Copy the code below, replacing <YOUR_SUBSCRIPTION_ID> with your own Azure subscription ID. Contributor on the whole subscription is the simplest choice, but it lets the pipeline change anything in that subscription; if your workflow only deploys into one resource group, narrow the scope to /subscriptions/<YOUR_SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP> so that a leaked secret can do less damage.

az ad sp create-for-rbac \
  --name "github-actions-sp" \
  --role Contributor \
  --scopes /subscriptions/<YOUR_SUBSCRIPTION_ID>

Output:

The command will return a JSON object containing these key details:

appId: The Client ID of the Service Principal.

password: The Client Secret. It is shown only this once and cannot be retrieved later, so copy it straight into GitHub Secrets (Step 3) and nowhere else. By default the secret is valid for one year; set a reminder to rotate it before it expires.

tenant: The Azure Active Directory Tenant ID.

Note that the subscription ID is not part of this output. It is the value you passed in --scopes; Step 2 shows how to look it up if you do not have it at hand.

Example Output:

{
  "appId": "11111111-2222-3333-4444-555555555555",
  "displayName": "github-actions-sp",
  "password": "abcd1234-5678-efgh-9101-ijklmnopqrst",
  "tenant": "66666666-7777-8888-9999-aaaaaaaaaaaa"
}

Step 2: Retrieve Azure Subscription ID

If you don’t already know your subscription ID, use this command:

az account show --query id -o tsv

This will return your Subscription ID as plain text.

Step 3: Save Service Principal Information to GitHub Secrets

Go to your GitHub repository.

Navigate to Settings > Secrets and variables > Actions > New repository secret.

Add the following secrets:

AZURE_CREDENTIALS: A JSON object containing the Service Principal details. Note that the key names are not the ones returned by create-for-rbac: appId becomes clientId, password becomes clientSecret, tenant becomes tenantId, and you add subscriptionId from Step 2. Example:

{
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "abcd1234-5678-efgh-9101-ijklmnopqrst",
  "subscriptionId": "12345678-90ab-cdef-1234-567890abcdef",
  "tenantId": "66666666-7777-8888-9999-aaaaaaaaaaaa"
}

Click Add secret.

Step 4: Use the Service Principal in GitHub Actions

Once you've added everything to GitHub Secrets, you're ready to use the Service Principal in your workflow.

In the workflow, the azure/login action reads the AZURE_CREDENTIALS secret (creds: ${{ secrets.AZURE_CREDENTIALS }}) and signs in as the Service Principal; the steps that follow can then run Azure CLI commands or deploy templates with exactly the permissions granted in Step 1. Because the value lives in a GitHub secret, it is never committed to the repository and GitHub redacts it from the job log.

Step 5: Test the Workflow

Push the updated workflow file to the main branch of your repository.

Monitor the Actions tab in GitHub to ensure the Service Principal is authenticating and provisioning resources successfully.
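The five steps above as one script, an added example that is not part of the original post. It goes one step further than the post by granting Contributor on a single resource group instead of the whole subscription, assembles the AZURE_CREDENTIALS JSON in the shape the azure/login action expects, stores it with the gh CLI instead of the browser, and writes a minimal workflow that proves the login works. It assumes the az and gh CLIs are already signed in and that jq is installed; RG_NAME, SP_NAME, GH_REPO and the workflow file name azure-deploy.yml are placeholders, not names from the post.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Bootstraps a Service Principal
# for GitHub Actions end to end: create it with Contributor on ONE resource
# group, assemble the AZURE_CREDENTIALS JSON, upload it with the gh CLI and
# write a minimal workflow that uses it. Assumes az (logged in), gh
# (authenticated) and jq are installed; RG_NAME, SP_NAME and GH_REPO are
# placeholders to override in the environment.
set -eu

# Build the JSON that the azure/login action's `creds` input expects. Azure
# GUIDs and generated secrets contain no quotes or backslashes, so printf is
# safe here; switch to `jq -n --arg` if the values could ever contain them.
build_azure_credentials() {
  printf '{"clientId":"%s","clientSecret":"%s","subscriptionId":"%s","tenantId":"%s"}\n' \
    "$1" "$2" "$3" "$4"
}

# Catch the classic mistake of pasting the raw create-for-rbac output into the
# secret: its keys are appId/password/tenant, but azure/login wants
# clientId/clientSecret/subscriptionId/tenantId.
validate_azure_credentials() {
  json="$1"; missing=""
  for key in clientId clientSecret subscriptionId tenantId; do
    case "$json" in
      *"\"$key\":"*) ;;
      *) missing="$missing $key" ;;
    esac
  done
  [ -z "$missing" ] || { echo "AZURE_CREDENTIALS is missing:$missing" >&2; return 1; }
}

# Least privilege guard: only accept a resource-group scope, never a bare
# /subscriptions/<id>, so a leaked secret cannot touch the whole subscription.
scope_is_resource_group() {
  case "$1" in
    /subscriptions/*/resourceGroups/*) return 0 ;;
    *) return 1 ;;
  esac
}

main() {
  rg_name="${RG_NAME:-rg-github-actions}"   # placeholder resource group
  sp_name="${SP_NAME:-github-actions-sp}"
  repo="${GH_REPO:-owner/repo}"             # placeholder repo slug

  subscription_id="$(az account show --query id -o tsv)"
  scope="/subscriptions/${subscription_id}/resourceGroups/${rg_name}"
  scope_is_resource_group "$scope" || { echo "refusing non-resource-group scope" >&2; exit 1; }

  # Keep the output in a variable: the password is shown exactly once and
  # should never be written to disk or left in terminal scrollback.
  sp_json="$(az ad sp create-for-rbac --name "$sp_name" --role Contributor --scopes "$scope" -o json)"

  creds="$(build_azure_credentials \
    "$(printf '%s' "$sp_json" | jq -r .appId)" \
    "$(printf '%s' "$sp_json" | jq -r .password)" \
    "$subscription_id" \
    "$(printf '%s' "$sp_json" | jq -r .tenant)")"
  validate_azure_credentials "$creds"

  # Store the secret through the API instead of pasting it into the browser.
  gh secret set AZURE_CREDENTIALS --repo "$repo" --body "$creds"

  # Minimal workflow: log in with the secret, then prove the scope is right by
  # reading the one resource group the Service Principal may manage.
  mkdir -p .github/workflows
  cat > .github/workflows/azure-deploy.yml <<EOF
name: azure-deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          creds: \${{ secrets.AZURE_CREDENTIALS }}
      - name: Show the resource group the Service Principal can manage
        run: az group show --name ${rg_name} --query id -o tsv
EOF
  echo "Created ${sp_name} with Contributor on ${scope}; secret and workflow written."
}

# Run the Azure and GitHub calls only when asked to; sourcing the file just
# defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `RG_NAME=my-rg GH_REPO=owner/repo ./bootstrap.sh --run` from the repository root, then commit and push .github/workflows/azure-deploy.yml. If the login step in the workflow fails, the validate function's message is the first thing to check: a secret containing appId/password/tenant instead of clientId/clientSecret/tenantId is the most common cause.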

Conclusion

Creating a Service Principal and integrating it with GitHub Actions is a secure and efficient way to automate Azure resource deployment, provided the role and scope stay as narrow as the pipeline allows and the client secret is rotated before it expires.

By following these steps, you've established a foundation for managing resources programmatically, paving the way for scalable CI/CD pipelines. Where you can, go one step further and replace the stored client secret with a federated (OIDC) credential, which azure/login also supports; the workflow then authenticates with a short-lived token and there is no long-lived secret to leak or rotate.

For more tutorials, don't forget to check out the Azure Roadmap YouTube Channel and my GitHub repository.

Categorised as Azure
