Commit adbe36e
deploy: use OpenID Connect instead of RBAC
Apparently after the `publish-profile` deployments stopped working as expected,
even RBAC now fails. At least when I tried last, it failed thusly:

    ▶Run azure/login@v1
    Running Azure CLI Login.
    /usr/bin/az cloud set -n azurecloud
    Done setting cloud: "azurecloud"
    Note: Azure/login action also supports OIDC login mechanism. Refer
    https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication
    for more details.
    Attempting Azure CLI login by using service principal with secret...
    Error: AADSTS7000215: Invalid client secret provided. Ensure the secret being
    sent in the request is the client secret value, not the client secret ID, for
    a secret added to app '***'.
    Trace ID: 8b5b5391-5b96-472c-a0e7-11ae90b1c000
    Correlation ID: bd635df4-82ca-441c-af9e-154d18e92773
    Timestamp: 2026-02-12 16:28:25Z
    Error: The error may be caused by passing a service principal certificate with
    --password. Please note that --password no longer accepts a service principal
    certificate. To pass a service principal certificate, use --certificate instead.
    Error: Login failed with Error: The process '/usr/bin/az' failed with exit
    code 1. Double check if the 'auth-type' is correct. Refer to
    https://github.com/Azure/login#readme for more information.

My guess is that even RBAC is considered too insecure. Let's use OpenID Connect,
as it is tied to the GitHub workflow and is therefore as secure as it gets. Even
if the name of the Managed Identity, the tenant and the subscription IDs are
known, an attacker cannot authenticate as that managed identity.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

1 parent 0d66474 commit adbe36e
2 files changed, +24 -8 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
11 | 15 | | |
12 | 16 | | |
13 | 17 | | |
| |||
16 | 20 | | |
17 | 21 | | |
18 | 22 | | |
19 | | - | |
| 23 | + | |
20 | 24 | | |
21 | | - | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
22 | 28 | | |
23 | 29 | | |
24 | 30 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
113 | 113 | | |
114 | 114 | | |
115 | 115 | | |
116 | | - | |
| 116 | + | |
117 | 117 | | |
118 | 118 | | |
119 | | - | |
120 | | - | |
121 | | - | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
| 127 | + | |
| 128 | + | |
| 129 | + | |
| 130 | + | |
| 131 | + | |
122 | 132 | | |
123 | 133 | | |
124 | | - | |
| 134 | + | |
125 | 135 | | |
126 | 136 | | |
127 | 137 | | |
| |||
131 | 141 | | |
132 | 142 | | |
133 | 143 | | |
134 | | - | |
| 144 | + | |
135 | 145 | | |
136 | 146 | | |
137 | 147 | | |
| |||
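
The commit message's point that knowing the managed identity's name, tenant and subscription IDs is not enough can be modelled as the claim check a federated credential applies to the workflow's OIDC token. This is an added example, not code from this commit or repository; the function names, `example-org/example-repo` and the sample claims are constructed, and the exact-match logic is a simplified model that assumes the token's signature was already verified.

```python
import time

# Issuer and audience documented for GitHub Actions OIDC federation with Entra ID.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
ENTRA_AUDIENCE = "api://AzureADTokenExchange"

def federated_credential_accepts(credential, claims, now=None):
    """Return (accepted, reason) for already signature-verified token claims.

    Simplified model: issuer, subject and audience must match exactly and the
    token must be unexpired. Signature validation against the issuer's
    published keys is assumed to have happened before this call.
    """
    now = time.time() if now is None else now
    for field, claim in (("issuer", "iss"), ("subject", "sub"), ("audience", "aud")):
        if claims.get(claim) != credential[field]:
            return False, f"{claim} mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"

# Constructed sample data: example-org/example-repo is a placeholder repository.
CREDENTIAL = {
    "issuer": GITHUB_ISSUER,
    "subject": "repo:example-org/example-repo:ref:refs/heads/main",
    "audience": ENTRA_AUDIENCE,
}
NOW = 1_700_000_000  # fixed clock so the results are reproducible

def sample_claims(sub, iss=GITHUB_ISSUER, aud=ENTRA_AUDIENCE, exp=NOW + 300):
    return {"iss": iss, "sub": sub, "aud": aud, "exp": exp}

CASES = {
    "deploy workflow on main": sample_claims(CREDENTIAL["subject"]),
    "same repo, other branch": sample_claims("repo:example-org/example-repo:ref:refs/heads/feature"),
    "different repository": sample_claims("repo:someone-else/example-repo:ref:refs/heads/main"),
    "pull_request run": sample_claims("repo:example-org/example-repo:pull_request"),
    "other issuer": sample_claims(CREDENTIAL["subject"], iss="https://issuer.example"),
    "expired token": sample_claims(CREDENTIAL["subject"], exp=NOW - 1),
}

def evaluate_all():
    """Evaluate every constructed case against the one configured credential."""
    return {name: federated_credential_accepts(CREDENTIAL, c, now=NOW) for name, c in CASES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in evaluate_all().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name}: {reason}")
```

Only the first case is accepted: none of the IDs in the workflow file appear in the check, so possessing them does not help a caller whose token carries a different issuer, subject or audience.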