TEST / FedId

.github/actions/devcontainer_run_command/action.yml

@@ -223,17 +223,6 @@ runs:
       run: |
         echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV
 
-    - name: Get GitHub OIDC Token
-      id: get_oidc_token
-      shell: bash
-      run: |
-        # Request the GitHub OIDC token for federated authentication
-        OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')
-
-        # Write token to a temporary file for safe transport into container
-        echo "$OIDC_TOKEN" > /tmp/github_oidc_token
-        chmod 600 /tmp/github_oidc_token
-
     - name: Run command in DevContainer
       shell: bash
       run: |
@@ -250,7 +239,7 @@ runs:
           "type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
           -v /var/run/docker.sock:/var/run/docker.sock \
           -v "./command.sh:/workspaces/tre/command.sh" \
-          -v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \
+          -v "$HOME/.azure:/home/vscode/.azure" \
           --workdir /workspaces/tre \
           --user vscode \
           -e TF_INPUT="0" \

devops/scripts/bootstrap_azure_env.sh

@@ -28,26 +28,17 @@ load_environment_config() {
 
 ensure_automation_login() {
   if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
-    az cloud set --name "${AZURE_ENVIRONMENT}"
-
-    # Use OIDC-based login for GitHub Actions
-    if [[ -f "/tmp/github_oidc_token" ]]; then
-      # Use the GitHub OIDC token from file for federated authentication
-      az login --service-principal \
-        --username "${ARM_CLIENT_ID}" \
-        --tenant "${ARM_TENANT_ID}" \
-        --allow-no-subscriptions \
-        --federated-token "$(cat /tmp/github_oidc_token)"
+    if [[ -d "$HOME/.azure" ]]; then
+      echo "Using existing Azure CLI login."
     elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
-      # Fallback to classic service principal login (for backwards compatibility)
-      echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
+      echo "Warning: Using classic service principal authentication."
+      az cloud set --name "${AZURE_ENVIRONMENT}"
       az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
+      az account set -s "${ARM_SUBSCRIPTION_ID}"
     else
-      echo "Error: No authentication method available (OIDC token or client secret required)"
+      echo "Error: No authentication method available (Azure CLI or client secret required)"
       exit 1
     fi
-
-    az account set -s "${ARM_SUBSCRIPTION_ID}"
   fi
 }