16 changes: 4 additions & 12 deletions .github/actions/devcontainer_run_command/action.yml
Expand Up @@ -223,17 +223,6 @@ runs:
run: |
echo "ACR_DOMAIN_SUFFIX=$(az cloud show --query suffixes.acrLoginServerEndpoint --output tsv)" >> $GITHUB_ENV

- name: Get GitHub OIDC Token
id: get_oidc_token
shell: bash
run: |
# Request the GitHub OIDC token for federated authentication
OIDC_TOKEN=$(curl -sLS "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" -H "Accept: application/json; api-version=2.0" | jq -r '.value')

# Write token to a temporary file for safe transport into container
echo "$OIDC_TOKEN" > /tmp/github_oidc_token
chmod 600 /tmp/github_oidc_token

- name: Run command in DevContainer
shell: bash
run: |
Expand All @@ -250,7 +239,7 @@ runs:
"type=bind,src=${{ github.workspace }},dst=/workspaces/tre" \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "./command.sh:/workspaces/tre/command.sh" \
-v "/tmp/github_oidc_token:/tmp/github_oidc_token:ro" \
-v "$HOME/.azure:/home/vscode/.azure" \
--workdir /workspaces/tre \
--user vscode \
-e TF_INPUT="0" \
Expand All @@ -267,6 +256,9 @@ runs:
-e ARM_CLIENT_ID="${{ inputs.AZURE_CLIENT_ID }}" \
-e ARM_TENANT_ID="${{ inputs.AZURE_TENANT_ID }}" \
-e ARM_SUBSCRIPTION_ID="${{ inputs.AZURE_SUBSCRIPTION_ID }}" \
-e ARM_USE_OIDC="true" \
-e ACTIONS_ID_TOKEN_REQUEST_URL \
-e ACTIONS_ID_TOKEN_REQUEST_TOKEN \
-e TF_VAR_terraform_state_container_name="${{ (inputs.TERRAFORM_STATE_CONTAINER_NAME != ''
&& inputs.TERRAFORM_STATE_CONTAINER_NAME) || 'tfstate' }}" \
-e TF_VAR_mgmt_storage_account_name="${{ inputs.MGMT_STORAGE_ACCOUNT_NAME }}" \
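Review bot: The two new `-e ACTIONS_ID_TOKEN_REQUEST_URL` / `-e ACTIONS_ID_TOKEN_REQUEST_TOKEN` lines in the third hunk put the job's token-request credential into the container environment, which lets any process in the container mint fresh OIDC tokens for any audience until the job ends, whereas the removed step exchanged it once for a single api://AzureADTokenExchange token and exposed only that, mode 600 and mounted read-only. Since /var/run/docker.sock is mounted as well, the variable is also readable from the host side of that socket. If this wider grant is deliberate because the azurerm provider reads these variables itself under ARM_USE_OIDC, a comment beside the two lines should say so, e.g. `# Terraform's azurerm provider exchanges these for its own federated token (ARM_USE_OIDC); they are job-scoped credentials, not a single pre-minted token`. The `$HOME/.azure` mount in the second hunk is now the container's only source of Azure CLI login state and is shared read-write with the runner; worth stating in the same comment that az inside the container relies on the host login rather than on the removed token file.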
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,7 @@
ENHANCEMENTS:
* Add interactive browser login method to TRE CLI for easier authentication ([#4856](https://github.com/microsoft/AzureTRE/issues/4856))
* Harden security of the app gateway. ([#4863](https://github.com/microsoft/AzureTRE/pull/4863))
* Pass OIDC vars directly to the devcontainer ([#4871](https://github.com/microsoft/AzureTRE/issues/4871))

BUG FIXES:
* Fix property substitution not occuring where there is only a main step in the pipeline ([#4824](https://github.com/microsoft/AzureTRE/issues/4824))
27 changes: 4 additions & 23 deletions devops/scripts/bootstrap_azure_env.sh
Expand Up @@ -28,26 +28,12 @@ load_environment_config() {

ensure_automation_login() {
if [[ -n "${TF_IN_AUTOMATION:-}" ]]; then
az cloud set --name "${AZURE_ENVIRONMENT}"

# Use OIDC-based login for GitHub Actions
if [[ -f "/tmp/github_oidc_token" ]]; then
# Use the GitHub OIDC token from file for federated authentication
az login --service-principal \
--username "${ARM_CLIENT_ID}" \
--tenant "${ARM_TENANT_ID}" \
--allow-no-subscriptions \
--federated-token "$(cat /tmp/github_oidc_token)"
elif [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
# Fallback to classic service principal login (for backwards compatibility)
echo "Warning: Using classic service principal authentication. Consider migrating to OIDC."
if [[ -n "${ARM_CLIENT_SECRET:-}" ]]; then
echo "Warning: Using classic service principal authentication."
az cloud set --name "${AZURE_ENVIRONMENT}"
az login --service-principal -u "${ARM_CLIENT_ID}" -p "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}"
else
echo "Error: No authentication method available (OIDC token or client secret required)"
exit 1
az account set -s "${ARM_SUBSCRIPTION_ID}"
fi

az account set -s "${ARM_SUBSCRIPTION_ID}"
fi
}

Expand All @@ -67,11 +53,6 @@ set_account_context() {

export ARM_STORAGE_USE_AZUREAD=true
export ARM_USE_AZUREAD=true
# Force Terraform to use Azure CLI authentication. GitHub Actions OIDC
# (federated) tokens are short-lived and are not reliably available inside
# the devcontainer after their initial lifetime, which can cause Terraform
# authentication to fail. Using ARM_USE_CLI=true avoids this issue.
export ARM_USE_CLI=true

echo -e "\e[34m»»» 🔨 \e[96mAzure details from logged on user \e[0m"
echo -e "\e[34m»»» • \e[96mSubscription: \e[33m${subscription_name}\e[0m"
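Review bot: With the `elif`/`else` arms dropped, ensure_automation_login now does nothing when TF_IN_AUTOMATION is set but ARM_CLIENT_SECRET is empty — no `az cloud set`, no `az account set -s "${ARM_SUBSCRIPTION_ID}"`, and the former "No authentication method available" exit is gone, so a missing or stale CLI login only surfaces later as an opaque failure in set_account_context, whose "Azure details from logged on user" output assumes a login exists. Terraform is covered by ARM_USE_OIDC, but the az CLI calls in this script are not, and this function no longer verifies the login they depend on. Consider keeping a guard on the non-secret path, e.g. `az account show >/dev/null 2>&1 || { echo "Error: no Azure CLI login available and ARM_CLIENT_SECRET is not set" >&2; exit 1; }` followed by `az account set -s "${ARM_SUBSCRIPTION_ID}"`, so misconfiguration fails where it did before. The removal of `export ARM_USE_CLI=true` in the second hunk is consistent with the CLI no longer being Terraform's credential source, but a one-line comment above the remaining exports noting that Terraform now authenticates via OIDC while az still needs its own login would save the next reader from re-adding it.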