self-hosted-runner: switch to federated credentials

dscho · dscho · commit d6c574944432 · 2025-01-17T19:04:01.000+01:00
Instead of storing stealable credentials in repository secrets, let's
create a managed identity instead and use federated credentials via
GitHub Actions' support for OpenID Connect.

This binds the authorization to GitHub workflows running in a specific
repository, and stealing the information won't enable an attacker to get
authorized to use the Azure subscription.

Note that this change _does_ require Client ID, Tenant ID and
Subscription ID to be stored separately as repository secrets (although
they do not _technically_ need to be kept secret, security is a game of
layers, so why give away this information?).

Also note that for some strange reason, the `contents: read` permission
seems to be lost when introducing a `permissions:` section. Therefore we
have to add it back explicitly, otherwise `actions/checkout` will fail
in a private repository.

Signed-off-by: Johannes Schindelin &lt;johannes.schindelin@gmx.de&gt;
diff --git a/.github/workflows/azure-login/action.yml b/.github/workflows/azure-login/action.yml
@@ -1,43 +1,31 @@
 name: Azure Login
 description: Logs into Azure using a service principal
 inputs:
-  credentials:
-    description: Your credentials in JSON format
+  client-id:
+    description: The Client ID of the Azure Managed Identity
+    required: true
+  tenant-id:
+    description: The Tenant ID of the Azure Managed Identity (i.e. the Azure Active Directory in which the Identity lives)
     required: true
 
 runs:
   using: "composite"
   steps:
-    - name: Process Azure credentials
+    - name: Obtain OpenID Connect token
       uses: actions/github-script@v7
-      env:
-        AZURE_CREDENTIALS: ${{ inputs.credentials }}
-      with:
-        script: |
-          if (!process.env.AZURE_CREDENTIALS) {
-            core.setFailed('The AZURE_CREDENTIALS secret is required.')
-            process.exit(1)
-          }
-          
-          const azureCredentials = JSON.parse(process.env.AZURE_CREDENTIALS)
-          const {clientId, clientSecret, tenantId, subscriptionId} = azureCredentials
-
-          core.setSecret(clientId)
-          core.exportVariable('AZURE_CLIENT_ID', clientId)
-
-          core.setSecret(clientSecret)
-          core.exportVariable('AZURE_CLIENT_SECRET', clientSecret)
-
-          core.setSecret(tenantId)
-          core.exportVariable('AZURE_TENANT_ID', tenantId)
+        id: token
+        with:
+          script: |
+            const token = await core.getIDToken('api://AzureADTokenExchange')
+            core.setSecret(token)
+            return token
 
-          core.setSecret(subscriptionId)
-          core.exportVariable('AZURE_SUBSCRIPTION_ID', subscriptionId)
-    
     - name: Azure Login
       shell: bash
       run: |
         echo "Logging into Azure..."
-        az login --service-principal -u ${{ env.AZURE_CLIENT_ID }} -p ${{ env.AZURE_CLIENT_SECRET }} --tenant ${{ env.AZURE_TENANT_ID }}
-        echo "Setting subscription..."
-        az account set --subscription ${{ env.AZURE_SUBSCRIPTION_ID }} --output none
+        az login --service-principal \
+          --username ${{ inputs.client-id }} \
+          --tenant ${{ inputs.tenant-id }} \
+          --federated-token ${{ steps.token.outputs.result }} \
+          --output none
diff --git a/.github/workflows/cleanup-self-hosted-runners.yml b/.github/workflows/cleanup-self-hosted-runners.yml
@@ -7,12 +7,28 @@ on:
     - cron: "0 */6 * * *"
   workflow_dispatch:
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 # The following secrets are required for this workflow to run:
-# AZURE_CREDENTIALS - Credentials for the Azure CLI. It's recommended to set up a resource
-#                     group specifically for self-hosted Actions Runners.
-#   az ad sp create-for-rbac --name "{YOUR_DESCRIPTIVE_NAME_HERE}" --role contributor \
-#     --scopes /subscriptions/{SUBSCRIPTION_ID_HERE}/resourceGroups/{RESOURCE_GROUP_HERE} \
-#     --sdk-auth
+# AZURE_CLIENT_ID - The Client ID of an Azure Managed Identity. It is recommended to set up a resource
+#                   group specifically for self-hosted Actions Runners, and to add a federated identity
+#                   to authenticate as the currently-running GitHub workflow.
+#   az identity create --name <managed-identity-name> -g <resource-group>
+#   az identity federated-credential create \
+#     --identity-name <managed-identity-name> \
+#     --resource-group <resource-group> \
+#     --name github-workflow \
+#     --issuer https://token.actions.githubusercontent.com \
+#     --subject repo:git-for-windows/git-for-windows-automation:ref:refs/heads/main \
+#     --audiences api://AzureADTokenExchange
+#   MSYS_NO_PATHCONV=1 \
+#   az role assignment create \
+#     --assignee <client-id-of-managed-identity> \
+#     --scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' \
+#     --role 'Contributor'
+# AZURE_TENANT_ID - The Tenant ID of the Azure Managed Identity (i.e. the Azure Active Directory in which
+#                   the Identity lives)
 # AZURE_RESOURCE_GROUP - Resource group to find the runner(s) in. It's recommended to set up a resource
 #                        group specifically for self-hosted Actions Runners.
 jobs:
@@ -24,8 +40,8 @@ jobs:
     - name: Azure Login
       uses: ./.github/workflows/azure-login
       with:
-        credentials: ${{ secrets.AZURE_CREDENTIALS }}
-
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
     - name: Discover VMs to delete
       env:
         GH_APP_ID: ${{ secrets.GH_APP_ID }}
diff --git a/.github/workflows/create-azure-self-hosted-runners.yml b/.github/workflows/create-azure-self-hosted-runners.yml
@@ -53,12 +53,29 @@ env:
   AZURE_VM_REGION: westus2
   AZURE_VM_IMAGE: win11-24h2-ent
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+  contents: read
+
 # The following secrets are required for this workflow to run:
-# AZURE_CREDENTIALS - Credentials for the Azure CLI. It's recommended to set up a resource
-#                     group specifically for self-hosted Actions Runners.
-#   az ad sp create-for-rbac --name "{YOUR_DESCRIPTIVE_NAME_HERE}" --role contributor \
-#     --scopes /subscriptions/{SUBSCRIPTION_ID_HERE}/resourceGroups/{RESOURCE_GROUP_HERE} \
-#     --sdk-auth
+# AZURE_CLIENT_ID - The Client ID of an Azure Managed Identity. It is recommended to set up a resource
+#                   group specifically for self-hosted Actions Runners, and to add a federated identity
+#                   to authenticate as the currently-running GitHub workflow.
+#   az identity create --name <managed-identity-name> -g <resource-group>
+#   az identity federated-credential create \
+#     --identity-name <managed-identity-name> \
+#     --resource-group <resource-group> \
+#     --name github-workflow \
+#     --issuer https://token.actions.githubusercontent.com \
+#     --subject repo:git-for-windows/git-for-windows-automation:ref:refs/heads/main \
+#     --audiences api://AzureADTokenExchange
+#   MSYS_NO_PATHCONV=1 \
+#   az role assignment create \
+#     --assignee <client-id-of-managed-identity> \
+#     --scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' \
+#     --role 'Contributor'
+# AZURE_TENANT_ID - The Tenant ID of the Azure Managed Identity (i.e. the Azure Active Directory in which
+#                   the Identity lives)
 # AZURE_RESOURCE_GROUP - Resource group to create the runner(s) in
 # AZURE_VM_USERNAME - Username of the VM so you can RDP into it
 # AZURE_VM_PASSWORD - Password of the VM so you can RDP into it
@@ -163,8 +180,9 @@ jobs:
     - name: Azure Login
       uses: ./.github/workflows/azure-login
       with:
-        credentials: ${{ secrets.AZURE_CREDENTIALS }}
-    
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+
     - uses: azure/arm-deploy@v2
       id: deploy-arm-template
       with:
diff --git a/.github/workflows/delete-self-hosted-runner.yml b/.github/workflows/delete-self-hosted-runner.yml
@@ -12,21 +12,43 @@ on:
 env:
   ACTIONS_RUNNER_NAME: ${{ github.event.inputs.runner_name }}
 
+permissions:
+  id-token: write # required for Azure login via OIDC
+
 # The following secrets are required for this workflow to run:
-# AZURE_CREDENTIALS - Credentials for the Azure CLI. It's recommended to set up a resource
-#                     group specifically for self-hosted Actions Runners.
-#   az ad sp create-for-rbac --name "{YOUR_DESCRIPTIVE_NAME_HERE}" --role contributor \
-#     --scopes /subscriptions/{SUBSCRIPTION_ID_HERE}/resourceGroups/{RESOURCE_GROUP_HERE} \
-#     --sdk-auth
-# AZURE_RESOURCE_GROUP - Resource group to create the runner(s) in
+# AZURE_CLIENT_ID - The Client ID of an Azure Managed Identity. It is recommended to set up a resource
+#                   group specifically for self-hosted Actions Runners, and to add a federated identity
+#                   to authenticate as the currently-running GitHub workflow.
+#   az identity create --name <managed-identity-name> -g <resource-group>
+#   az identity federated-credential create \
+#     --identity-name <managed-identity-name> \
+#     --resource-group <resource-group> \
+#     --name github-workflow \
+#     --issuer https://token.actions.githubusercontent.com \
+#     --subject repo:git-for-windows/git-for-windows-automation:ref:refs/heads/main \
+#     --audiences api://AzureADTokenExchange
+#   MSYS_NO_PATHCONV=1 \
+#   az role assignment create \
+#     --assignee <client-id-of-managed-identity> \
+#     --scope '/subscriptions/<subscription-id>/resourceGroups/<resource-group>' \
+#     --role 'Contributor'
+# AZURE_TENANT_ID - The Tenant ID of the Azure Managed Identity (i.e. the Azure Active Directory in which
+#                   the Identity lives)
+# AZURE_SUBSCRIPTION_ID - The Subscription ID with which the Azure Managed Identity is associated
+#                         (technically, this is not necessary for `az login --service-principal` with a
+#                         managed identity, but `Azure/login` requires it anyway)
+# AZURE_RESOURCE_GROUP - Resource group to find the runner in. It's recommended to set up a resource
+#                        group specifically for self-hosted Actions Runners.
 jobs:
   delete-runner:
     runs-on: ubuntu-latest
     steps:
     - name: Azure Login
       uses: azure/login@v2
       with:
-        creds: ${{ secrets.AZURE_CREDENTIALS }}
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     - name: Delete VM '${{ env.ACTIONS_RUNNER_NAME }}'
       uses: azure/CLI@v2
       with:
