
configuring-azure-oidc-for-github-actions

Sets up branch-scoped Azure OIDC for GitHub Actions — creates service principals, federated credentials bound to each branch's refs/heads/{branch}, generates SQL passwords, and sets GitHub secrets. Use when bootstrapping CI/CD, onboarding a new environment branch, or fixing AADSTS70021 subject mismatches.
alexpizarro/azure-lean-stack-skills · ★ 1 · DevOps & Infrastructure · score 74
Install: claude install-skill alexpizarro/azure-lean-stack-skills
# Configuring Azure OIDC for GitHub Actions

Sets up secret-less Azure authentication for GitHub Actions. After running these scripts, deploys work via `git push` with no client secrets to rotate.

## Why OIDC

- No client secrets stored in GitHub or in code
- Branch-scoped: the `test` SP can't deploy to `production` and vice versa
- Federated credential subject is bound to `refs/heads/{branch}` exactly — drift causes `AADSTS70021`

## Workflow checklist

Copy this checklist into your response and check items off as you complete them:

```
OIDC + GitHub Actions setup:
- [ ] Step 1: Verify az login + gh auth login (and AZURE_CONFIG_DIR if shared machine)
- [ ] Step 2: Confirm GitHub repo exists, branches (test, production) created
- [ ] Step 3: Run scripts/create-sp-with-oidc.sh → creates test + prod SPs + federated creds
- [ ] Step 4: Run scripts/generate-sql-password.sh → SQL admin passwords
- [ ] Step 5: Run scripts/add-github-secrets.sh → 6 secrets set
- [ ] Step 6: For each additional environment branch (acme-demo, customer-uat, etc.), re-run with that branch name
- [ ] Step 7: First push to test → verify the workflow authenticates (no AADSTS70021)
```

## Setup sequence

Run these scripts in order. Each is idempotent (safe to re-run).

```bash
# Prerequisites: az login and gh auth login already done.
# Use AZURE_CONFIG_DIR if this project shares a machine with others.
export ORG="acme"          # short org prefix
export PROJECT="taskapp"   # short project name
exp
```
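The exact-match rule behind `AADSTS70021`, as an added example that is not one of the skill's own scripts: build the branch-scoped subject a GitHub Actions token carries, emit the parameters file that `az ad app federated-credential create --parameters` accepts, and check a stored subject against the ref a workflow runs on. The org, repo and branch values are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; not part of the skill's scripts/ directory.
set -eu

# GitHub Actions OIDC subject for a branch-scoped credential.
# It must match the token's "sub" claim character-for-character,
# otherwise Entra ID rejects the exchange with AADSTS70021.
expected_subject() {
  org="$1"; repo="$2"; branch="$3"
  printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$branch"
}

# Parameters JSON for: az ad app federated-credential create --id <app-id> --parameters <file>
# Issuer and audience are the fixed values GitHub Actions tokens use.
federated_credential_json() {
  org="$1"; repo="$2"; branch="$3"
  cat <<EOF
{
  "name": "github-${branch}",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "$(expected_subject "$org" "$repo" "$branch")",
  "description": "GitHub Actions, branch ${branch}",
  "audiences": ["api://AzureADTokenExchange"]
}
EOF
}

# Compare the subject stored on the credential with the ref the workflow is
# running on (GITHUB_REF). Returns 0 when they agree, 1 on drift, and prints
# the mismatch so the broken credential can be fixed before the deploy step.
check_subject() {
  stored="$1"; org="$2"; repo="$3"; github_ref="$4"
  branch="${github_ref#refs/heads/}"
  want="$(expected_subject "$org" "$repo" "$branch")"
  if [ "$stored" = "$want" ]; then
    return 0
  fi
  printf 'subject mismatch: credential has %s, token will carry %s\n' "$stored" "$want" >&2
  return 1
}

# Usage with constructed values: a credential bound to "test" is fine for a push
# to test and drifts for a push to production (the branch-scoping the skill relies on).
cred="$(expected_subject acme taskapp test)"
check_subject "$cred" acme taskapp refs/heads/test && echo "test: ok"
check_subject "$cred" acme taskapp refs/heads/production 2>/dev/null || echo "production: drift, as intended"
```

Run `check_subject` against the subject reported by `az ad app federated-credential list --id <app-id>` for each environment branch when a workflow starts failing with `AADSTS70021`.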