Tags: azure, github-actions, workflow, azure-service-principal, service-principal

Set output of GitHub Actions workflow after using azure/login@v2 step


I faced a problem when I was trying to move from client-secret to OIDC sign-in using GitHub Actions. The code that I currently have:

on:
  workflow_call:
    secrets:
      azure-credentials:
        required: true
    outputs:
      acsEmailWriteRoleId:
        value: ${{ jobs.deploy_arm.outputs.acsEmailWriteRoleId }}
      
jobs:
  deploy_arm:
    name: Deploy ARM
    runs-on: ubuntu-latest
    outputs:
      acsEmailWriteRoleId: ${{ steps.subscription_arm_deployment.outputs.acsEmailWriteRoleId }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Log into Azure
        uses: azure/login@v2
        with:
          creds: ${{ secrets.azure-credentials }}


      - name: Deploy Bicep
        uses: azure/arm-deploy@v2
        id: subscription_arm_deployment
        with:
          scope: subscription
          region: polandcentral
          template: .azure/bicep/subscription.bicep
          failOnStdErr: false

The code I had after my attempt to change to OIDC:

on:
  workflow_call:
    secrets:
      azure-client-id:
        required: true
      azure-tenant-id:
        required: true
      azure-subscription-id:
        required: true
    outputs:
      acsEmailWriteRoleId:
        value: ${{ jobs.deploy_arm.outputs.acsEmailWriteRoleId }}
      
jobs:
  deploy_arm:
    name: Deploy ARM
    runs-on: ubuntu-latest
    outputs:
      acsEmailWriteRoleId: ${{ steps.subscription_arm_deployment.outputs.acsEmailWriteRoleId }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Log into Azure
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.azure-client-id }}
          tenant-id: ${{ secrets.azure-tenant-id }}
          subscription-id: ${{ secrets.azure-subscription-id }}

      - name: Deploy Bicep
        uses: azure/arm-deploy@v2
        id: subscription_arm_deployment
        with:
          scope: subscription
          region: polandcentral
          template: .azure/bicep/subscription.bicep
          failOnStdErr: false

When I changed the step to use the OIDC sign-in method, I get this warning in the Complete Job step: "Warning: Skip output 'acsEmailWriteRoleId' since it may contain secret."

I can't find out if there is a way to make it work with OIDC. I expect that it is possible to export variables from a workflow so that I can use them in the parent workflow.


Solution

  • I've found the root cause of this problem. In my GitHub secrets, I had AZURE_SUBSCRIPTION_ID. That value was contained within the roleId I tried to output from the workflow. GitHub Actions evaluates whether the wanted output contains one of the repository's secrets and, if that's the case, it won't allow these values to be output.

    This is the format of the output: /subscriptions/AZURE_SUBSCRIPTION_ID/providers/Microsoft.Authorization/roleDefinitions/roleId

    My solution was to move AZURE_SUBSCRIPTION_ID to repository variables instead of secrets, and now it's working correctly.
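The masking rule described in the answer, as an added example that is not part of the question or the answer: a POSIX shell step that reproduces the "skip output if it contains a secret value" check over constructed sample values, and that derives an output (the trailing roleDefinitions GUID) which no longer embeds the subscription id. The function names, the sample GUIDs and the secret list are assumptions made for the illustration; in a real job the subscription id would be the value the answer moved to a repository variable.

```shell
#!/bin/sh
# Added example (not from the original question or answer). It mimics the
# check GitHub Actions applies to job outputs: an output whose value contains
# any registered secret value is dropped with the warning quoted above.
# All identifiers below are constructed placeholders, not real Azure values.

# Constructed sample "secret" values, as they would be registered in the repository.
AZURE_SUBSCRIPTION_ID_EXAMPLE="11111111-2222-3333-4444-555555555555"
AZURE_CLIENT_ID_EXAMPLE="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# Constructed full resource id in the format the answer shows; the subscription
# id is embedded in it, so GitHub would refuse to export it as an output.
FULL_ID="/subscriptions/$AZURE_SUBSCRIPTION_ID_EXAMPLE/providers/Microsoft.Authorization/roleDefinitions/99999999-8888-7777-6666-555555555555"

# Returns 0 (true) when the candidate output ($1) contains any of the secret
# values passed as the remaining arguments. This is the substring condition
# under which GitHub prints "Skip output ... since it may contain secret".
output_contains_secret() {
    candidate="$1"
    shift
    for s in "$@"; do
        [ -n "$s" ] || continue
        case "$candidate" in
            *"$s"*) return 0 ;;
        esac
    done
    return 1
}

# Extracts the trailing roleDefinitions GUID from a full resource id such as
# /subscriptions/<sub>/providers/Microsoft.Authorization/roleDefinitions/<roleId>
role_id_from_resource_id() {
    printf '%s\n' "${1##*/}"
}

# Decides what to export: the full resource id when it is free of secret values,
# otherwise only the role GUID, which the caller can recombine with a
# non-secret subscription id (a repository variable, as in the answer).
safe_role_output() {
    full="$1"
    shift
    if output_contains_secret "$full" "$@"; then
        role_id_from_resource_id "$full"
    else
        printf '%s\n' "$full"
    fi
}

# Stand-alone run: write to $GITHUB_OUTPUT inside a job, otherwise to stdout.
VALUE=$(safe_role_output "$FULL_ID" "$AZURE_SUBSCRIPTION_ID_EXAMPLE" "$AZURE_CLIENT_ID_EXAMPLE")
if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "acsEmailWriteRoleId=$VALUE" >> "$GITHUB_OUTPUT"
else
    echo "acsEmailWriteRoleId=$VALUE"
fi
```

Emitting only the role GUID is an alternative to the answer's fix when the calling workflow needs just the role id; reclassifying the subscription id as a repository variable, as the answer did, is the simpler route when the caller needs the full resource id. In both cases the values that are genuinely secret (client secrets, tokens) stay in secrets, and outputs are constructed so they never contain them, which is exactly what the masking check enforces.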