Using an Azure managed identity to authenticate in GitHub workflow actions

We can federate our managed identity in a more flexible manner, which matters when we use it from GitHub Actions and want builds from different branches to authenticate without creating one federated credential per branch and running into the limit of 20 federated credentials per identity.

Here is the first attempt at federating the managed identity with a branch wildcard (the az CLI parameter is --audiences; --subject is stored as a literal string):

az identity federated-credential create --name "github-actions-main" --identity-name %IDENTITY_NAME% --resource-group %RG_NAME% --issuer "https://token.actions.githubusercontent.com" --subject "claims['sub'] matches 'repo:%REPO%:ref:refs/heads/*'" --audiences "api://AzureADTokenExchange"

Checking the created credential in the Azure portal gives more information:


However, when trying to run this from GitHub, I am still not able to get it to run successfully. There is a good reason for that.


The reason I am getting the AADSTS700213 error ("No matching federated identity record found for presented assertion subject"; the comparison is case-sensitive) is that user-assigned managed identities do not yet support wildcard matching on the OIDC subject. The --subject value of a managed identity's federated credential is stored and compared as a literal string, so the credential created above only matches a token whose sub claim is literally the text claims['sub'] matches 'repo:%REPO%:ref:refs/heads/*', which GitHub never issues.

Azure recently introduced "flexible federated identity credentials", which is the feature that allows the claims['sub'] matches '...*' expression. At the time of writing it is only available for app registrations (application objects). A flexible credential also carries the expression in a separate claimsMatchingExpression property with the subject left empty, rather than placing the expression in the subject. For managed identities, Entra ID still enforces strict, exact-string matching on the subject claim, so when GitHub presents the real branch subject (for example repo:%REPO%:ref:refs/heads/main) Entra ID rejects it as a mismatch against the stored wildcard expression.

In Microsoft Entra ID terminology, "application objects" refers specifically to app registrations. User-assigned managed identities also use workload identity federation, but they are backed by service principal objects rather than application objects, and their federated credentials live on the managed identity resource itself. Because of this architectural difference under the hood, Microsoft has not yet rolled out the flexible credentials (wildcard) preview feature to managed identities.

You can run the following Graph call to try this out against an app registration. Replace the ID in the URL with the object ID of the application object (the "Object ID" shown on the app registration's overview page), not the ID of its service principal, because the /applications endpoint addresses application objects. This works for an app registration and will not work for a managed identity. Note that the pattern is compared literally, so it must not contain stray whitespace before repo:.

flexfic.json:

{
  "name": "FlexFic1",
  "issuer": "https://token.actions.githubusercontent.com",
  "audiences": ["api://AzureADTokenExchange"],
  "claimsMatchingExpression": {
    "value": "claims['sub'] matches 'repo:kepungnzai/dot-net-gw:ref:refs/heads/*'",
    "languageVersion": 1
  }
}

az rest --method post --url https://graph.microsoft.com/beta/applications/%APP_OBJECT_ID%/federatedIdentityCredentials --headers "Content-Type=application/json" --body @flexfic.json

In short, flexible federated credentials cannot currently be used with a managed identity, but they can be used with an Azure app registration. For a managed identity the options today are one exact-subject credential per branch or environment (within the per-identity credential limit) or moving the workflow to an app registration. Since this is a preview feature that is still being rolled out, check the current Microsoft documentation for managed identity support before designing around the limitation.
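To make the exact-string versus wildcard behaviour concrete, here is an added example (my own code, not from the original post and not Microsoft's implementation) that models locally how a GitHub OIDC token's iss/sub/aud claims are checked against the two credential kinds: an exact-subject credential as created by az identity federated-credential create --subject, and a flexible credential carrying a claims['sub'] matches '...' expression. The wildcard semantics (a single * matches any run of characters, everything else is literal and case-sensitive), the credential names, the sample tokens and the 20-credential cap are assumptions made for the example.

```python
# Added example: a local model of federated identity credential matching for
# GitHub OIDC tokens. Not the post's code and not Entra ID's real implementation;
# the wildcard semantics below are a simplified assumption.
import re
from dataclasses import dataclass

ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "api://AzureADTokenExchange"
MAX_FEDERATED_CREDENTIALS = 20  # per-identity limit assumed from the post


@dataclass(frozen=True)
class ExactCredential:
    name: str
    subject: str          # compared against the token's sub as a literal string


@dataclass(frozen=True)
class FlexibleCredential:
    name: str
    expression: str       # e.g. "claims['sub'] matches 'repo:org/repo:ref:refs/heads/*'"


# Only the one expression shape used on this page is modelled.
_MATCHES_EXPR = re.compile(r"^claims\['sub'\]\s+matches\s+'([^']*)'$")


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' becomes '.*'; every other character must match literally (assumed semantics)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def credential_accepts(cred, token: dict) -> bool:
    """True if this credential would accept the token's iss, sub and aud claims."""
    if token.get("iss") != ISSUER or token.get("aud") != AUDIENCE:
        return False
    sub = token.get("sub", "")
    if isinstance(cred, ExactCredential):
        return sub == cred.subject            # strict, case-sensitive equality
    m = _MATCHES_EXPR.match(cred.expression)
    if not m:
        raise ValueError(f"unsupported expression: {cred.expression!r}")
    return wildcard_to_regex(m.group(1)).match(sub) is not None


def find_matching_credential(creds, token: dict):
    """Name of the first credential that accepts the token, or None (the AADSTS700213 case)."""
    for cred in creds:
        if credential_accepts(cred, token):
            return cred.name
    return None


def github_sub(repo: str, branch: str) -> str:
    """Subject claim GitHub issues for a workflow run on a branch."""
    return f"repo:{repo}:ref:refs/heads/{branch}"


def exact_credentials_for_branches(repo: str, branches):
    """The per-branch exact credentials a managed identity needs today; enforces the cap."""
    if len(branches) > MAX_FEDERATED_CREDENTIALS:
        raise ValueError(f"{len(branches)} branches exceed the {MAX_FEDERATED_CREDENTIALS} credential limit")
    return [ExactCredential(f"github-{b.replace('/', '-')}", github_sub(repo, b)) for b in branches]


# Constructed sample data: the repo named in the post and tokens GitHub would mint.
REPO = "kepungnzai/dot-net-gw"
TOKEN_MAIN = {"iss": ISSUER, "aud": AUDIENCE, "sub": github_sub(REPO, "main")}
TOKEN_FEATURE = {"iss": ISSUER, "aud": AUDIENCE, "sub": github_sub(REPO, "feature/login")}
TOKEN_PR = {"iss": ISSUER, "aud": AUDIENCE, "sub": f"repo:{REPO}:pull_request"}
TOKEN_WRONG_AUD = {"iss": ISSUER, "aud": "api://SomethingElse", "sub": github_sub(REPO, "main")}

# What the post's first az command actually stored: the expression text as a literal subject.
MISUSED_EXACT = ExactCredential(
    "github-actions-main", f"claims['sub'] matches 'repo:{REPO}:ref:refs/heads/*'")
# What a managed identity supports: one exact subject.
EXACT_MAIN = ExactCredential("github-main", github_sub(REPO, "main"))
# What the Graph claimsMatchingExpression body creates on an app registration.
FLEX_BRANCHES = FlexibleCredential(
    "FlexFic1", f"claims['sub'] matches 'repo:{REPO}:ref:refs/heads/*'")

if __name__ == "__main__":
    for label, tok in [("main", TOKEN_MAIN), ("feature", TOKEN_FEATURE), ("pr", TOKEN_PR)]:
        print(label,
              "misused:", find_matching_credential([MISUSED_EXACT], tok),
              "exact:", find_matching_credential([EXACT_MAIN], tok),
              "flex:", find_matching_credential([FLEX_BRANCHES], tok))
```

Running it shows the credential from the first az command never matching anything (its stored subject is the expression text), the exact credential matching only main, and the flexible credential matching every refs/heads/* branch but not a pull_request subject or a token with the wrong audience.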





