Add support for AzureAD Managed Identity for the GH Action pnp/action-cli-login
If the CLI supports managed identities, so should the GH action. More: https://discord.com/channels/1022486301536178246/1106617196211347516
I’ve been looking into this and it’s not as straightforward as just enabling the identity options in the GH action.
I’m certainly not an identity expert, but here are my thoughts/findings.
Our current implementation of managed identity assumes that it has been enabled on the Azure resource that the CLI commands are to be invoked from.
We support both system-assigned and user-assigned managed identity for this scenario.
When managed identity is enabled, a local endpoint is exposed to the resource. The CLI makes a request to this endpoint to obtain an access token when `identity` is passed as the value of the type option on the `m365 login` command. The local endpoint is only accessible from the resource.
Using managed identity from a GitHub workflow requires a different approach. A Federated Identity needs to be configured on the user-assigned managed identity resource. This is used to obtain an access token from GitHub, which can be used to access protected Azure AD resources.
See: https://yourazurecoach.com/2022/12/29/use-github-actions-with-user-assigned-managed-identity/
The good news is that the @azure/login action appears to support this approach.
I’ll delve into that a little more to work out an approach, just wanted to provide an update.
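To make the federated approach described in the comment above concrete, here is a GitHub workflow that signs in with a user-assigned managed identity through GitHub's OIDC federation via azure/login. This is an added example written for this page; it is not code from the thread, from the CLI for Microsoft 365 project, or from the pnp/action-cli-login action. The variable names (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID) and the repository/branch in the federated-credential subject are assumptions. It stops after azure/login, since the thread notes that the CLI-side access token login still had to be implemented.

```yaml
# Added example, not part of this thread or the pnp/action-cli-login action.
# Signs in to Azure AD with a user-assigned managed identity through GitHub's
# OIDC federation. No client secret is stored in GitHub: the runner requests a
# short-lived OIDC token and azure/login exchanges it for an Azure AD token.
#
# Assumed repository variables (names are hypothetical):
#   AZURE_CLIENT_ID        client ID of the user-assigned managed identity
#   AZURE_TENANT_ID        Azure AD tenant ID
#   AZURE_SUBSCRIPTION_ID  subscription the identity lives in
#
# The federated credential on the managed identity must match this workflow:
#   issuer:   https://token.actions.githubusercontent.com
#   subject:  repo:<org>/<repo>:ref:refs/heads/main   (or ...:environment:<name>)
#   audience: api://AzureADTokenExchange
# Azure AD refuses the exchange if repo, branch/environment or audience differ,
# so scope the subject as narrowly as the workflow trigger allows.
name: Managed identity login via OIDC

on:
  push:
    branches: [main]

permissions:
  id-token: write   # required for the runner to mint an OIDC token
  contents: read    # checkout only; no other write permissions needed

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # azure/login uses the federated flow when no client-secret is supplied.
      - name: Azure login (federated, user-assigned managed identity)
        uses: azure/login@v1
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # Sanity check that the session belongs to the expected tenant/subscription.
      - name: Show signed-in context
        run: az account show --query '{tenant:tenantId, subscription:id}' -o table
```

The `id-token: write` permission is the one that matters: without it the runner cannot request an OIDC token and azure/login fails, and no other elevated permission is needed for the exchange itself.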
Hi @garrytrinder, what do you think? Should we proceed with this issue, or will it be a lot of struggling to get it working?
Hi @milanholemans, as soon as we've implemented access token login, this issue will be relatively easy to implement. I'd propose we keep this open for now and pick it up right after.