Commit d9c21cc

federation script (#113)
* federation script * actions: read for actions to share requirements on errors
1 parent de91ac9 commit d9c21cc

2 files changed

+30
-26
lines changed

.github/workflows/gtc-rg-semkernel-api-ci-cd.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,6 +29,7 @@ on:
2929
description: 'Running mode'
3030

3131
permissions:
32+
actions: read
3233
id-token: write
3334
contents: read
3435
security-events: write
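Review bot: `actions: read` is added to the workflow-level `permissions:` block, so it applies to every job in the workflow rather than only to the job that needs to read run data for the error-sharing the commit message mentions. Consider placing it in a job-level `permissions:` block on that job, and add a one-line comment stating why it is required, so the extra grant stays scoped and documented next to the existing `id-token: write`, `contents: read` and `security-events: write` entries.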

README.md

Lines changed: 29 additions & 26 deletions
@@ -196,41 +196,44 @@ Note: The AZURE_SECRETS method uses: az ad sp create-for-rbac --name "COMPANY-SU
196196

197197
[New-AzureGitHubFederation.ps1](https://github.com/goodtocode/cloud-admin/blob/main/scripts/cybersecurity/Azure-GitHub-Federation/New-AzureGitHubFederation.ps1)
198198
```
199-
Install-Module Az #-Force #Force will update the module if it is already installed
199+
# Install required modules
200+
Install-Module Az.Accounts,Az.Resources -Scope CurrentUser -Force
200201
202+
# Login to Azure
201203
Connect-AzAccount -SubscriptionId $SubscriptionId -UseDeviceAuthentication
202-
```
203-
```
204-
# Create a new Azure AD App Registration application and service principal
205-
$existingAppRegistration = Get-AzADApplication -Filter "displayName eq '$PrincipalName'"
206-
if (-not $existingAppRegistration) {
207-
New-AzADApplication -DisplayName $PrincipalName
208-
}
209-
$clientId = (Get-AzADApplication -DisplayName $PrincipalName).AppId
210204
211-
New-AzADServicePrincipal -ApplicationId $clientId
212-
$objectId = (Get-AzADServicePrincipal -DisplayName $PrincipalName).Id
205+
# Get App Registration object (Application object)
206+
$app = Get-AzADApplication -DisplayName $PrincipalName
207+
if (-not $app) {
208+
$app = New-AzADApplication -DisplayName $PrincipalName
209+
}
210+
Write-Host "App Registration (Client) Id: $($app.AppId)"
211+
$clientId = $app.AppId
212+
$appObjectId = $app.Id
213+
214+
# Create Service Principal and assign role
215+
$sp = Get-AzADServicePrincipal -DisplayName $PrincipalName
216+
if (-not $sp) {
217+
$sp = New-AzADServicePrincipal -ApplicationId $clientId
218+
}
219+
Write-Host "Service Principal Id: $($sp.Id)"
220+
$spObjectId = $sp.Id
221+
New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId"
213222
214-
New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId"
215-
$clientId = (Get-AzADApplication -DisplayName $PrincipalName).AppId
216223
$tenantId = (Get-AzContext).Subscription.TenantId
217-
```
218-
```
219-
# Create new App Registration Federated Credentials for the GitHub operations
220-
$subjectRepo = $subjectRepo = "repo:" + $Organization + "/" + $Repository + ":environment:" + $Environment
221224
222-
New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-repo" -Subject "$subjectRepo"
225+
# Create new App Registration Federated Credentials for the GitHub operations
226+
$subjectRepo = "repo:" + $Organization + "/" + $Repository + ":environment:" + $Environment
227+
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-repo" -Subject "$subjectRepo"
223228
$subjectRepoMain = "repo:" + $Organization + "/" + $Repository + ":ref:refs/heads/main"
224-
225-
New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-main" -Subject "$subjectRepoMain"
229+
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-main" -Subject "$subjectRepoMain"
226230
$subjectRepoPR = "repo:" + $Organization + "/" + $Repository + ":pull_request"
231+
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-PR" -Subject "$subjectRepoPR"
227232
228-
New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-PR" -Subject "$subjectRepoPR"
233+
Write-Host "AZURE_TENANT_ID: $tenantId"
234+
Write-Host "AZURE_SUBSCRIPTION_ID: $SubscriptionId"
235+
Write-Host "AZURE_CLIENT_ID: $clientId"
229236
```
230-
In GitHub repo environment: Add the az login secrets:
231-
- AZURE_CLIENT_ID
232-
- AZURE_TENANT_ID
233-
- AZURE_SUBSCRIPTION_ID
234237

235238
## Azure DevOps Pipelines (.azure-devops folder)
236239
Azure DevOps pipelines require an Azure Service Connection to authenticate and deploy resources to Azure.
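Review bot: the new block makes App Registration and Service Principal creation idempotent, but `New-AzRoleAssignment` and the three `New-AzADAppFederatedCredential` calls still run unconditionally, so a second run of the script fails on the already-existing role assignment and credentials; guard them the same way, e.g. `if (-not (Get-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId")) { New-AzRoleAssignment ... }`. Two further points on the same lines: the role is still Contributor at subscription scope, which is broader than a single resource-group deployment needs, so a resource-group `-Scope` (or a parameter for it) would better match least privilege, and the `$PrincipalName-PR` credential with subject `...:pull_request` lets any pull_request workflow run in the repo obtain that Contributor token, which is worth confirming as intended. The removed lines "In GitHub repo environment: Add the az login secrets: AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID" were the only place the README told the reader where the values now printed by `Write-Host` go; keep an equivalent sentence after the code block. The switch from `$objectId` (the service principal) to `$appObjectId` for `-ApplicationObjectId` and the removal of the duplicated `$subjectRepo = $subjectRepo =` assignment are correct fixes.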
@@ -265,7 +268,7 @@ The key differences between Entity Framework (EF) and Semantic Kernel memory:
265268
- SM: Use SM for long-term memory, chatbots, question-answering systems, and information retrieval.
266269

267270
# Contact
268-
* [GitHub Repo](https://www.github.com/goodtocode/templates)
271+
* [GitHub Repo](https://www.github.com/goodtocode/semantickernel-microservice)
269272
* [@goodtocode](https://www.twitter.com/goodtocode)
270273
* [github.com/goodtocode](https://www.github.com/goodtocode)
271274
