1 change: 1 addition & 0 deletions .github/workflows/gtc-rg-semkernel-api-ci-cd.yml
Expand Up @@ -29,6 +29,7 @@ on:
description: 'Running mode'

permissions:
actions: read
id-token: write
contents: read
security-events: write
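Review bot: `security-events: write` only makes sense if this workflow uploads code-scanning results (a SARIF upload step), and the hunk shows it being added next to `id-token: write` in what looks like the top-level `permissions:` block (the hunk context is the `on:` trigger), so every job in the workflow now receives the wider GITHUB_TOKEN. If only one job uploads results, move the `permissions:` block into that job so the other jobs keep `actions: read` and `contents: read` only, and mention in the PR description which step needs the write scope.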
55 changes: 29 additions & 26 deletions README.md
Expand Up @@ -196,41 +196,44 @@ Note: The AZURE_SECRETS method uses: az ad sp create-for-rbac --name "COMPANY-SU

[New-AzureGitHubFederation.ps1](https://github.com/goodtocode/cloud-admin/blob/main/scripts/cybersecurity/Azure-GitHub-Federation/New-AzureGitHubFederation.ps1)
```
Install-Module Az #-Force #Force will update the module if it is already installed
# Install required modules
Install-Module Az.Accounts,Az.Resources -Scope CurrentUser -Force

# Login to Azure
Connect-AzAccount -SubscriptionId $SubscriptionId -UseDeviceAuthentication
```
```
# Create a new Azure AD App Registration application and service principal
$existingAppRegistration = Get-AzADApplication -Filter "displayName eq '$PrincipalName'"
if (-not $existingAppRegistration) {
New-AzADApplication -DisplayName $PrincipalName
}
$clientId = (Get-AzADApplication -DisplayName $PrincipalName).AppId

New-AzADServicePrincipal -ApplicationId $clientId
$objectId = (Get-AzADServicePrincipal -DisplayName $PrincipalName).Id
# Get App Registration object (Application object)
$app = Get-AzADApplication -DisplayName $PrincipalName
if (-not $app) {
$app = New-AzADApplication -DisplayName $PrincipalName
}
Write-Host "App Registration (Client) Id: $($app.AppId)"
$clientId = $app.AppId
$appObjectId = $app.Id

# Create Service Principal and assign role
$sp = Get-AzADServicePrincipal -DisplayName $PrincipalName
if (-not $sp) {
$sp = New-AzADServicePrincipal -ApplicationId $clientId
}
Write-Host "Service Principal Id: $($sp.Id)"
$spObjectId = $sp.Id
New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId"

New-AzRoleAssignment -ObjectId $objectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId"
$clientId = (Get-AzADApplication -DisplayName $PrincipalName).AppId
$tenantId = (Get-AzContext).Subscription.TenantId
```
```
# Create new App Registration Federated Credentials for the GitHub operations
$subjectRepo = $subjectRepo = "repo:" + $Organization + "/" + $Repository + ":environment:" + $Environment

New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-repo" -Subject "$subjectRepo"
# Create new App Registration Federated Credentials for the GitHub operations
$subjectRepo = "repo:" + $Organization + "/" + $Repository + ":environment:" + $Environment
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-repo" -Subject "$subjectRepo"
$subjectRepoMain = "repo:" + $Organization + "/" + $Repository + ":ref:refs/heads/main"

New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-main" -Subject "$subjectRepoMain"
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-main" -Subject "$subjectRepoMain"
$subjectRepoPR = "repo:" + $Organization + "/" + $Repository + ":pull_request"
New-AzADAppFederatedCredential -ApplicationObjectId $appObjectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-PR" -Subject "$subjectRepoPR"

New-AzADAppFederatedCredential -ApplicationObjectId $objectId -Audience api://AzureADTokenExchange -Issuer 'https://token.actions.githubusercontent.com' -Name "$PrincipalName-PR" -Subject "$subjectRepoPR"
Write-Host "AZURE_TENANT_ID: $tenantId"
Write-Host "AZURE_SUBSCRIPTION_ID: $SubscriptionId"
Write-Host "AZURE_CLIENT_ID: $clientId"
```
In GitHub repo environment: Add the az login secrets:
- AZURE_CLIENT_ID
- AZURE_TENANT_ID
- AZURE_SUBSCRIPTION_ID

## Azure DevOps Pipelines (.azure-devops folder)
Azure DevOps pipelines require an Azure Service Connection to authenticate and deploy resources to Azure.
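Review bot: the replacement correctly passes the application object id (`$appObjectId`) instead of the service principal id to `-ApplicationObjectId` in the three `New-AzADAppFederatedCredential` calls, which is what the old `$objectId` lines got wrong, but two points in the lines that remain deserve the same treatment. `New-AzRoleAssignment -ObjectId $spObjectId -RoleDefinitionName Contributor -Scope "/subscriptions/$SubscriptionId"` grants Contributor over the entire subscription to a principal that only needs to deploy this microservice; scope it to the target resource group. And now that the app and service principal creation are guarded with `if (-not ...)`, the role assignment and the three federated-credential calls are the only non-idempotent steps left and will throw if the script is run a second time; guard them with `Get-AzRoleAssignment` and `Get-AzADAppFederatedCredential` lookups the same way.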
Expand Down Expand Up @@ -265,7 +268,7 @@ The key differences between Entity Framework (EF) and Semantic Kernel memory:
- SM: Use SM for long-term memory, chatbots, question-answering systems, and information retrieval.

# Contact
* [GitHub Repo](https://www.github.com/goodtocode/templates)
* [GitHub Repo](https://www.github.com/goodtocode/semantickernel-microservice)
* [@goodtocode](https://www.twitter.com/goodtocode)
* [github.com/goodtocode](https://www.github.com/goodtocode)

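Review bot: the repo link now points at `semantickernel-microservice`, which matches this repository, but all three entries in the `# Contact` list still go through `www.github.com` and `www.twitter.com`, which only redirect; use `https://github.com/goodtocode/semantickernel-microservice` (the form the README already uses for the `New-AzureGitHubFederation.ps1` link) so the links resolve without a redirect.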