OIDC With Azure
How to authenticate the env0 runner using Azure AD and OIDC
This guide is to help you connect to Azure with OIDC, instead of using a Service Principal.
Overview
This guide will show you how to create an Azure AD App, configure a Federated Credential, and configure env0 to utilize OIDC. The federated credential within the Azure AD app will be configured to accept env0's OIDC token. Refer to OIDC Integrations for more background on env0's OIDC configuration.
Azure AD App + Federated Credential
The Azure AD App will be configured with a Federated Credential in order to accept env0 OIDC token. Using the Azure Portal:
- Microsoft Entra ID > App registrations > "+ New Registration"
- Enter Name: e.g. "env0 OIDC app"
- Select Supported account types if you're unsure, choose โSingle tenantโ
- Skip Redirect URI
- Register the app.
- Note your Application (client) ID (
ARM_CLIENT_ID
) and Directory (tenant) ID (ARM_TENANT_ID
)ARM_TENANT_ID=f3450d00-1632-47b8-ab1b-c7c1617ef6cd
ARM_CLIENT_ID=e701f066-c866-4321-9adc-1089dcae9ff5
- Under the โenv0 OIDC appโ > โCertificates and Secretsโ > โFederated credentialsโ
- โ+ Add credentialโ
- Federated Credential Scenario - Other issuer
- Issuer -
https://login.app.env0.com/
- Subject Identifier -
auth0|xxxxxx
(see the section below on โRetrieving your Subject Identifierโ) - Name - enter a name (e.g. "env0 OIDC")
- Audience -
https://prod.env0.com
- For the Azure Provider in Terraform, we need to specify the following variables:
ARM_TENANT_ID
- you can find the value in your app registration summary (โenv0 OIDC appโ) under โDirectory (tenant) IDโARM_CLIENT_ID
- you can find the value in your app registration summary (โenv0 OIDC appโ) under โApplication (client) IDโARM_SUBSCRIPTION_ID
- You can retrieve the Subscription ID from the Azure Subscription, or in a Resource Group that you want to use.
Azure App AD App Permissions
In order for Terraform to be able to deploy and manage the resources, we need to associate your Azure AD App with your Subscription or Resource Group
- In this example, I will give the โenv0 OIDC appโ the โContributorโ role in my โsales-acme-demoโ resource group. This means that env0 will only be able to create and manage resources within this resource group.
- Go to the Resource Group (โsales-acme-demoโ) > Access Control (IAM)
- Click on โ+ Addโ > โAdd role assignmentโ
- Select a role (the level of privilege to give to Terraform) - in this case, we choose โContributorโ and hit โNextโ
- Assign access to โUser, group, or service principalโ
- Select a member by โ+ Select Membersโ
- Search for โenv0 OIDC appโ and hit โSelectโ
- Hit "Review + assign"
Configure Env0 OIDC Credential
Go to the organization's credentials page and create a new deployment credential. Select Azure OIDC
type and enter the following fields:
Subscription ID
- Azure subscription idTenant ID
- Azure tenant idClient ID
- Azure client id
Azure Provider Version
Make sure you use a version of the Azure provider greater than 3.7.0.
OIDC did not work for โ=3.7.0โ
Updated 2 months ago