OIDC With Azure
How to authenticate the env0 runner using Azure AD and OIDC
This guide is to help you connect to Azure with OIDC, instead of using a Service Principal.
Overview
This guide will show you how to create an Azure AD App, configure a Federated Credential, and configure env0 to utilize OIDC with your Terraform code. The federated credential within the Azure AD app will be configured to accept env0's OIDC token. Refer to OIDC Integrations for more background on env0's OIDC configuration.
Azure AD App + Federated Credential
The Azure AD App will be configured with a Federated Credential in order to accept env0 OIDC token. Using the Azure Portal:
- Azure Active Directory > App registrations > "+ New Registration"
- Enter Name: e.g. "env0 OIDC app"
- Select Supported account types if you're unsure, choose âSingle tenantâ
- Skip Redirect URI
- Register the app.
- Note your Application (client) ID (
ARM_CLIENT_ID) and Directory (tenant) ID (ARM_TENANT_ID)ARM_TENANT_ID=f3450d00-1632-47b8-ab1b-c7c1617ef6cdARM_CLIENT_ID=e701f066-c866-4321-9adc-1089dcae9ff5
- Under the âenv0 OIDC appâ > âCertificates and Secretsâ > âFederated credentialsâ
- â+ Add credentialâ
- Federated Credential Scenario - Other issuer
- Issuer -
https://login.app.env0.com/ - Subject Identifier -
auth0|xxxxxx(see the section below on âRetrieving your Subject Identifierâ) - Name - enter a name (e.g. "env0 OIDC")
- Audience -
https://prod.env0.com
- For the Azure Provider in Terraform, we need to specify the following variables:
ARM_TENANT_ID- you can find the value in your app registration summary (âenv0 OIDC appâ) under âDirectory (tenant) IDâARM_CLIENT_ID- you can find the value in your app registration summary (âenv0 OIDC appâ) under âApplication (client) IDâARM_SUBSCRIPTION_ID- You can retrieve the Subscription ID from the Azure Subscription, or in a Resource Group that you want to use.
Azure App AD App Permissions
In order for Terraform to be able to deploy and manage the resources, we need to associate your Azure AD App with your Subscription or Resource Group
- In this example, I will give the âenv0 OIDC appâ the âContributorâ role in my âsales-acme-demoâ resource group. This means that env0 will only be able to create and manage resources within this resource group.
- Go to the Resource Group (âsales-acme-demoâ) > Access Control (IAM)
- Click on â+ Addâ > âAdd role assignmentâ
- Select a role (the level of privilege to give to Terraform) - in this case, we choose âContributorâ and hit âNextâ
- Assign access to âUser, group, or service principalâ
- Select a member by â+ Select Membersâ
- Search for âenv0 OIDC appâ and hit âSelectâ
- Hit "Review + assign"
Configure your Terraform Code w/ OIDC
In Terraform, you can specify the required parameters in the provider block or use the equivalent Environment Variable. More details on the arguments can be found in the official Terraform Registry for Azure here.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = ">=3.7.0"
}
}
}
# Configure the Microsoft Azure Provider
provider "azurerm" {
features {}
#subscription_id = "b48787a1-7145-425f-99af-62cde6c50e31" #ARM_SUBSCRIPTION_ID
#client_id = "bad8b508-6b13-4999-9149-e547585b2686" #ARM_CLIENT_ID
#tenant_id = "f3450d00-1632-47b8-ab1b-c7c1617ef6cd" #ARM_TENANT_ID
#use_oidc = true #ARM_USE_OIDC
#oidc_token = var.oidc_token #ARM_OIDC_TOKEN
}
In env0, you will need to add a Custom Flow (env0.yaml) to set the OIDC variable that the Azure Provider is expecting ARM_OIDC_TOKEN
version: 1
deploy:
steps: &OIDC
setupVariables:
after:
- echo "ARM_OIDC_TOKEN=$ENV0_OIDC_TOKEN" >> $ENV0_ENV
destroy:
steps: *OIDC
version: 2
deploy:
steps: &OIDC
setupVariables:
after:
- name: Setup OIDC Token
run: echo "ARM_OIDC_TOKEN=$ENV0_OIDC_TOKEN" >> $ENV0_ENV
destroy:
steps: *OIDC
Azure Provider Version
Make sure you use a version of the Azure provider greater than 3.7.0.
OIDC did not work for â=3.7.0â
Refer to this guide to retrieve your sub identifier.
Updated 6 months ago