OIDC with Azure

How to authenticate the env0 runner using Azure AD and OIDC

This guide is to help you connect to Azure with OIDC, instead of using a Service Principal.

Overview

This guide will show you how to create an Azure AD App, configure a Federated Credential, and configure env0 to utilize OIDC with your Terraform code. The federated credential within the Azure AD app will be configured to accept env0's OIDC token. Refer to OIDC Integrations for more background on env0's OIDC configuration.

Azure AD App + Federated Credential

The Azure AD App will be configured with a Federated Credential in order to accept env0 OIDC token. Using the Azure Portal:

  1. Azure Active Directory > App registrations > "+ New Registration"
    1. Enter Name: e.g. "env0 OIDC app"
    2. Select Supported account types if you're unsure, choose “Single tenant”
    3. Skip Redirect URI
    4. Register the app.
  2. Note your Application (client) ID (ARM_CLIENT_ID) and Directory (tenant) ID ( ARM_TENANT_ID)
    1. ARM_TENANT_ID=f3450d00-1632-47b8-ab1b-c7c1617ef6cd
    2. ARM_CLIENT_ID=e701f066-c866-4321-9adc-1089dcae9ff5
  3. Under the “env0 OIDC app” > “Certificates and Secrets” > “Federated credentials”
    1. “+ Add credential”
    2. Federated Credential Scenario - Other issuer
    3. Issuer - <https://login.app.env0.com/>
    4. Subject Identifier - auth0|xxxxxx (see section below on “Retrieving your Subject Identifier”)
    5. Name - enter a name (e.g. "env0 OIDC")
  4. For the Azure Provider in Terraform we need to specify the following variables:
    1. ARM_TENANT_ID - you can find the value in your app registration summary (”env0 OIDC app”) under “Directory (tenant) ID”
    2. ARM_CLIENT_ID - you can find the value in your app registration summary (”env0 OIDC app”) under “Application (client) ID”
    3. ARM_SUBSCRIPTION_ID - You can retrieve the Subscription ID from the Azure Subscription, or in a Resource Group that you want to use.

Azure App AD App Permissions

In order for Terraform to be able to deploy and manage the resources, we need to associate your Azure AD App with your Subscription or Resource Group

  1. In this example, I will give the “env0 OIDC app” the “Contributor” role in my “sales-acme-demo” resource group. This means that env0 will only be able to create and manage resources within this resource group.
  2. Go to the Resource Group (”sales-acme-demo”) > Access Control (IAM)
  3. Click on “+ Add” > “Add role assignment”
  4. Select a role (the level of privilege to give to Terraform) - in this case, we choose “Contributor” and hit “Next”
  5. Assign access to “User, group, or service principal”
  6. Select a member by “+ Select Members”
  7. search for “env0 OIDC app” and hit “Select”
  8. Hit "Review + assign"

Configure your Terraform Code w/ OIDC

In Terraform, you can choose to specify the required parameters in the provider block or simply use the equivalent Environment Variable. More details on the arguments can be found in the official Terraform Registry for Azure here.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.7.0"
    }
  }
}

# Configure the Microsoft Azure Provider
provider "azurerm" {
  features {}

  #subscription_id = "b48787a1-7145-425f-99af-62cde6c50e31"  #ARM_SUBSCRIPTION_ID
  #client_id       = "bad8b508-6b13-4999-9149-e547585b2686"  #ARM_CLIENT_ID
  #tenant_id       = "f3450d00-1632-47b8-ab1b-c7c1617ef6cd"  #ARM_TENANT_ID
  #use_oidc        = true  #ARM_USE_OIDC
  #oidc_token      = var.oidc_token  #ARM_OIDC_TOKEN
}

Make sure you use a version of the Azure provider greater than 3.7.0. OIDC did not work for “=3.7.0”

Retrieving your Subject Identifier

env0 OIDC token contains a unique Subject Identifier per env0 Organization.
To retrieve your organization’s unique Subject Identifier:

  1. “Enable OIDC”
    1. Under Organization > Settings > Policy - Check “Enable OIDC during deployments”
  2. Go to an existing environment and “Run a Task”
  3. Run the following command: echo $ENV0_OIDC_TOKEN | base64

  4. Copy and Base64 Decode the Token: echo “ZVXMU5pSXNJblI1Y0NJNklrcFhWQ0lzSW10cFpDSTZJazETmEwWkdU…” | base64 -d
  5. Copy the Token and Inspect the decoded token using jwt.io
  6. Copy the Subject Identifier (”sub”): auth0|632b8219674bde0224a96141