I am trying to automate rotation of the client secret for an Azure app using a GitHub Workflow. This workflow will create a new client secret every 90 days and update the secret that is stored in a KV. But after creating the workflow and successfully logging into Azure using OIDC, I get the following error: Run CLIENT_SECRET=$(az ad app credential reset --id "***" --append --display-name "GitHubWorkflowSecret" --end-date "$(date -u -d '+90 days' +'%Y-%m-%dT%H:%M:%SZ')") ERROR: Insufficient privileges to complete the operation.

I created a federated credential for OIDC for the GitHub Workflow and used it in the workflow as described in the GitHub documentation (https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure):

name: Azure OIDC Workflow

on:
  push:
    branches:
      - "***"

permissions:
  id-token: write   # required so the job can request the OIDC token
  contents: read

jobs:
  create-client-secret-and-update-kv:
    runs-on: "***"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Login to Azure using OIDC
        uses: azure/login@v1
        with:
          client-id: "***"
          tenant-id: "****"
          # No subscription: this job only talks to Entra ID (Microsoft Graph), not ARM.
          allow-no-subscriptions: true

      - name: Create Client Secret for Azure AD App
        id: create-secret
        run: |
          # `az ad app credential reset` prints a JSON object; --query/-o tsv extracts
          # only the new secret value instead of the whole document.
          CLIENT_SECRET=$(az ad app credential reset --id "***" --append --display-name "GitHubWorkflowSecret" --end-date "$(date -u -d '+90 days' +'%Y-%m-%dT%H:%M:%SZ')" --query password -o tsv)
          # Mask the value so it never appears in the job log.
          echo "::add-mask::$CLIENT_SECRET"

I had to bypass subscription_id because the app is a service principal. I could log in, but the step where I am trying to create a client secret is failing due to insufficient privileges. I thought having a federated OIDC credential would be enough to at least get the permission to create a client secret, but that isn't the case. Apologies if this is a dumb question; I am new to Azure and confused about why there is a permission issue here. Some guidance would be of great help to me. Thanks!
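The rotation step the question describes, written out as an added example (this is not code from the original post or from any Microsoft sample). It assumes hypothetical variables TARGET_APP_ID (the app whose secret is rotated), KV_NAME and KV_SECRET_NAME, and that the logged-in identity already holds the rights discussed in the answers below plus a Key Vault role that allows setting secrets (for example "Key Vault Secrets Officer"). It extracts only the password from the CLI's JSON output, masks it, stores it in Key Vault with a matching expiry, and deletes credentials that have already expired, because --append otherwise accumulates them on the app forever.

```shell
#!/usr/bin/env bash
# Added example: client-secret rotation step for the workflow in the question.
# Hypothetical inputs: TARGET_APP_ID, KV_NAME, KV_SECRET_NAME (environment variables).
set -euo pipefail

ROTATION_DAYS="${ROTATION_DAYS:-90}"

# ISO-8601 UTC timestamp N days from a base time (default: now).
# Uses GNU date, as the original workflow does.
secret_end_date() {
  local days="$1" base="${2:-now}"
  date -u -d "${base} +${days} days" +'%Y-%m-%dT%H:%M:%SZ'
}

# Display name that records when the credential was minted, so stale ones are
# recognisable in the portal and in `az ad app credential list`.
secret_display_name() {
  printf 'GitHubWorkflowSecret-%s' "$(date -u -d "${1:-now}" +'%Y%m%d')"
}

rotate_secret() {
  local app_id="$1" kv_name="$2" kv_secret="$3"
  local end_date new_secret now key_id
  end_date="$(secret_end_date "$ROTATION_DAYS")"

  # `az ad app credential reset` returns JSON; --query password -o tsv yields only
  # the secret value. --append keeps the existing credentials valid so consumers
  # of the old secret keep working until they pick up the new one from Key Vault.
  new_secret="$(az ad app credential reset --id "$app_id" --append \
    --display-name "$(secret_display_name)" --end-date "$end_date" \
    --query password -o tsv)"

  # Ask the runner to mask the value in logs before it is used anywhere.
  echo "::add-mask::${new_secret}"

  # Store it with the same expiry so Key Vault flags it at the same time Entra does.
  az keyvault secret set --vault-name "$kv_name" --name "$kv_secret" \
    --value "$new_secret" --expires "$end_date" --output none

  # Remove credentials that have already expired. The JMESPath comparison is a
  # string compare, which is correct because endDateTime is ISO-8601 (sorts lexically).
  now="$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
  az ad app credential list --id "$app_id" \
    --query "[?endDateTime < '${now}'].keyId" -o tsv |
  while read -r key_id; do
    if [ -n "$key_id" ]; then
      az ad app credential delete --id "$app_id" --key-id "$key_id"
    fi
  done
}

# Runs only when invoked explicitly, e.g. from the workflow step: bash rotate.sh apply
if [ "${1:-}" = "apply" ]; then
  rotate_secret "$TARGET_APP_ID" "$KV_NAME" "$KV_SECRET_NAME"
fi
```

Note that the end date is computed once and used for both Entra and Key Vault, so the two records never disagree about when the credential stops working.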

2 Answers

0

It's an Authentication versus Authorization problem.

Think of an App Registration like a service-account. It's an identity for a specific application.

All resources in Azure support Role Based Access Control (RBAC) which allows you to assign identities (users, groups, devices) a set of roles (permissions). A role is a set of allowed/disallowed "actions" an identity can perform.

Just because you can login using an identity (Authentication) doesn't mean you are granted permissions (Authorization) to manage that identity.

In order to manipulate all aspects for the App Registration, an identity would need to be granted the Application Administrator role on the identity.

Note that this is a privileged role and may be susceptible to extra scrutiny by your IT organization. It is also possible to create a custom role that only has the microsoft.directory/applications/credentials/update action, which might have less friction.

EDIT:

Also note that if you're attempting to update the client secret used by the current app registration, this shouldn't be necessary if you're using OIDC. By definition, OIDC enables GitHub and Entra to communicate and use api://AzureADTokenExchange to create a short-lived access token that is valid for the duration of the pipeline. No client secrets are needed going forward.

With OpenID Connect (OIDC), you can take a different approach by configuring your workflow to request a short-lived access token directly from the cloud provider. Your cloud provider also needs to support OIDC on their end, and you must configure a trust relationship that controls which workflows are able to request the access tokens. Providers that currently support OIDC include Amazon Web Services, Azure, Google Cloud Platform, and HashiCorp Vault, among others.

See here on how to setup the Federated Credential on your App Registration for GitHub Actions.

2 Comments

Thank You Bryan for answering the question. I can now understand why I could login but not get to create a new client secret. That said, I am still not sure how to assign a role to a Github Workflow if the way it interacts with Azure is by short-lived tokens? P.S: As mentioned, I want to use the Github workflow to automatically rotate client secret after a time period and store it in a KV for some other use.
You are not assigning the permissions to the GitHub workflow. You are assigning the permissions to the Azure App Registration (CLIENT ID) that your workflow uses. The azure/login task has the logic to perform the token exchange on your behalf.
0

It should be possible with the correct API permissions for the Graph API. You need one of the following permissions for your request:

  • Application.ReadWrite.OwnedBy
  • Application.ReadWrite.All
  • Directory.ReadWrite.All

Reference at Microsoft

The API permissions need to be added to the App Registration that you created for your GitHub Workflow. In the end it should look like the image at the bottom.

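The two answers describe two ways to authorize the workflow's identity: a directory role (built-in Application Administrator, or a custom role carrying microsoft.directory/applications/credentials/update) from the first answer, and the Microsoft Graph application permission Application.ReadWrite.OwnedBy from the second. The following is an added example, not code from either answer or from Microsoft, that performs each grant once from an administrator's shell; it is never run inside the workflow. Hypothetical inputs are WORKFLOW_APP_ID (the client ID passed to azure/login) and TARGET_APP_OBJECT_ID, which must be the object ID of the application whose secret is rotated, not its client/application ID. The Graph request bodies are built in small functions so they can be inspected before anything is sent.

```shell
#!/usr/bin/env bash
# Added example: grant the workflow identity the rights the answers describe.
# Hypothetical inputs: WORKFLOW_APP_ID, TARGET_APP_OBJECT_ID (environment variables).
set -euo pipefail

GRAPH="https://graph.microsoft.com/v1.0"
GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known application ID

# ---- Route A (second answer): Application.ReadWrite.OwnedBy + ownership of the target app ----

# Body for POST /servicePrincipals/{id}/appRoleAssignments: grants an application
# permission (app role) exposed by a resource SP (here Graph) to a principal.
app_role_assignment_body() {
  local principal_id="$1" resource_id="$2" app_role_id="$3"
  printf '{"principalId":"%s","resourceId":"%s","appRoleId":"%s"}' \
    "$principal_id" "$resource_id" "$app_role_id"
}

grant_owned_by_route() {
  local wf_sp_id graph_sp_id role_id
  wf_sp_id="$(az ad sp show --id "$WORKFLOW_APP_ID" --query id -o tsv)"
  graph_sp_id="$(az ad sp show --id "$GRAPH_APP_ID" --query id -o tsv)"
  # Look the app role ID up by name instead of hard-coding it.
  role_id="$(az ad sp show --id "$GRAPH_APP_ID" \
    --query "appRoles[?value=='Application.ReadWrite.OwnedBy'].id" -o tsv)"
  # Creating the appRoleAssignment is the admin-consent step, so the caller must
  # be allowed to grant consent for application permissions.
  az rest --method POST \
    --url "$GRAPH/servicePrincipals/$wf_sp_id/appRoleAssignments" \
    --body "$(app_role_assignment_body "$wf_sp_id" "$graph_sp_id" "$role_id")"
  # OwnedBy only reaches apps the principal owns, so make it an owner of the target.
  az ad app owner add --id "$TARGET_APP_OBJECT_ID" --owner-object-id "$wf_sp_id"
}

# ---- Route B (first answer): custom directory role, scoped to the one application ----

# Body for POST /roleManagement/directory/roleDefinitions with the single action
# the first answer names.
custom_role_body() {
  local name="$1"
  printf '{"displayName":"%s","isEnabled":true,"rolePermissions":[{"allowedResourceActions":["microsoft.directory/applications/credentials/update"]}]}' \
    "$name"
}

# Body for POST /roleManagement/directory/roleAssignments. directoryScopeId "/" is
# tenant-wide; "/<application object ID>" confines the assignment to that one app.
# For the built-in Application Administrator role instead of a custom one, use its
# definition ID from GET /roleManagement/directory/roleDefinitions as roleDefinitionId.
role_assignment_body() {
  local role_def_id="$1" principal_id="$2" scope="${3:-/}"
  printf '{"@odata.type":"#microsoft.graph.unifiedRoleAssignment","roleDefinitionId":"%s","principalId":"%s","directoryScopeId":"%s"}' \
    "$role_def_id" "$principal_id" "$scope"
}

grant_custom_role_route() {
  local wf_sp_id role_def_id
  wf_sp_id="$(az ad sp show --id "$WORKFLOW_APP_ID" --query id -o tsv)"
  role_def_id="$(az rest --method POST \
    --url "$GRAPH/roleManagement/directory/roleDefinitions" \
    --body "$(custom_role_body 'App Credential Rotator')" --query id -o tsv)"
  az rest --method POST --url "$GRAPH/roleManagement/directory/roleAssignments" \
    --body "$(role_assignment_body "$role_def_id" "$wf_sp_id" "/$TARGET_APP_OBJECT_ID")"
}

# Pick one route: bash grant.sh owned-by   or   bash grant.sh custom-role
case "${1:-}" in
  owned-by)    grant_owned_by_route ;;
  custom-role) grant_custom_role_route ;;
esac
```

Either route gives the service principal behind the client ID the authorization that the OIDC login alone does not, which is the distinction the first answer draws. Route A is the narrower grant in practice, because the permission only covers applications the principal owns; with Route B, the scoped assignment achieves the same confinement, whereas an unscoped Application Administrator assignment lets the workflow identity reset credentials on every app in the tenant.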