Support azure oidc using github token (#2113)

Co-authored-by: Edward J <edw@defang.io>

Author: edwardrf

src/pkg/clouds/azure/login.go

@@ -17,6 +17,7 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armsubscriptions"
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/cache"
 	"github.com/AzureAD/microsoft-authentication-library-for-go/apps/public"
+	"github.com/DefangLabs/defang/src/pkg/github"
 	"github.com/DefangLabs/defang/src/pkg/term"
 	"github.com/DefangLabs/defang/src/pkg/tokenstore"
 )
@@ -33,6 +34,11 @@ const (
 	// msalCacheKey is the TokenStore key holding MSAL's serialized cache blob
 	// (one blob per defang installation covers all accounts MSAL tracks).
 	msalCacheKey = "azure-msal-cache"
+	// githubFederationAudience is the audience Entra requires on a GitHub
+	// Actions OIDC token to honor a federated identity credential. The FIC
+	// provisioned by the Defang portal's Azure wizard explicitly trusts this
+	// audience; matches the value the `azure/login@v2` GitHub Action uses.
+	githubFederationAudience = "api://AzureADTokenExchange"
 )
 
 // defangMSALCache adapts defang's file-based TokenStore to MSAL's
@@ -108,6 +114,10 @@ func (c *msalCred) GetToken(ctx context.Context, opts policy.TokenRequestOptions
 }
 
 // Authenticate sets up Azure credentials for the session in order of preference:
+//  0. GitHub Actions OIDC — when ACTIONS_ID_TOKEN_REQUEST_URL is set and the
+//     stack file's AZURE_CLIENT_ID + AZURE_TENANT_ID identify a federated
+//     UAMI, exchange the GitHub OIDC token for an ARM token. Mirrors the GCP
+//     path in pkg/clouds/gcp/login.go::findGithubCredentials.
 //  1. Existing default Azure credentials — env vars (AZURE_TENANT_ID/CLIENT_ID/
 //     CLIENT_SECRET), managed identity, workload identity, an `az login`
 //     session picked up via AzureCLICredential, etc.
@@ -118,9 +128,9 @@ func (c *msalCred) GetToken(ctx context.Context, opts policy.TokenRequestOptions
 //     On success the refresh token is written to the cache so step 2 works
 //     on the next invocation.
 //
-// On success a.Cred is populated with an msalCred (for path 2/3) or a
-// DefaultAzureCredential wrapper (path 1). Both honor per-scope GetToken
-// requests from the Azure SDK.
+// On success a.Cred is populated with an msalCred (for path 2/3), a
+// ClientAssertionCredential (path 0), or a DefaultAzureCredential wrapper
+// (path 1). All honor per-scope GetToken requests from the Azure SDK.
 func (a *Azure) Authenticate(ctx context.Context, interactive bool) error {
 	if a.SubscriptionID == "" {
 		a.SubscriptionID = os.Getenv("AZURE_SUBSCRIPTION_ID")
@@ -129,6 +139,19 @@ func (a *Azure) Authenticate(ctx context.Context, interactive bool) error {
 		return errors.New("AZURE_SUBSCRIPTION_ID is required for Azure login")
 	}
 
+	// 0. GitHub Actions OIDC (federated identity credential).
+	term.Debug("checking GitHub Actions OIDC credentials...")
+	if cred, err := a.tryGithubOIDC(ctx); err != nil {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		term.Debugf("GitHub OIDC credential invalid: %v", err)
+	} else if cred != nil {
+		term.Debug("authenticated via GitHub Actions OIDC")
+		a.Cred = cred
+		return nil
+	}
+
 	// 1. DefaultAzureCredential (az cli session, env vars, managed identity, …).
 	term.Debug("checking default Azure credentials...")
 	if cred, err := a.tryDefaultCredential(ctx); err != nil {
@@ -230,6 +253,41 @@ func (a *Azure) trySilentMSAL(ctx context.Context, client public.Client, tenant
 	return nil, nil
 }
 
+// tryGithubOIDC builds a credential that federates the GitHub Actions
+// workflow's OIDC token into an Azure ARM token. Equivalent to running an
+// `azure/login@v2` step, but driven entirely from env vars in the Defang
+// stack file (AZURE_CLIENT_ID, AZURE_TENANT_ID) plus the standard GitHub
+// Actions OIDC plumbing (ACTIONS_ID_TOKEN_REQUEST_URL / _TOKEN).
+//
+// Returns (nil, nil) silently when not running in GitHub Actions OIDC, or
+// when AZURE_CLIENT_ID / AZURE_TENANT_ID aren't set — so Authenticate falls
+// through to the next credential option. Returns an error only when env
+// vars are present but the resulting credential fails to mint an ARM token
+// (e.g., the FIC's repo:branch subject doesn't match the current run).
+func (a *Azure) tryGithubOIDC(ctx context.Context) (azcore.TokenCredential, error) {
+	if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
+		return nil, nil
+	}
+	clientID := os.Getenv("AZURE_CLIENT_ID")
+	tenantID := os.Getenv("AZURE_TENANT_ID")
+	if clientID == "" || tenantID == "" {
+		return nil, nil
+	}
+	term.Debugf("AZURE_CLIENT_ID=%q AZURE_TENANT_ID=%q — attempting GitHub-OIDC federation", clientID, tenantID)
+
+	getAssertion := func(ctx context.Context) (string, error) {
+		return github.GetIdToken(ctx, githubFederationAudience)
+	}
+	cred, err := azidentity.NewClientAssertionCredential(tenantID, clientID, getAssertion, nil)
+	if err != nil {
+		return nil, fmt.Errorf("building GitHub-OIDC Azure credential: %w", err)
+	}
+	if err := testAzureCredential(ctx, a.SubscriptionID, cred); err != nil {
+		return nil, err
+	}
+	return cred, nil
+}
+
 // tryDefaultCredential constructs a DefaultAzureCredential and tests it
 // against the subscription. Returns (nil, nil) when the cred builds but
 // fails the permission check; returns (cred, nil) when it works.

src/pkg/clouds/azure/login_test.go

@@ -7,13 +7,20 @@ import (
 	"time"
 )
 
+// unsetEnv removes an env var for the duration of t. Unlike t.Setenv("", ""),
+// the variable is fully unset so callers using LookupEnv see ok=false.
+func unsetEnv(t *testing.T, key string) {
+	t.Helper()
+	if v, ok := os.LookupEnv(key); ok {
+		_ = os.Unsetenv(key)
+		t.Cleanup(func() { _ = os.Setenv(key, v) }) //nolint:usetesting
+	}
+}
+
 func TestAuthenticateMissingSubscriptionID(t *testing.T) {
 	// Fully unset AZURE_SUBSCRIPTION_ID for the duration of this test —
 	// t.Setenv("", ...) would leave it set-but-empty and LookupEnv returns true.
-	if v, ok := os.LookupEnv("AZURE_SUBSCRIPTION_ID"); ok {
-		_ = os.Unsetenv("AZURE_SUBSCRIPTION_ID")
-		t.Cleanup(func() { _ = os.Setenv("AZURE_SUBSCRIPTION_ID", v) }) //nolint:usetesting
-	}
+	unsetEnv(t, "AZURE_SUBSCRIPTION_ID")
 
 	a := &Azure{}
 	if err := a.Authenticate(context.Background(), false); err == nil {
@@ -24,6 +31,58 @@ func TestAuthenticateMissingSubscriptionID(t *testing.T) {
 	}
 }
 
+func TestTryGithubOIDC_NotInGithubActions(t *testing.T) {
+	// Outside a GH Actions runner the function must no-op (return nil, nil) so
+	// Authenticate falls through to DefaultAzureCredential. ACTIONS_ID_TOKEN_
+	// REQUEST_URL is the canonical "we're in Actions" sentinel.
+	unsetEnv(t, "ACTIONS_ID_TOKEN_REQUEST_URL")
+	t.Setenv("AZURE_CLIENT_ID", "client-id")
+	t.Setenv("AZURE_TENANT_ID", "tenant-id")
+
+	a := &Azure{SubscriptionID: "sub-id"}
+	cred, err := a.tryGithubOIDC(context.Background())
+	if err != nil {
+		t.Fatalf("expected nil error when not in Actions, got %v", err)
+	}
+	if cred != nil {
+		t.Error("expected nil credential when not in Actions")
+	}
+}
+
+func TestTryGithubOIDC_MissingClientID(t *testing.T) {
+	// Even when ACTIONS_ID_TOKEN_REQUEST_URL is set, AZURE_CLIENT_ID is required
+	// to know which UAMI to federate as. Without it, fall through silently.
+	t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "https://example.invalid")
+	unsetEnv(t, "AZURE_CLIENT_ID")
+	t.Setenv("AZURE_TENANT_ID", "tenant-id")
+
+	a := &Azure{SubscriptionID: "sub-id"}
+	cred, err := a.tryGithubOIDC(context.Background())
+	if err != nil {
+		t.Fatalf("expected nil error when AZURE_CLIENT_ID is missing, got %v", err)
+	}
+	if cred != nil {
+		t.Error("expected nil credential when AZURE_CLIENT_ID is missing")
+	}
+}
+
+func TestTryGithubOIDC_MissingTenantID(t *testing.T) {
+	// AZURE_TENANT_ID identifies which Entra tenant to exchange the OIDC
+	// token at; without it the federation has no destination. Fall through silently.
+	t.Setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "https://example.invalid")
+	t.Setenv("AZURE_CLIENT_ID", "client-id")
+	unsetEnv(t, "AZURE_TENANT_ID")
+
+	a := &Azure{SubscriptionID: "sub-id"}
+	cred, err := a.tryGithubOIDC(context.Background())
+	if err != nil {
+		t.Fatalf("expected nil error when AZURE_TENANT_ID is missing, got %v", err)
+	}
+	if cred != nil {
+		t.Error("expected nil credential when AZURE_TENANT_ID is missing")
+	}
+}
+
 func TestAuthenticateNonInteractiveFailsWithInvalidSubscription(t *testing.T) {
 	// An unknown subscription ID: the test call to ARM fails (either because
 	// the subscription doesn't exist or because the caller has no credentials