GitHub Actions with Entra Workload Identity Federation

Workload Identity Federation (let’s just call this WIF) allows app principals not residing within Azure to request short lived access tokens. This removes the need of storing client secrets or certificates within GitHub as Action secrets. One drawback ist that currently only the Azure modules support the usage of WIF.

How it works

Azure AD workflow identity federation configuration.

A GitHub IdP issued token (decoded) contains the following information:

"jti": "1a9fe224-c936-46f6-a38b-3300e76251b0",
"sub": "repo:nicolonsky/musical-octo-telegram:ref:refs/heads/main",
"aud": "api://AzureADTokenExchange",
"ref": "refs/heads/main",
"sha": "9f112c0b82547e35b10250d7f3165789bf97862f",
"repository": "nicolonsky/musical-octo-telegram",
"repository_owner": "nicolonsky",
"repository_owner_id": "32899754",
"run_id": "3986560796",
"run_number": "2",
"run_attempt": "2",
"repository_visibility": "private",
"repository_id": "592303002",
"actor_id": "32899754",
"actor": "nicolonsky",
"workflow": ".github/workflows/wif.yaml",
"head_ref": "",
"base_ref": "",
"event_name": "push",
"ref_type": "branch",
"workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main",
"workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f",
"job_workflow_ref": "nicolonsky/musical-octo-telegram/.github/workflows/wif.yaml@refs/heads/main",
"job_workflow_sha": "9f112c0b82547e35b10250d7f3165789bf97862f",
"iss": "",
"nbf": 1674486850,
"exp": 1674487750,
"iat": 1674487450

Did you recognize the matching sub attribute within the GitHub issued token and the Azure AD configuration? For a successful authentication the:

  • Token issuer: iss
  • Subject: sub
  • Audience: aud

must match (besides some standard OIDC claims like the validity epoch-time).

By sending the GitHub ID token via HTTP POST to the Azure AD token endpoint with some additional metadata we can exchange the GitHub ID token with an Azure AD access token:

'Content-Type': 'application/x-www-form-urlencoded'
scope: '',
client_id: {CLIENT_ID},
client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
grant_type: 'client_credentials',
client_assertion: {GITHUB_ID_TOKEN}

From an Open ID Connect perspective this is just another specialization of the client_credentials flow.

As a response we receive the requested Azure AD access token, in this case I requested the token for the Microsoft Graph API:

"aud": "",
"iss": "",
"iat": 1674487150,
"nbf": 1674487150,
"exp": 1674491050,
"aio": "E2ZgYPhp8niXNfv9G2K3W2LUy15nAAA=",
"app_displayname": "GitHub Workflow Identity Federation Example",
"appid": "504fd139-6825-4e25-ad7a-627f100ab466",
"appidacr": "2",
"idp": "",
"idtyp": "app",
"oid": "a7538a92-ba98-4678-9374-f4a79b85c28f",
"roles": [
"sub": "a7538a92-ba98-4678-9374-f4a79b85c28f",
"tenant_region_scope": "EU",
"tid": "30204efd-acb7-41a7-9fe9-233cec0556c1",
"uti": "X2K54jgbIUKog5IhWrZNAA",
"ver": "1.0",
"wids": [
"xms_tcdt": 1645079402,
"xms_tdbr": "EU"

Wiring up my first GitHub Action step

You can find the Action directly in the GitHub Marketplace:

Azure AD Workload Identity Federation · Actions · GitHub Marketplace

Writing the Action was quite fun but also simple, because GitHub provides a nice toolkit to write custom Actions in JavaScript: actions/toolkit: The GitHub ToolKit for developing GitHub Actions.

Here a simple example about how to use the action with the Microsoft Graph PowerShell SDK:

on: [push]

id-token: write
contents: read

runs-on: ubuntu-latest
name: WIF Example
- name: Azure AD Workload Identity Federation
uses: nicolonsky/WIF@v0.0.2
tenant_id: '30204efd-acb7-41a7-9fe9-233cec0556c1'
client_id: '504fd139-6825-4e25-ad7a-627f100ab466'
- name: Do some Stuff
run: |
Install-Module -Name Microsoft.Graph.Authentication
Connect-MgGraph -AccessToken $env:ACCESS_TOKEN
Invoke-MgGraphRequest -Uri '/beta/organization' | Select-Object -ExpandProperty value
shell: pwsh

Pretty cool and another step towards pass-, ooh, I mean credential-less world! 😉

Additional information



Interested in endpoint management, security, identity and automation. #Intune #AzureAD #Defender #PowerShell #Azure

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

Interested in endpoint management, security, identity and automation. #Intune #AzureAD #Defender #PowerShell #Azure