{"id":19522903,"url":"https://github.com/techwatching/azuredevopsworkloadidentity","last_synced_at":"2025-07-04T13:05:37.815Z","repository":{"id":196124315,"uuid":"692896843","full_name":"TechWatching/AzureDevOpsWorkloadIdentity","owner":"TechWatching","description":"Infrastructure code to provision an Azure DevOps project with an Azure Pipelines workflow pipeline ready to deploy to Azure using oidc","archived":false,"fork":false,"pushed_at":"2023-09-20T23:24:34.000Z","size":11,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-08T14:18:44.745Z","etag":null,"topics":["azure","azure-devops","azure-pipelines","dotnet","openid-connect","pulumi"],"latest_commit_sha":null,"homepage":"https://www.techwatching.dev/posts/ado-workload-identity-federation","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/TechWatching.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-09-17T22:51:47.000Z","updated_at":"2024-11-28T22:54:38.000Z","dependencies_parsed_at":"2023-09-21T12:37:49.631Z","dependency_job_id":"94aa8db5-1982-456c-801d-de41e7edd3f3","html_url":"https://github.com/TechWatching/AzureDevOpsWorkloadIdentity","commit_stats":null,"previous_names":["techwatching/azuredevopsworkloadidentity"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TechWatching%2FAzureDevOpsWorkloadIdentity","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TechWatching%2FAzureDevOpsWorkloadIdentity/tags","releases_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/TechWatching%2FAzureDevOpsWorkloadIdentity/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/TechWatching%2FAzureDevOpsWorkloadIdentity/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/TechWatching","download_url":"https://codeload.github.com/TechWatching/AzureDevOpsWorkloadIdentity/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240771903,"owners_count":19854982,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-devops","azure-pipelines","dotnet","openid-connect","pulumi"],"created_at":"2024-11-11T00:41:29.514Z","updated_at":"2025-02-26T00:49:05.232Z","avatar_url":"https://github.com/TechWatching.png","language":"C#","readme":"# Sample code for the article \"Deploying to Azure from Azure DevOps without secrets\"\n\n## What is it?\n\nThis repository contains the code used in this [blog article](https://www.techwatching.dev/posts/ado-workload-identity-federation) that talks about provisioning an Azure DevOps project that has everything correctly configured to provision Azure resources or deploy applications to Azure from an Azure Pipelines workflow.\n\nThis code is a Pulumi .NET program that can be executed from the Pulumi CLI. 
When you execute it, it will provision the following resources:\n- an Azure Project configured with a Git repository, an ARM service connection and a pre-configured pipeline\n- a Microsoft Entra ID app registration, its associated Service Principal and a Federated Identity Credential\n\n![azuredevopsoidc_schema_2](https://github.com/TechWatching/AzureDevOpsWorkloadIdentity/assets/15186176/51d063a8-0dbd-4c13-94b8-63f71d98ce5e)\n\nI suggest you read [the article](https://www.techwatching.dev/posts/ado-workload-identity-federation) before using this code. And if you are not familiar with Pulumi you should check their [documentation](https://www.pulumi.com/docs/) or [learning pathways](https://www.pulumi.com/learn/) too.\n\n## How to use it?\n\n### Prerequisites\n\nYou can check [Pulumi documentation](https://www.pulumi.com/docs/get-started/azure/begin/) to set up your environment.\nYou will have to install on your machine:\n- Pulumi CLI\n- Azure CLI\n- .NET\n\nYou will need an Azure DevOps organization, an Azure subscription, and access to a Microsoft Entra ID.\n\nYou can use any [backend](https://www.pulumi.com/docs/intro/concepts/state/) for your Pulumi program (to store the state and encrypt secrets) but I suggest you use the default backend: the Pulumi Cloud. It's free for individuals; you will just need to create an account on the Pulumi website. If you prefer to use an Azure Blob Storage backend with an Azure Key Vault as the encryption provider you can check [this article](https://www.techwatching.dev/posts/pulumi-azure-backend).\n\nBefore executing the program you need to modify the configuration of the stack (contained in the `Pulumi.dev.yaml` file) to set the Pulumi and the GitHub tokens. 
You can do that by executing the following commands:\n\n```pwsh\npulumi config set --secret pulumiTokenForRepository yourpulumicloudtoken\npulumi config set azuredevops:orgServiceUrl yourazuredevopsorganizationurl --secret\npulumi config set azuredevops:personalAccessToken yourazuredevopspat --secret\n```\nEnsure you are connected to the Azure CLI with the account and on the subscription where you want to provision the resources (you can run the `az account show` command to display the information).  \n\nYou can also modify the `Program.cs` file to use the names you want for your resources.\n\n### Execute the Pulumi program\n\n- clone this repository\n- log on to your Azure account using Azure CLI\n- log on to your Pulumi backend using Pulumi CLI\n- install the dependencies\n- run this command `pulumi up`\n\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechwatching%2Fazuredevopsworkloadidentity","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftechwatching%2Fazuredevopsworkloadidentity","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechwatching%2Fazuredevopsworkloadidentity/lists"}