In my experience, the most straightforward way to give your GitHub Action permission to alter resources in your Azure instance is the Azure Login step.
This logs in the GitHub Actions agent, and all subsequent Azure CLI commands run in the context of the logged-in service principal.
Run the following command to generate a service principal:
az ad sp create-for-rbac --name "jd-static-web-app-test" --role contributor \
--scopes /subscriptions/0756c28d-551e-4b03-949e-3b2534b29712/resourceGroups/jd-static-web-app-test \
--sdk-auth
Azure CLI will return JSON describing the newly created service principal, which now has access to the resource group you defined.
This service principal has Contributor rights on your resource group, which allows you to alter resources in it.
This is especially useful when trying to automate deployments via GitHub Actions.
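To confirm that the service principal really is limited to that one resource group, you can audit its role assignments. The following is an added example, not part of the original post: it assumes you saved the output of `az role assignment list --assignee <appId> --all -o json` (with `<appId>` standing in for your service principal's application ID), and the function name and sample data are made up for illustration.

```python
import json

# Resource group scope taken from the `az ad sp create-for-rbac` command above.
EXPECTED_SCOPE = (
    "/subscriptions/0756c28d-551e-4b03-949e-3b2534b29712"
    "/resourceGroups/jd-static-web-app-test"
)

# Constructed sample in the shape of `az role assignment list -o json` output.
# Only the first entry matches the page; the other two are made up to show findings.
SAMPLE_JSON = """
[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/0756c28d-551e-4b03-949e-3b2534b29712/resourceGroups/jd-static-web-app-test"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/0756c28d-551e-4b03-949e-3b2534b29712"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/0756c28d-551e-4b03-949e-3b2534b29712/resourceGroups/jd-static-web-app-test-prod"}
]
"""


def out_of_scope_assignments(assignments, expected_scope=EXPECTED_SCOPE):
    """Return 'role at scope' strings for assignments reaching outside expected_scope."""
    expected = expected_scope.rstrip("/").lower()  # ARM resource IDs are case-insensitive
    findings = []
    for entry in assignments:
        scope = entry.get("scope", "")
        normalized = scope.rstrip("/").lower()
        # Allowed: the resource group itself, or a resource inside it.
        # The trailing "/" stops "...-test-prod" from matching "...-test".
        if normalized == expected or normalized.startswith(expected + "/"):
            continue
        role = entry.get("roleDefinitionName", "<unknown role>")
        findings.append(f"{role} at {scope or '<missing scope>'}")
    return findings


if __name__ == "__main__":
    problems = out_of_scope_assignments(json.loads(SAMPLE_JSON))
    for line in problems:
        print("BROADER THAN EXPECTED:", line)
    raise SystemExit(1 if problems else 0)
```

An empty result means every assignment sits at or below the resource group; anything listed is access the deployment does not need.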
Secrets
Then save the JSON returned by Azure CLI as a secret named AZURE_CREDENTIALS in your GitHub repo.
You can now add the Azure Login task, which authenticates Azure CLI on the GitHub agent using the secret.
- name: Azure Login
  uses: Azure/login@v1
  with:
    # Paste output of `az ad sp create-for-rbac` as value of secret variable: AZURE_CREDENTIALS
    creds: ${{ secrets.AZURE_CREDENTIALS }}
Azure CLI
Now all subsequent Azure CLI commands will run as the logged-in service principal.
Upload Static Site to Storage Account
Assuming you have a build output for your static web app, you can upload the generated output/build folder to an Azure Storage Account using GitHub Actions.
You can do this with the following Azure CLI command:
- name: Azure CLI Action
  uses: Azure/cli@1.0.4
  with:
    # Specify the script here
    inlineScript: az storage blob sync --account-name jdstaticwebapptest --source build --container test
Thanks for reading!
Jonathan