jeez, this guy is a serious pro. nice videos and amazing explanations.
Wow, thanks!
I think the use case for setting the Issue to something besides the default is when you're using your own instance of Github.
Also, it would have been useful to show the part where you gave the registered App the permissions it needed to do what it needed to do. For some reason I forgot that you didn't show it and was trying to figure out why it wasn't working. You need the role set in order for it to see or do what it needs to do first. In my case this was not for applying terraform but at least showing that would have given me a bit more context for what was needed here.
Thanks for the feedback Mike. Sorry for the confusion!
@NedintheCloud All good, you got me the majority of the way to figuring out how to use this to begin with. Much appreciated.
Thanks for covering this topic. Great content
Thanks Ned. The content is super useful, and this is what I was looking for.
Thanks for this topic. How to use multiple repos for a single federated credential, and how to manage the subject claim in that condition?
Azure AD (Entra ID) doesn't support wildcards, so you need to add a federated credential for each repo, branch, and PR. I don't love that, but you can use Terraform to do it for you!
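As an added example of the Terraform approach Ned mentions (this is not code from the video), here is one way to generate a federated credential per GitHub subject with `for_each`. The app registration name `gha-terraform`, the org `example-org`, and the repos, branches and environment in the `subjects` map are placeholders; the issuer and audience values are the ones GitHub Actions and Entra ID actually use. Because Entra ID matches the `subject` claim exactly, every branch, pull request and environment you want to allow has to be its own entry; anything not listed gets no token exchange.

```hcl
# Added example, not from the video. Assumed names: "gha-terraform",
# "example-org", the "infra" and "app" repos and the "prod" environment.

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 3.0"
    }
  }
}

provider "azuread" {}

# The app registration whose client ID the workflow passes to azure/login.
resource "azuread_application" "gha" {
  display_name = "gha-terraform"
}

# Each map entry becomes exactly one federated credential. GitHub's subject
# claim format is fixed (repo:<org>/<repo>:<ref|pull_request|environment:...>),
# and Entra ID does exact matching, so list only the contexts you trust.
locals {
  github_org = "example-org"

  subjects = {
    infra-main     = "repo:${local.github_org}/infra:ref:refs/heads/main"
    infra-pr       = "repo:${local.github_org}/infra:pull_request"
    infra-prod-env = "repo:${local.github_org}/infra:environment:prod"
    app-main       = "repo:${local.github_org}/app:ref:refs/heads/main"
  }
}

resource "azuread_application_federated_identity_credential" "gha" {
  for_each = local.subjects

  application_id = azuread_application.gha.id
  display_name   = "github-${each.key}"
  description    = "GitHub Actions OIDC for ${each.value}"
  audiences      = ["api://AzureADTokenExchange"]
  issuer         = "https://token.actions.githubusercontent.com"
  subject        = each.value
}

# Client ID to put in the workflow's AZURE_CLIENT_ID secret or variable.
output "client_id" {
  value = azuread_application.gha.client_id
}
```

Adding a new repo or branch is then a one-line change to the `subjects` map, and `terraform plan` shows exactly which credential is being added or removed. Note that the app registration still needs a role assignment on the subscription or resource group before the workflow can read or change anything, which is the separate step the comments above are referring to.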
Ned, do you have a video/example using ADO pipeline parameter values getting passed as a variable in your variables.tf. Thanks.
Do you have a TT video that does exactly this but uses Azure DevOps Pipelines and configuration with an Azure DevOps Service Connection? Essentially a clone of this but not using GHA? Or are the changes to take this and change to ADO 90% the same plus the differences?
Service connections in Azure DevOps now support OIDC natively, so you don't have to set up a service principal and federated credentials.
This is for Azure AD.
I don't know how to do this on AWS Cloud. What will change?
The main point is to remove long lived passwords/credentials. There's good documentation from Github on how to set it up: docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Many thanks ❤
Hi Ned, could you do a video of this same implementation in Google Cloud please?
I already did it, hehehe