Azure login for multiple resource groups

hi,

I have multiple resource groups in one subscription,

I would like to give devs the flexibility to enter their own resource group as an input to the workflow that deploys the Azure Function code. Currently I am using the Azure login action, but I see a limitation here.

An Azure SPN can only be linked with one resource group at a time, but in my case I have 10 devs and everyone has their own resource group as a parameter to the deploy workflow. How do I log in via GitHub Actions if I use the Azure login action? Or should I use az set CLI commands to log in from the workflow?

You should be able to grant the Service Principal access to more than one Resource Group. You could even grant it access to the whole subscription.

Have a look at the scopes parameter https://docs.microsoft.com/en-us/cli/azure/ad/sp

I have 5 environments in the project, an SPN for each env, and I created 5 Azure credentials to log in with an env-specific condition.
Is there a way to parse JSON info like clientId, secret, tenantId and subId and construct the credential dynamically based on the env input?

Azure_creds as Secret

cred.json
{
  "subscription": {
    "dev_01": {
      "clientId": "xxxxx",
      "clientSecret": "xxxxxx",
      "tenantId": "xxxxxxx",
      "subscriptionId": "xxxx"
    },
    "test_01": {
      "clientId": "xxxxx",
      "clientSecret": "xxxxxx",
      "tenantId": "xxxxxxx",
      "subscriptionId": "xxxx"
    },
    "dev_02": {
      "clientId": "xxxxx",
      "clientSecret": "xxxxxx",
      "tenantId": "xxxxxxx",
      "subscriptionId": "xxxx"
    },
    "test_02": {
      "clientId": "xxxxx",
      "clientSecret": "xxxxxx",
      "tenantId": "xxxxxxx",
      "subscriptionId": "xxxx"
    },
    "prd_01": {
      "clientId": "xxxxx",
      "clientSecret": "xxxxxx",
      "tenantId": "xxxxxxx",
      "subscriptionId": "xxxx"
    }
  }
}

output:
cat cred.json | jq -r '.subscription.dev_01'
{
  "clientId": "xxxxx",
  "clientSecret": "xxxxxx",
  "tenantId": "xxxxxxx",
  "subscriptionId": "xxxx"
}

How can we load env-specific Azure creds using the Azure login action?

@chaitanya-bojja-by ,

You can try to set the 5 Azure credentials as 5 secrets, for example, DEV_01, DEV_02, TEST_01, TEST_02 and PRD_01. Then in the workflow, add a step before the Azure login action, to determine which Azure credential will be used according to the current environment.
A simple demo:

jobs:
  azure_login:
    . . .
    steps:
      - name: Get Azure credential
        id: get-cred
        run: |
          env_name="(environment name)"
          if [[ $env_name == dev_01 ]]; then
            echo "::set-output name=login_cred::${{ secrets.DEV_01 }}"
          elif [[ $env_name == dev_02 ]]; then
            echo "::set-output name=login_cred::${{ secrets.DEV_02 }}"
          elif [[ $env_name == test_01 ]]; then
            echo "::set-output name=login_cred::${{ secrets.TEST_01 }}"
          elif [[ $env_name == test_02 ]]; then
            echo "::set-output name=login_cred::${{ secrets.TEST_02 }}"
          elif [[ $env_name == prd_01 ]]; then
            echo "::set-output name=login_cred::${{ secrets.PRD_01 }}"
          else
            echo "::set-output name=login_cred::${{ secrets.other_creds }}"
          fi

      - name: Login to Azure
        uses: azure/login@v1.1
        with:
          creds: ${{ steps.get-cred.outputs.login_cred }}

The above script is not working because the login_cred value is not in valid JSON format, so I have to add a conditional creds check for every env as follows:

      - name: 'LOGIN - Azure DEV-01 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.DEV_01_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'dev_01'

      - name: 'LOGIN - Azure DEVTEST-01 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.DEV_01_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'devtest_01'

      - name: 'LOGIN - Azure DEV-02 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.DEV_AZURE_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'dev_02'

      - name: 'LOGIN - Azure TEST-01 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.TEST_01_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'test_01'

      - name: 'LOGIN - Azure TEST-02 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.TEST_AZURE_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'test_02'

      - name: 'LOGIN - Azure PRD-01 Subscription'
        uses: azure/login@v1.1
        with:
          creds: ${{ secrets.PROD_AZURE_CREDENTIALS }}
        if: env.DEPLOY_ENV == 'prd_01'