Setting Up a Service Principal to Deploy to Azure App Service With GitHub Actions

Posted December 30, 2023 in azure-app-service dotnet microsoft-entra-id github-actions
Reading time: 3 minutes

I started moving my personal applications out of Azure DevOps and into GitHub. As part of that, I needed to convert my DevOps Pipelines into GitHub Actions.

Figuring out how to get GitHub Actions to authenticate with Azure App Service and do deployment tasks was not completely straightforward, but after a ton of googling and experimenting, I figured out just enough to make it work. Read on to see the steps.

Create a Service Principal in Microsoft Entra ID

By Service Principal, they mean an App registration.

  1. In Azure Portal, go to Microsoft Entra ID and click App registrations
  2. Click New registration
  3. Type in a name for your app
  4. Under Supported account types, choose who can use this application (e.g., Accounts in this organizational directory only (Default Directory only - Single tenant))
  5. Under Select a platform, choose Web. It’s okay to leave the URL blank.
  6. Click Register

This will take you to the App registration Overview screen. You’ll need two pieces of information from this screen:

  • Application (client) ID
  • Directory (tenant) ID

Save them for later when you’re creating credentials for GitHub Actions.

Next, you need to create a client secret:

  • Click Certificates & secrets
  • Click New client secret
  • Choose an Expiration
  • Click Add

You’ll need to copy the secret now, as it’s only visible immediately after you create it. This is the third part of the credentials.

Grant the App Service’s Contributor Role to your App registration

In Azure Portal, go to your App Service:

  1. Choose App Services from the menu
  2. Click on your App Service
  3. Click Access control (IAM)
  4. Click Add, then Add role assignment
  5. Click Privileged administrator roles
  6. Select Contributor
  7. Click Next
  8. Select Assign access to User, group, or service principal
  9. Search for and select the service principal you created above
  10. Click Next
  11. Click Review & assign

Update 2024-04-08: I started getting errors like the following when my Action tried to deploy to Azure App Service:

ERROR: (AuthorizationFailed) The client '{client-id}' with object id '{object-id}' does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '{my-scope}' or the scope is invalid. If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed

Adding the App registration’s service principal to the Reader role on the App Service Plan resolved this issue.

Copy the Subscription ID

Still in Azure Portal, you’ll need to copy the ID of the Subscription where your App Service resides:

  1. Choose Subscriptions from the menu
  2. Click on the proper subscription
  3. Copy the Subscription ID from the overview screen

Now you have the four pieces of information you need to create a secret in your GitHub Actions.

Create a secret in your GitHub repository

The Azure/login action requires the credentials as a JSON string. Fill in this template with the values you recorded in the steps above:

{
    "clientId": "your_client_id",
    "clientSecret": "your_client_secret",
    "subscriptionId": "your_subscription_id",
    "tenantId": "your_tenant_id"
}

In your GitHub repository settings:

  1. Expand Secrets and variables and click Actions
  2. Create a new secret. I named mine AZURE_CREDENTIALS.
  3. Paste in the JSON object from above

That should be all you need to use Azure/login so that you can perform App Service actions like zip deploy and slot swaps. In one of your steps, you would reference it like so:

      - name: Azure Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
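For context, here is a complete workflow built around that login step, added as an example here rather than taken from the post: it publishes a .NET project, zip-deploys it to a staging slot, swaps the slot into production, and logs the runner out of Azure. The app name `my-app`, resource group `my-rg`, slot `staging`, .NET version and project path are placeholders to replace with your own.

```yaml
name: Deploy to Azure App Service

on:
  push:
    branches: [main]

permissions:
  contents: read   # the job only reads the repo; Azure access comes from the AZURE_CREDENTIALS secret

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '8.0.x'   # placeholder: match the project's target framework

      - name: Publish
        # placeholder project path
        run: dotnet publish ./src/MyApp/MyApp.csproj -c Release -o ./publish

      - name: Azure Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      # Zip deploy to the staging slot of the App Service the service principal holds Contributor on
      - name: Deploy to staging slot
        uses: azure/webapps-deploy@v2
        with:
          app-name: my-app          # placeholder App Service name
          slot-name: staging        # placeholder slot name
          package: ./publish

      # Swap staging into production using the same login session
      - name: Swap slots
        run: |
          az webapp deployment slot swap \
            --name my-app \
            --resource-group my-rg \
            --slot staging \
            --target-slot production

      # Drop the CLI session so the credential does not linger on the runner, even if a step failed
      - name: Azure Logout
        if: always()
        run: az logout
```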

Recorded to save Future Jon much time and gnashing of teeth. 😬
