
Commit 42cba2a

Merge pull request #27 from Azure/copilot/review-identity-setup-implementation
docs: clarify OIDC vs client-secret auth paths and fix misleading security note
2 parents 03d75e1 + 577b697 commit 42cba2a

2 files changed

Lines changed: 16 additions & 7 deletions


README.md

Lines changed: 14 additions & 5 deletions
@@ -17,12 +17,21 @@ npm install -g apiops
1717

1818
## Authentication
1919

20-
`apiops` uses [`@azure/identity`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity) `DefaultAzureCredential` for authentication:
20+
`apiops` uses [`@azure/identity`](https://github.com/Azure/azure-sdk-for-js/tree/main/sdk/identity/identity) `DefaultAzureCredential` for authentication.
2121

22-
- To use environment variables, set the following variables: `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, and `AZURE_SUBSCRIPTION_ID`
23-
- To specify authentication in command, use the following flags: `--client-id`, `--client-secret`, `--tenant-id`, and `--subscription-id`
24-
- **CI/CD:** A service principal with the **API Management Service Contributor** role is recommended.
25-
- **Azure-hosted environments:** Managed Identity and Workload Identity are also supported.
22+
### Generated GitHub Actions workflows (`apiops init`)
23+
24+
Workflows scaffolded by `apiops init` authenticate via **OIDC (workload identity federation)** — no client secret is stored or needed. Run `apiops init` and use the generated `identity-setup.prompt.md` to create an Azure AD application with federated credentials for your GitHub repository.
25+
26+
Required repository secrets: `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`
27+
28+
### Local CLI / other CI systems
29+
30+
When running `apiops` outside a GitHub Actions OIDC context you can supply credentials explicitly:
31+
32+
- **Environment variables:** `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`
33+
- **CLI flags:** `--client-id`, `--client-secret`, `--tenant-id`, `--subscription-id`
34+
- **Managed Identity / Workload Identity:** Supported automatically via `DefaultAzureCredential` when running on Azure-hosted infrastructure (VMs, App Service, etc.) or in Azure Pipelines with workload identity federation configured.
2635

2736
## Commands
2837
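Review bot: The OIDC section lists only `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` as required repository secrets, while the "Local CLI / other CI systems" section requires `AZURE_SUBSCRIPTION_ID` as well; the README should say where the generated workflows obtain the subscription ID (or add it to the required-secrets line) so readers do not assume the OIDC path needs fewer inputs than it does. The new explicit-credentials bullets also still document `AZURE_CLIENT_SECRET` and `--client-secret` with no note that this path does store a long-lived secret that must be rotated, in contrast to the "no client secret is stored or needed" statement above; one sentence such as "When a client secret is used it is a stored credential and should be rotated periodically" would keep the two sections consistent.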

src/services/identity-guide-service.ts

Lines changed: 2 additions & 2 deletions
@@ -128,8 +128,8 @@ Test the authentication by running a workflow manually or pushing to main branch
128128
129129
## Security Notes
130130
- Use GitHub Environments for production deployments with required reviewers
131-
- Rotate service principal credentials periodically
132-
- Review federated credential subjects regularly
131+
- Review federated credential subjects periodically (no secrets to rotate — OIDC authentication has no stored credentials)
132+
- Review RBAC role assignments regularly and remove any no longer needed
133133
- Use least-privilege RBAC assignments
134134
`;
135135
}
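Review bot: The parenthetical "OIDC authentication has no stored credentials" overstates the change: the federated credential (the issuer/subject binding on the Azure AD application) is itself a stored identity configuration, which is exactly why the same bullet asks for its subjects to be reviewed. Suggest "no client secret or certificate is issued, so there is nothing to rotate" in place of "no stored credentials". The new bullet "Review RBAC role assignments regularly and remove any no longer needed" also overlaps with the existing "Use least-privilege RBAC assignments" on line 133; merging them into one bullet would avoid the guide saying the same thing twice.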
