Azure Synapse Analytics configuration, settings and deployment from GitHub.
In order to deploy from GitHub Actions, a resource group (RG) must already exist in the target Azure subscription. Create it with the Azure CLI:
az group create --name Mustard001 --location uksouth
To connect to Azure from GitHub we will use the OIDC method, which starts with creating an AAD (Entra) application:
az ad app create --display-name MustardSynDeploy
From the JSON output, save the appId and id (object id).
application_appid=$(az ad app list --display-name MustardSynDeploy --query '[].appId' -o tsv)
application_objectid=$(az ad app list --display-name MustardSynDeploy --query '[].id' -o tsv)
Next, create a service principal for the application.
az ad sp create --id $application_appid
From the JSON output, save the object id.
assignee_objectid=$(az ad sp list --display-name MustardSynDeploy --query '[].id' -o tsv)
Before assigning an RBAC permission, we also need to know the tenant and subscription IDs. These are not automatically present in any of the JSON outputs so far, so query for them from the Azure account you are logged in to:
az_tenantid=$(az account show --query tenantId -o tsv)
az_subid=$(az account show --query id -o tsv)
Then make the RBAC Contributor role assignment to the identity of the application, scoped to the resource group:
az role assignment create --role contributor --subscription $az_subid --assignee-object-id $assignee_objectid --assignee-principal-type ServicePrincipal --scope subscriptions/$az_subid/resourceGroups/Mustard001/
Finally, create a federated identity credential (a token for GitHub to authenticate with Microsoft). Using the Microsoft Graph beta API to create this was the only method by which a working credential could be configured.
The URI below is double-quoted so that the shell expands $application_objectid; if you single-quote it, as is natural for the JSON body, the variable is passed literally and you must paste the actual object id into the command instead.
az rest --method POST --uri "https://graph.microsoft.com/beta/applications/$application_objectid/federatedIdentityCredentials" --body '{"name":"SynDeployCred2","issuer":"https://token.actions.githubusercontent.com","subject":"repo:andyvroberts/mustard:ref:refs/heads/main","description":"Working Synapse Deploy Credential","audiences":["api://AzureADTokenExchange"]}'
We need additional deploy privileges if the deployment makes assignments in other Resource Groups, for example:
- KeyVault grants
- Storage role assignment grants
- Storage Account grants
Create the custom role definition file deployrole.json, substituting your subscription ID for the placeholder in AssignableScopes at the bottom:
{
  "Name": "AVR Deployment Principal",
  "IsCustom": true,
  "Description": "Lets you deploy resources without having contributor RBAC in another Resource Group.",
  "Actions": [
    "Microsoft.KeyVault/vaults/deploy/action",
    "Microsoft.Resources/deployments/write",
    "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/operationStatuses/read",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<your-subscription-id>"
  ]
}
Then add the role to your subscription using the CLI:
az role definition create --role-definition deployrole.json
Finally, add the role assignment to the SP, substituting the subscription ID and making sure that the resource group is the one which contains the resources being granted:
az role assignment create \
--role "AVR Deployment Principal" \
--scope /subscriptions/$az_subid/resourceGroups/NrgdxData \
--assignee-object-id $assignee_objectid \
--assignee-principal-type ServicePrincipal
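The custom role above grants Microsoft.Authorization/roleAssignments/write, which lets the deployment principal assign any role, including Owner, within its assignable scope, so it deserves the same scrutiny as Contributor would (Azure can constrain such a grant with a role-assignment condition). The linter below is an added example, not part of this page or of Azure's tooling: it loads a role definition shaped like deployrole.json (the subscription id in the sample is a constructed placeholder) and flags escalation-capable or wildcard actions and assignable scopes that are malformed or wider than a resource group.

```python
import json

# Actions that let a principal widen its own access; holding any of them at a
# scope makes a deployment identity effectively an owner of that scope.
ESCALATION_ACTIONS = {
    "*",
    "Microsoft.Authorization/*",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
}

def lint_role(role):
    """Return a list of findings for a custom role definition (a parsed dict)."""
    findings = []
    for action in role.get("Actions", []):
        if action in ESCALATION_ACTIONS:
            findings.append(f"escalation-capable action: {action}")
        elif action.endswith("/*"):
            findings.append(f"wildcard action: {action}")
    for scope in role.get("AssignableScopes", []):
        # Expected shapes: /subscriptions/<id> or /subscriptions/<id>/resourceGroups/<rg>
        parts = scope.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "subscriptions" or not parts[1]:
            findings.append(f"malformed assignable scope: {scope!r}")
        elif len(parts) == 2:
            findings.append(f"subscription-wide assignable scope, could be narrowed to a resource group: {scope}")
    if role.get("DataActions"):
        findings.append("data-plane actions present; a template deployment identity normally needs none")
    return findings

# Constructed sample: the deployrole.json from this page with a placeholder subscription id.
DEPLOYROLE = json.loads("""{
  "Name": "AVR Deployment Principal", "IsCustom": true,
  "Actions": [
    "Microsoft.KeyVault/vaults/deploy/action",
    "Microsoft.Resources/deployments/write", "Microsoft.Resources/deployments/read",
    "Microsoft.Resources/deployments/operationStatuses/read",
    "Microsoft.Storage/storageAccounts/blobServices/write",
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read"
  ],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")

if __name__ == "__main__":
    for finding in lint_role(DEPLOYROLE):
        print(finding)
```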
Alternatively, the identity credential (a token for GitHub to authenticate with Microsoft) can be created with the CLI. First add the JSON configuration for the credential in a file called github-deploy-creds.json:
{
  "name": "MustardDeployCred",
  "issuer": "https://token.actions.githubusercontent.com",
  "subject": "repo:andyvroberts/mustard:ref:refs/heads/main",
  "description": "Non-working Synapse Deploy Credential",
  "audiences": [
    "api://AzureADTokenExchange"
  ]
}
Note: If you want to connect the credential to an Environment rather than a branch, change the subject line to:
"subject": "repo:andyvroberts/mustard:environment:Production",
Execute the CLI command that uses the configuration:
az ad app federated-credential create --id $application_objectid --parameters github-deploy-creds.json
Note: Even though this method produces identical Azure Portal credential details for the app registration as the beta Graph API, it always results in the GitHub logon error "Error: AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://token.actions.githubusercontent.com'."
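Entra matches the issuer and subject of a federated credential against the token's iss and sub claims as exact strings, so a single extra character such as a trailing slash on the issuer is enough to produce AADSTS700211. The helper below is an added example, not the page's own code or Microsoft's: it builds a credential body for a branch or environment subject (usable with both az rest and az ad app federated-credential create above) and checks an existing body; the sample body is constructed and deliberately carries a trailing-slash issuer, and the audience check assumes the default audience requested by the azure/login action.

```python
import json
import re

# Exact issuer GitHub Actions puts in the OIDC token's "iss" claim (no trailing slash).
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Audience azure/login requests by default; Entra must see exactly this list.
AZURE_AUDIENCE = "api://AzureADTokenExchange"

# Subject shapes GitHub emits for branch/tag, environment and pull-request tokens.
SUBJECT_RE = re.compile(
    r"^repo:[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+:"
    r"(ref:refs/(heads|tags)/\S+|environment:\S+|pull_request)$"
)

def build_credential(name, owner, repo, branch=None, environment=None, description=""):
    """Return a federated-credential body scoped to one branch or one environment."""
    if (branch is None) == (environment is None):
        raise ValueError("give exactly one of branch or environment")
    subject = (f"repo:{owner}/{repo}:ref:refs/heads/{branch}" if branch
               else f"repo:{owner}/{repo}:environment:{environment}")
    return {"name": name, "issuer": GITHUB_ISSUER, "subject": subject,
            "description": description, "audiences": [AZURE_AUDIENCE]}

def check_credential(body):
    """Return the problems that would make Entra reject a GitHub token for this body."""
    problems = []
    issuer = body.get("issuer", "")
    if issuer != GITHUB_ISSUER:
        hint = " (trailing slash)" if issuer.rstrip("/") == GITHUB_ISSUER else ""
        problems.append(f"issuer {issuer!r} must equal {GITHUB_ISSUER!r}{hint}")
    if not SUBJECT_RE.match(body.get("subject", "")):
        problems.append(f"subject {body.get('subject')!r} is not a GitHub OIDC subject")
    if body.get("audiences") != [AZURE_AUDIENCE]:
        problems.append(f"audiences must be [{AZURE_AUDIENCE!r}]")
    return problems

# Constructed sample body whose issuer carries a trailing slash.
NONWORKING = json.loads('''{
  "name": "MustardDeployCred",
  "issuer": "https://token.actions.githubusercontent.com/",
  "subject": "repo:andyvroberts/mustard:ref:refs/heads/main",
  "description": "Non-working Synapse Deploy Credential",
  "audiences": ["api://AzureADTokenExchange"]
}''')

if __name__ == "__main__":
    for problem in check_credential(NONWORKING):
        print("problem:", problem)
    print(json.dumps(build_credential("SynDeployCred2", "andyvroberts", "mustard", branch="main")))
```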
In the Azure Portal, you can view the Application from:
Microsoft Entra ID > App Registrations > the "All applications" tab.
In the Azure Portal, you can view the Service Principal from:
Microsoft Entra ID > Enterprise Applications > remove the 'Enterprise Applications' filter and search for the app name.
In the Azure Portal, you can view the role assignments from the resource the role is assigned to:
Resource Groups > Mustard001 > Access Control (IAM) > 'Role assignments' tab
In the Azure Portal, you can view the GitHub credential from:
Microsoft Entra ID > App Registrations > the "All applications" tab > click on "MustardSynDeploy" > Certificates & secrets > in the "Federated credentials" tab, click on "MustardDeployCred"
In the Azure Portal, you can view custom role definitions from:
Subscription > Access Control (IAM) > "Roles" tab > search for 'Key Vault resource manager template deployment operator'
In your GitHub repo secrets, save these new Actions secret values:
- AZURE_CLIENT_ID = $application_appid
- AZURE_TENANT_ID = $az_tenantid
- AZURE_SUBSCRIPTION_ID = $az_subid
- AZURE_RG = Mustard001