
[BUG] - Azure integration tests fail every time they're run manually from a branch other than main #2893

Closed
marcelovilla opened this issue Jan 6, 2025 · 5 comments

Comments

@marcelovilla
Member

Describe the bug

We have integration tests for each supported cloud provider, including Azure, that are run on a schedule every week off of main but that can also be triggered manually from any given branch.

The tests running on a schedule are working fine. For example, see:

However, when run manually from another branch, they seem to fail with the following error when trying to authenticate:

Run azure/login@v2
Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Federated token details:
 issuer - https://token.actions.githubusercontent.com/
 subject claim - repo:nebari-dev/nebari:ref:refs/heads/azure-policy-addon
Attempting Azure CLI login by using OIDC...
Error: AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:nebari-dev/nebari:ref:refs/heads/azure-policy-addon'. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: 873ea219-d631-4da8-8b09-6002514c7601 Correlation ID: 81b094c4-9c99-4a16-8d30-5743ae8143f2 Timestamp: 2024-12-26 16:54:59Z

Error: Interactive authentication is needed. Please run:
az login

Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.

See, for example:

All of these were run from branches other than main and do not have any evident changes related to Azure authentication.

Expected behavior

Tests should succeed, at least during the Azure login step.

OS and architecture in which you are running Nebari

GHA

How to Reproduce the problem?

Run the Azure deployment GHA workflow manually from a branch other than main.

Command output

No response

Versions and dependencies used.

No response

Compute environment

None

Integrations

No response

Anything else?

No response

@dcmcand
Contributor

dcmcand commented Jan 10, 2025

With Azure, you need to set a scope for your oidc integration. You cannot just give perms to a repo. The options are to specify:

  • Branch
  • Environment
  • Tag
  • Pull request

Wildcards or patterns are not allowed. Currently it is set to Branch: main.

To be able to run this action from any branch, we could:

  1. Add an environment to the action and allow it for that environment.
  2. Ditch the azure login action and instead generate a highly privileged service principal and pass those creds in.

I favor option 1, but I am interested in what you think @marcelovilla and @viniciusdc

Documentation reference:
https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#entity-type-examples

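As an added illustration (not code from this issue or from the Nebari project) of why the login above fails and how the two proposals change the outcome: a small Python model of how a federated identity credential is matched against the assertion GitHub presents. The subject formats are GitHub's documented OIDC `sub` claim shapes; the environment name, the audience value and the glob-style wildcard check are assumptions, and the wildcard check only approximates the flexible FIC matching mentioned later in the thread.

```python
import fnmatch
from dataclasses import dataclass

ISSUER = "https://token.actions.githubusercontent.com"
AUDIENCE = "api://AzureADTokenExchange"  # assumed: the default audience azure/login requests


def github_subject(repo, *, branch=None, tag=None, environment=None, pull_request=False):
    """Build the `sub` claim GitHub puts in a job's OIDC token.

    A job bound to an environment gets the environment form regardless of the
    branch it runs from, which is what makes option 1 work from any branch.
    """
    if environment:
        return f"repo:{repo}:environment:{environment}"
    if pull_request:
        return f"repo:{repo}:pull_request"
    if tag:
        return f"repo:{repo}:ref:refs/tags/{tag}"
    if branch:
        return f"repo:{repo}:ref:refs/heads/{branch}"
    raise ValueError("need a branch, tag, environment or pull_request")


@dataclass
class FederatedCredential:
    issuer: str
    subject: str
    audiences: tuple = (AUDIENCE,)
    flexible: bool = False  # assumed simplification of a wildcard (flexible) FIC

    def accepts(self, issuer, subject, audience):
        """Issuer, audience and subject must all match; classic FICs match exactly."""
        if issuer.rstrip("/") != self.issuer.rstrip("/"):  # slash tolerance is a simplification
            return False
        if audience not in self.audiences:
            return False
        if self.flexible:
            return fnmatch.fnmatchcase(subject, self.subject)
        return subject == self.subject


# Constructed credentials mirroring the issue: pinned to main, environment-scoped, wildcard.
main_only = FederatedCredential(ISSUER, "repo:nebari-dev/nebari:ref:refs/heads/main")
env_scoped = FederatedCredential(ISSUER, "repo:nebari-dev/nebari:environment:azure-integration")
wildcard = FederatedCredential(ISSUER, "repo:nebari-dev/nebari:ref:refs/heads/*", flexible=True)


def login_outcome(fic, subject):
    return "login ok" if fic.accepts(ISSUER, subject, AUDIENCE) else "no matching federated identity record"
```
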
@viniciusdc
Contributor

viniciusdc commented Jan 10, 2025

Nice catch @dcmcand !

add an environment to the action and allow it for that environment

I also favor this option; I would like to reduce our dependency on high-privilege credentials as much as possible.

@marcelovilla
Member Author

It's unfortunate they don't support the use of wildcards to target several branches. I would also favor the first alternative, as that involves minimal changes in the workflow itself.

@nickludwig

@marcelovilla: Just a bystander but, as of December, we do support wildcards for matching against multiple branches. Our docs are here: Flexible FIC

@marcelovilla
Member Author

Hey @nickludwig, thanks for the heads up! @dcmcand, given there seems to be wildcard support now, I suggest we try that option.
