Azure/appservice-landing-zone-accelerator

Getting federated identity related error when creating ASE resources using the security baseline bicep pipeline

enrique-ochoa opened this issue · 1 comment

I followed all the instructions from https://github.com/cloned_repo/appservice-landing-zone-accelerator/tree/main/scenarios/secure-baseline-ase/bicep/README.md
but I am getting a federated identity related error when running the pipeline, even when I picked the service principal based AZ authentication instead of OpenID Connect, which, by the way, does not have instructions in the document yet:
"Use Azure login action with OpenID Connect (coming soon)"

This is the stack trace:
....
Using OIDC authentication...
##[debug]ID token url is https://pipelines.actions.githubusercontent.com/FqbsBXc9KKJd9S5PK0czxKCwpMCGdac2JpSnZvoimy31MjIFyK/00000000-0000-0000-0000-000000000000/_apis/distributedtask/hubs/Actions/plans/d518d765-9e29-4885-a5e9-2318f18d6363/jobs/ef53817e-be1e-5b9f-8d47-e63fd9dfbe04/idtoken?api-version=2.0&audience=api%3A%2F%2FAzureADTokenExchange
::add-mask::***
Federated token details:
issuer - https://token.actions.githubusercontent.com
subject claim - repo:/appservice-landing-zone-accelerator:environment:production
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Error: : AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://token.actions.githubusercontent.com/'. Assertion Subject: 'repo:/appservice-landing-zone-accelerator:environment:production'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
Trace ID: 65bd76de-04c3-4ce5-a0ed-a9d8479d4400
Correlation ID: 47b80d2d-3c7b-4e78-bcb6-c6deb9b88b59
Timestamp: 2023-05-22 18:16:08Z

Error: Interactive authentication is needed. Please run:
az login

Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows
...
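The AADSTS70021 in the trace above means Azure AD found no federated identity credential whose issuer, subject and audience all match the assertion GitHub presented. As an added example (not code from the accelerator repository or from this issue), the Python checker below parses the "Federated token details" lines from an azure/login log, splits the GitHub subject claim into owner, repo and scope, and compares the assertion against a list of federated credential records in the shape `az ad app federated-credential list` returns. The log lines are a copy of the trace in this issue; the credential record, its name and the `example-org` owner are constructed assumptions. It also flags a subject whose owner segment is empty, which is what the subject in the trace shows.

```python
"""Check a GitHub Actions OIDC assertion against the federated identity
credentials configured on an Azure AD app, to explain an AADSTS70021.

Added example for this issue; not code from the accelerator repository.
Matching here is exact on issuer and subject and requires the assertion
audience to be in the credential's audience list, which is the condition
the AADSTS70021 message says was not met.
"""
import re

# Copy of the 'Federated token details' lines from the trace in this issue.
SAMPLE_LOG = """\
Federated token details:
issuer - https://token.actions.githubusercontent.com
subject claim - repo:/appservice-landing-zone-accelerator:environment:production
"""

# Constructed credential record (the owner 'example-org' is an assumption),
# in the shape returned by: az ad app federated-credential list --id <app-id>
SAMPLE_CREDENTIALS = [
    {
        "name": "github-prod",
        "issuer": "https://token.actions.githubusercontent.com",
        "subject": "repo:example-org/appservice-landing-zone-accelerator:environment:production",
        "audiences": ["api://AzureADTokenExchange"],
    },
]

# Audience azure/login requests, as seen in the ID token URL of the trace.
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"


def parse_token_details(log_text):
    """Pull issuer and subject out of the 'Federated token details' lines."""
    issuer = re.search(r"^issuer - (\S+)$", log_text, re.M)
    subject = re.search(r"^subject claim - (\S+)$", log_text, re.M)
    if not issuer or not subject:
        raise ValueError("federated token details not found in log")
    return {"issuer": issuer.group(1), "subject": subject.group(1), "audience": DEFAULT_AUDIENCE}


def parse_github_subject(subject):
    """Split a GitHub Actions subject claim into its parts.

    Environment-scoped form: repo:<owner>/<repo>:environment:<name>
    Branch-scoped form:      repo:<owner>/<repo>:ref:refs/heads/<branch>
    """
    m = re.fullmatch(r"repo:([^/:]*)/([^:]*):(environment|ref):(.+)", subject)
    if not m:
        raise ValueError(f"unrecognised subject format: {subject!r}")
    owner, repo, scope, value = m.groups()
    return {"owner": owner, "repo": repo, "scope": scope, "value": value}


def find_mismatches(assertion, credentials):
    """Return [(credential name, list of fields that differ)] for every record.

    An empty field list for a record means that record would accept the assertion.
    """
    report = []
    for cred in credentials:
        bad = []
        if cred["issuer"] != assertion["issuer"]:
            bad.append("issuer")
        if cred["subject"] != assertion["subject"]:
            bad.append("subject")
        if assertion["audience"] not in cred["audiences"]:
            bad.append("audience")
        report.append((cred["name"], bad))
    return report


def diagnose(log_text, credentials):
    """Parse the log, compare against the credentials and collect findings."""
    assertion = parse_token_details(log_text)
    parts = parse_github_subject(assertion["subject"])
    findings = []
    if parts["owner"] == "":
        findings.append("subject has an empty owner segment; expected repo:<owner>/<repo>:...")
    report = find_mismatches(assertion, credentials)
    matching = [name for name, bad in report if not bad]
    if not matching:
        for name, bad in report:
            findings.append(f"credential {name!r} differs from the assertion in: {', '.join(bad)}")
    return {"assertion": assertion, "subject_parts": parts, "matching": matching, "findings": findings}


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_CREDENTIALS)["findings"]:
        print(line)
```

Run against the trace, the checker reports that no record matches and that the only differing field is the subject; fixing the subject on the credential (or the repository/environment the workflow runs from) is what removes the AADSTS70021. The subject parts are also useful on their own, since the owner, repository and environment in the claim must match the credential character for character.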

This is now addressed in #152.