This guide is to help you connect to Azure with OIDC, instead of using a Service Principal.

Overview

This guide will show you how to create an Azure AD App, configure a Federated Credential, and configure env zero to utilize OIDC. The federated credential within the Azure AD app will be configured to accept env zero’s OIDC token. Refer to OIDC Integrations for more background on env zero’s OIDC configuration.

Azure AD App + Federated Credential

The Azure AD App will be configured with a Federated Credential so that it accepts the env zero OIDC token. Using the Azure Portal:
  1. Microsoft Entra ID > App registrations > “+ New Registration”
    1. Enter Name: e.g. “env zero OIDC app”
    2. Select Supported account types; if you’re unsure, choose “Single tenant”
    3. Skip Redirect URI
    4. Register the app.
  2. Under the “env zero OIDC app” > “Certificates and Secrets” > “Federated credentials”
    1. “+ Add credential”
    2. Federated Credential Scenario - Other issuer
    3. Issuer - https://login.app.env0.com/
    4. Subject Identifier - auth0|xxxxxx (see the section below on “Retrieving your Subject Identifier”)
    5. Name - enter a name (e.g. “env0 OIDC”)
    6. Audience - https://prod.env0.com
  3. To use the Azure provider in Terraform, you need to specify the following variables:
    1. ARM_TENANT_ID - you can find the value in your app registration summary (“env zero OIDC app”) under “Directory (tenant) ID”
    2. ARM_CLIENT_ID - you can find the value in your app registration summary (“env zero OIDC app”) under “Application (client) ID”
    3. ARM_SUBSCRIPTION_ID - you can find the Subscription ID on the Azure Subscription overview, or on the overview of the Resource Group you want to use.

Azure AD App Permissions

In order for Terraform to be able to deploy and manage the resources, you need to associate your Azure AD App with your Subscription or Resource Group.
  1. In this example, I will give the “env zero OIDC app” the “Contributor” role in my “sales-acme-demo” resource group. This means that env zero will only be able to create and manage resources within this resource group.
  2. Go to the Resource Group (“sales-acme-demo”) > Access Control (IAM)
  3. Click on “+ Add” > “Add role assignment”
  4. Select a role (the level of privilege to give to Terraform) - in this case, we choose “Contributor” and hit “Next”
  5. Assign access to “User, group, or service principal”
  6. Select a member by “+ Select Members”
  7. Search for “env zero OIDC app” and hit “Select”
  8. Hit “Review + assign”
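The same objects the portal steps above create (the app registration, its federated credential, and a Contributor assignment scoped to one resource group) can also be provisioned as code. The following is an added example and is not part of the env0 documentation or of env0’s own code; it assumes the azuread 3.x and azurerm 3.x provider argument names, an existing resource group (the walkthrough’s “sales-acme-demo” is used as the default), and that the Subject Identifier is supplied by the operator as a variable (the auth0|xxxxxx value is a placeholder). The issuer, subject and audience are the three claims the federated credential matches, so all three must equal what env0 puts in its token.

```hcl
# Added example (not from the env0 docs). Assumes azuread ~> 3.0 and
# azurerm ~> 3.0 argument names; resource-group name and subject are
# placeholders to be replaced with your own values.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = "~> 3.0" }
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azuread" {}

provider "azurerm" {
  features {}
}

variable "env0_subject" {
  description = "Subject Identifier shown in env0 (form auth0|xxxxxx); placeholder"
  type        = string
}

variable "resource_group_name" {
  type    = string
  default = "sales-acme-demo" # resource group used in the walkthrough above
}

data "azurerm_client_config" "current" {}

data "azurerm_resource_group" "target" {
  name = var.resource_group_name
}

# Step 1: the app registration ("Single tenant" == AzureADMyOrg).
resource "azuread_application" "env0" {
  display_name     = "env zero OIDC app"
  sign_in_audience = "AzureADMyOrg"
}

# Step 2: the federated credential. Azure only exchanges a token for this
# app when iss, sub and aud all match these values exactly.
resource "azuread_application_federated_identity_credential" "env0" {
  application_id = azuread_application.env0.id
  display_name   = "env0 OIDC"
  description    = "Trust env0's OIDC issuer for this app only"
  issuer         = "https://login.app.env0.com/"
  subject        = var.env0_subject
  audiences      = ["https://prod.env0.com"]
}

# The service principal is what actually receives the role assignment.
resource "azuread_service_principal" "env0" {
  client_id = azuread_application.env0.client_id
}

# Step 3 (permissions): Contributor scoped to the one resource group,
# not to the whole subscription, matching the walkthrough's least-privilege choice.
resource "azurerm_role_assignment" "env0_contributor" {
  scope                = data.azurerm_resource_group.target.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.env0.object_id
}

# The three ARM_* values the Terraform azurerm provider needs in env0.
output "arm_values" {
  value = {
    ARM_TENANT_ID       = data.azurerm_client_config.current.tenant_id
    ARM_CLIENT_ID       = azuread_application.env0.client_id
    ARM_SUBSCRIPTION_ID = data.azurerm_client_config.current.subscription_id
  }
}
```

Run this once from a workstation that is already signed in to Azure (the bootstrap itself cannot use the OIDC trust it is creating), then copy the three output values into the env0 credential described in the next section. Keeping the role assignment at resource-group scope means a compromised env0 token can only act inside that group.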

Configure env0 OIDC Credential

Go to the organization’s credentials page and create a new deployment credential. Select Azure OIDC type and enter the following fields:
  • Subscription ID - Azure subscription id
  • Tenant ID - Azure tenant id
  • Client ID - Azure client id
(Screenshot: Azure OIDC credential configuration form.)
Azure Provider Version: make sure you use a version of the Azure provider greater than 3.7.0.
OIDC did not work for “=3.7.0”.

Assign your Credential in your Project

After creating your Organization Credential - don’t forget to go into your Project Settings to use the OIDC credential you just created.

Deploying to multiple Azure Subscriptions

Sometimes you want to be able to deploy to multiple Azure Subscriptions in one Terraform workspace. In Terraform / OpenTofu, you can specify multiple azurerm provider blocks in order to target multiple subscriptions; see the example below:
Terraform / OpenTofu (hcl)
provider "azurerm" {
  features {}
  use_oidc = true
  // subscription_id = "b48787a1-7145-425f-99af-62cde6c50e31" (optional)
  // env zero will use the subscription ID defined in the Azure OIDC project credential configuration
}

provider "azurerm" {
  alias = "test"
  features {}
  use_oidc = true
  subscription_id = var.second_subscription
}

variable "second_subscription" {
  type = string
  default = "3ef32f99-33d5-4a4f-bf9c-8a3ebb2b0144"
}

resource "azurerm_resource_group" "example" {
  name     = "env0-example-rg"
  location =  "eastus2"
}

resource "azurerm_resource_group" "second" {
  provider = azurerm.test
  name     = "env0-example-second-rg"
  location =  "eastus2"
}
By simply ensuring that the same App Registration created earlier (“env zero OIDC app”) has permissions in both subscriptions, you can use one set of credentials to target multiple subscriptions.