Skip to main content

Example of using AD service principal to get access to a Radix application in a GitHub action

To create a GitHub Actions you need to create a workflow file in the folder .github/workflows.

Steps in the example:

  • "Az CLI login" - login to the Azure with a service principal - an app registration Application ID or user-assigned managed identity Client ID
  • "Get Azure principal token for Radix" - get an Azure access token for the resource 6dae42f8-4368-4678-94ff-3960e28e3630, which is a fixed Application ID, corresponding to the Azure Kubernetes Service AAD Server, globally provided by Azure. This token is put to the environment variable APP_SERVICE_ACCOUNT_TOKEN, available in following GitHub action job steps
  • "Update build secret" - example of use directly the Radix API (Radix Platform API or Radix Playground API), in this case to update a value of a build-secret. It is not recommended to use a Radix API directly, as its schema can be eventually changed
  • "Restart qa env" - example of use the Radix CLI, in this case to restart a Radix application components for an environment. The Radix CLI in this step expects an environment variable APP_SERVICE_ACCOUNT_TOKEN to be set
name: Manage Radix App

on:
push:
branches: [ "main" ]

permissions:
id-token: write
# contents: read # set required permissions (https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs)

jobs:
set-build-secret-and-restart:
runs-on: ubuntu-latest
steps:
- name: 'Az CLI login'
uses: azure/login@v1
with:
client-id: 5e5e5e5e-abcd-efgh-ijkl-f6f6f6f6f6f6 #app registration Application ID or user-assigned managed identity Client ID
tenant-id: 3aa4a235-b6e2-48d5-9195-7fcf05b459b0
allow-no-subscriptions: true
- name: 'Get Azure principal token for Radix'
run: |
token=$(az account get-access-token --resource 6dae42f8-4368-4678-94ff-3960e28e3630 --query=accessToken -otsv)
echo "::add-mask::$token"
echo "APP_SERVICE_ACCOUNT_TOKEN=$token" >> $GITHUB_ENV
- name: Update build secret
run: |
curl https://api.playground.radix.equinor.com/api/v1/applications/your-radix-app-name/buildsecrets/A_BUILD_SECRET \
-X PUT \
-d '{"secretValue":"new value"}' \
-H 'Authorization: Bearer ${{ env.APP_SERVICE_ACCOUNT_TOKEN }}'
- name: Restart qa env
uses: equinor/radix-github-actions@v1
with:
args: >
restart
environment
--application your-radix-app-name
--environment qa
--context playground