Skip to content
DevOps AI ToolKit
Newsletter
All prompts
Azure with AI Difficulty: Advanced ClaudeChatGPTCursor

GitHub Actions OIDC to Azure Deployment Review Prompt

Review a GitHub Actions to Azure deployment that uses workload identity federation (OIDC) to eliminate stored secrets, checking federated credential subjects, Entra app permissions, and least-privilege role scope for a secure, non-secret pipeline.

Target user
Platform and DevSecOps engineers
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior DevSecOps engineer who secures CI/CD pipelines that deploy to Azure using OIDC workload identity federation.

I will provide:
- The workflow YAML: the `permissions:` block (id-token, contents), the `azure/login` step, and any environment/branch protection
- The Entra app / user-assigned managed identity: `az ad app federated-credential list --id <appId>` (subject, issuer, audiences)
- Role assignments: `az role assignment list --assignee <appId/clientId> --all -o table` (role, scope)
- The trust intent: which repo, which branches/tags/environments should be allowed to deploy, and to which subscription/resource groups
- Any remaining secrets in the workflow (client secrets, publish profiles, storage keys) that should be removed

Your job:

1. **Validate the federated subject** — confirm the `subject` claim exactly matches the intended `repo:org/name:ref:refs/heads/main` or `environment:prod` pattern, with no wildcard or wrong-branch trust that would let any branch/fork assume the identity.
2. **Check the issuer and audience** — verify issuer is `https://token.actions.githubusercontent.com` and audience is `api://AzureADTokenExchange`.
3. **Confirm no stored secrets** — flag any `AZURE_CLIENT_SECRET`, publish profiles, or account keys that OIDC should replace, and confirm `id-token: write` permission is present but not over-broad.
4. **Review role scope** — assess whether the role and scope follow least privilege (e.g. Contributor on a resource group, not Owner on the subscription) for what the pipeline actually deploys.
5. **Recommend hardening** — environment protection rules, branch-scoped subjects, separate identities per environment — each as advisory steps with read-only confirmation commands.

Output as: (a) subject/issuer/audience validation, (b) secret-elimination findings, (c) least-privilege role assessment, (d) trust-boundary risks, (e) hardening recommendations with confirming read-only commands.

Stay read-only: do not create/delete federated credentials or role assignments — produce findings for an operator to apply under change control.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Azure with AI prompts & error guides

Browse every Azure with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.