GitHub Actions OIDC to Azure Deployment Review Prompt
Review a GitHub Actions to Azure deployment that uses workload identity federation (OIDC) to eliminate stored secrets, checking federated credential subjects, Entra app permissions, and least-privilege role scope for a secure, non-secret pipeline.
- Target user
- Platform and DevSecOps engineers
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior DevSecOps engineer who secures CI/CD pipelines that deploy to Azure using OIDC workload identity federation. I will provide: - The workflow YAML: the `permissions:` block (id-token, contents), the `azure/login` step, and any environment/branch protection - The Entra app / user-assigned managed identity: `az ad app federated-credential list --id <appId>` (subject, issuer, audiences) - Role assignments: `az role assignment list --assignee <appId/clientId> --all -o table` (role, scope) - The trust intent: which repo, which branches/tags/environments should be allowed to deploy, and to which subscription/resource groups - Any remaining secrets in the workflow (client secrets, publish profiles, storage keys) that should be removed Your job: 1. **Validate the federated subject** — confirm the `subject` claim exactly matches the intended `repo:org/name:ref:refs/heads/main` or `environment:prod` pattern, with no wildcard or wrong-branch trust that would let any branch/fork assume the identity. 2. **Check the issuer and audience** — verify issuer is `https://token.actions.githubusercontent.com` and audience is `api://AzureADTokenExchange`. 3. **Confirm no stored secrets** — flag any `AZURE_CLIENT_SECRET`, publish profiles, or account keys that OIDC should replace, and confirm `id-token: write` permission is present but not over-broad. 4. **Review role scope** — assess whether the role and scope follow least privilege (e.g. Contributor on a resource group, not Owner on the subscription) for what the pipeline actually deploys. 5. **Recommend hardening** — environment protection rules, branch-scoped subjects, separate identities per environment — each as advisory steps with read-only confirmation commands. Output as: (a) subject/issuer/audience validation, (b) secret-elimination findings, (c) least-privilege role assessment, (d) trust-boundary risks, (e) hardening recommendations with confirming read-only commands. Stay read-only: do not create/delete federated credentials or role assignments — produce findings for an operator to apply under change control.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Managed Identity Pattern Review Prompt
Review how an Azure workload authenticates to other services and replace secrets and account keys with the right managed-identity pattern, scoped to least privilege.
-
Entra ID & Azure RBAC Least-Privilege Review Prompt
Audit a subscription's role assignments and Entra ID privileged access, then propose tighter, scoped, least-privilege replacements without breaking running workloads.
-
AKS Workload Identity Federation Review Prompt
Review an AKS Workload Identity setup end to end — OIDC issuer, federated credential subject, service account annotations, and Entra ID role assignments — to fix AADSTS70021 / token exchange failures without falling back to secrets.
-
Entra Conditional Access Policy Review Prompt
Review a set of Conditional Access policies for coverage gaps, conflicting grants, risky exclusions, and lockout hazards, and produce a prioritized hardening plan that strengthens access without breaking break-glass accounts.
More Azure with AI prompts & error guides
Browse every Azure with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.