Azure / login

Connect to Azure

Federated credential subject claim in workflow does not match subject found on user-assigned managed identity

yoonaoh opened this issue · comments

Hi! I'm running a workflow file, and I keep running into this error:

Error: AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:yoonaoh/github-action-testfunctionapp-java:ref:refs/heads/master'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion

When I check the Subject identifier on my managed identity's federated credential, however, I have it set to this: repo:yoonaoh/github-action-testfunctionapp-java:environment:test-slot

Not sure where this discrepancy is coming from, or how the action is finding the subject.

Hi @yoonaoh, could you provide a screenshot of your managed identity's federated credential? It's configurable.
repo:yoonaoh/github-action-testfunctionapp-java:ref:refs/heads/master in your workflow run log is generated by GitHub.
They should match or the action will not work.

Hi @yoonaoh, in your screenshot, you configured the entity type as environment. But in your workflow file, you didn't use environment. That's why GitHub generates a branch token for you. You have to update your workflow file and use "environment". You can refer to an example here.
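
The mismatch discussed in this thread can be reproduced offline. The following is an added example, not part of the thread or of the azure/login code: it derives the subject GitHub puts in the OIDC token for a job and compares it with the subject stored on the federated credential. The function names are hypothetical, and it assumes the repository uses GitHub's default subject format (no customized subject claim template).

```javascript
// Added example: function names are illustrative, not part of azure/login.
// Assumes GitHub's default OIDC subject format (no custom claim template).

// Subject GitHub issues for a job. Order matters: a job-level
// `environment:` takes precedence over the pull_request and ref forms.
function expectedSubject({ repository, environment, eventName, ref }) {
  const prefix = `repo:${repository}`;
  if (environment) return `${prefix}:environment:${environment}`;
  if (eventName === "pull_request") return `${prefix}:pull_request`;
  return `${prefix}:ref:${ref}`; // refs/heads/<branch> or refs/tags/<tag>
}

// Split a subject into repository, entity type and value.
function parseSubject(sub) {
  const m = /^repo:([^:]+):(environment|ref|pull_request)(?::(.+))?$/.exec(sub);
  if (!m) return null;
  return { repository: m[1], entity: m[2], value: m[3] || "" };
}

// Explain why the presented subject does not match the configured one.
function diagnose(presented, configured) {
  if (presented === configured) return "match";
  const p = parseSubject(presented);
  const c = parseSubject(configured);
  if (!p || !c) return "unrecognized subject format";
  if (p.repository !== c.repository) return "repository differs";
  if (p.entity !== c.entity) {
    return c.entity === "environment"
      ? `credential expects environment '${c.value}', but the job declares no environment`
      : `credential expects entity '${c.entity}', token carries '${p.entity}'`;
  }
  return `${p.entity} value differs: '${p.value}' vs '${c.value}'`;
}

// The two subjects quoted in this thread.
const PRESENTED = "repo:yoonaoh/github-action-testfunctionapp-java:ref:refs/heads/master";
const CONFIGURED = "repo:yoonaoh/github-action-testfunctionapp-java:environment:test-slot";

console.log(diagnose(PRESENTED, CONFIGURED));
```

Either side can be changed to make the two strings equal: declare the environment on the job that runs the login step, or add a federated credential whose subject is the branch form.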