azure/login@v2 github action with federated identity (ADB2C)
My github workflow has the following step:
- name: Az CLI login for connecting to ADB2C instance
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    audience: api://AzureADTokenExchange
    allow-no-subscriptions: true
    enable-AzPSSession: true
I get the error:
AADSTS700213: No matching federated identity record found for presented assertion subject 'repo:{orgname}/{repo}:environment:staging'.
But in my app registration that has the client id and tenant id used above, the federated credential is configured to use a branch entity type and the branch "staging" is specified. The Subject identifier is "repo:{orgname}/{repo}:ref:refs/heads/staging"
I can't figure out why this step is insisting that this should be an environment entity rather than a branch entity. It's obviously obtaining the info from the app registration because it knows the configured organization and repo, and even the environment (which has the same name as the branch).
What's the trick to make this work?
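To show how the subject that Entra compares against the federated credential is formed, here is an added example (not code from the original post) that derives the GitHub OIDC `sub` claim from a job's context, following GitHub's documented precedence rules, and checks it against the configured federated-credential subjects; the org/repo name used is a constructed placeholder.

```python
"""Derive the GitHub OIDC `sub` claim a workflow job presents and compare it
against the subjects configured on an Entra ID federated credential.

Added example, not from the original post. The rules follow GitHub's
documented behaviour: a job that declares `environment:` presents
`repo:ORG/REPO:environment:NAME`; otherwise a pull_request event presents
`repo:ORG/REPO:pull_request`, and everything else presents
`repo:ORG/REPO:ref:REF`. The repository name is a constructed placeholder.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class JobContext:
    repository: str            # "org/repo", as in GITHUB_REPOSITORY
    ref: str                   # full ref, e.g. "refs/heads/staging"
    event_name: str            # e.g. "push" or "pull_request"
    environment: Optional[str]  # set when the job declares `environment:`


def expected_subject(ctx: JobContext) -> str:
    """Subject claim GitHub places in the job's OIDC token."""
    if ctx.environment:
        # An environment takes precedence over the ref, whatever the event.
        return f"repo:{ctx.repository}:environment:{ctx.environment}"
    if ctx.event_name == "pull_request":
        return f"repo:{ctx.repository}:pull_request"
    return f"repo:{ctx.repository}:ref:{ctx.ref}"


def matching_credential(ctx: JobContext, configured: List[str]) -> Optional[str]:
    """Return the configured subject that matches the presented claim,
    or None, which is the condition that surfaces as AADSTS700213."""
    sub = expected_subject(ctx)
    return sub if sub in configured else None


if __name__ == "__main__":
    # Constructed input: a branch-type federated credential for "staging",
    # exercised by a job on that branch with and without `environment:`.
    configured = ["repo:example-org/example-repo:ref:refs/heads/staging"]
    for env in ("staging", None):
        job = JobContext("example-org/example-repo", "refs/heads/staging", "push", env)
        print(expected_subject(job), "->", matching_credential(job, configured))
```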