
OIDC authentication to authenticate from packer to azure


I have the HCL template below for custom image generation in Azure:

required_plugins {
    # ">= 1.0.0" also admits the 2.x line of the Azure plugin, which is the
    # one the linked blog post below describes.
    azure = {
      version = ">= 1.0.0"
      source  = "github.com/hashicorp/azure"
    }
  }
}
# NOTE(review): the closing brace above ends a `packer { ... }` block whose
# opening line is not included in this paste.
# Builds an image from a marketplace base and publishes it both as a managed
# image and as a version in a Shared Image Gallery.
source "azure-arm" "example" {
  managed_image_name                 = "MT-Image"
  managed_image_resource_group_name  = "cg"
  location                           = "eastus"
  # Using Azure CLI for authentication (whatever identity `az` is logged in as).
  # NOTE(review): for a non-interactive/CI build this is the attribute to swap
  # for an explicit credential (e.g. an OIDC client_jwt).
  use_azure_cli_auth = true
  # NOTE(review): "20_04-lts-gen2" looks like an Ubuntu-style SKU name, while
  # the publisher/offer are Visual Studio and os_type is "Windows". Confirm
  # the publisher/offer/sku triple against the marketplace listing — a
  # mismatched triple would be expected to fail at image lookup.
  image_offer     = "visualstudio2022"
  image_publisher = "microsoftvisualstudio"
  image_sku       = "20_04-lts-gen2"
  os_type         = "Windows"
  vm_size         = "Standard_E2b_v5"
  os_disk_size_gb = 64
  # Single-region, locally-redundant replication of the published version.
  shared_image_gallery_destination {
    resource_group       = "cg"
    gallery_name         = "gallery1"
    image_name           = "newimage"
    image_version        = "1.0.1"
    replication_regions  = ["eastus"]
    storage_account_type = "Standard_LRS"
  }
}
build {
  sources = [
    "source.azure-arm.example"
  ]
  # Removes the Web-Server feature, waits for the Azure guest agents, then
  # generalizes the VM and blocks until sysprep reports it is resealed.
  provisioner "powershell" {
    inline = [
      # Drop the Web-Server Windows feature (presumably to shrink the image's
      # attack surface).
      "Remove-WindowsFeature Web-Server",
      # Do not sysprep until both Azure agent services report Running.
      "while ((Get-Service RdAgent).Status -ne 'Running') { Start-Sleep -s 5 }",
      "while ((Get-Service WindowsAzureGuestAgent).Status -ne 'Running') { Start-Sleep -s 5 }",
      # /generalize strips machine-specific state; /quit makes sysprep exit
      # instead of shutting down, so the loop below can watch for completion.
      "& $env:SystemRoot\\System32\\Sysprep\\Sysprep.exe /oobe /generalize /quiet /quit",
      # Poll the Setup\State ImageState value every 10s until sysprep reports
      # IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE; the provisioner only returns then.
      "while($true) { $imageState = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\State | Select ImageState; if($imageState.ImageState -ne 'IMAGE_STATE_GENERALIZE_RESEAL_TO_OOBE') { Write-Output $imageState.ImageState; Start-Sleep -s 10  } else { break } }"
    ]
  }
}

My requirement is to use OIDC authentication instead. What changes to the template, and what setup steps, are needed to authenticate with OIDC?

I came across this blog post: https://www.hashicorp.com/blog/version-2-packer-azure-plugin-now-available


There is 1 answer

Marcin Słowikowski On

I'm guessing you want to build an Azure VM image with Packer from GitHub Actions.

First you need to configure OIDC:

  • create a Microsoft Entra application and its service principal
  • add a federated credential to the application, scoped to the specific repository and branch/environment that should be allowed to log in
  • store the client ID, tenant ID and subscription ID as GitHub secrets/variables (with OIDC there is no client secret to store)
  • set up Azure Login with OpenID Connect authentication (the workflow job needs the `id-token: write` permission to request the token)

In your HCL file:

  • remove use_azure_cli_auth = true
  • add the following inside source block (source "azure-arm" "example" {):
# OIDC credentials — these replace use_azure_cli_auth.
client_id       = var.arm_client_id
client_jwt      = var.arm_oidc_token   # supplied per run via ARM_OIDC_TOKEN
subscription_id = var.subscription_id
  • add the following at the top level:
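# Identity of the Entra application that carries the federated credential.
variable "arm_client_id" {
  type        = string
  description = "Client (application) ID of the Entra app registration used for OIDC."
  default     = env("ARM_CLIENT_ID")
}

# The OIDC token is a bearer credential: mark it sensitive so Packer redacts
# it from build output and logs instead of echoing it.
variable "arm_oidc_token" {
  type        = string
  description = "OIDC JWT presented to Entra ID as client_jwt."
  sensitive   = true
  default     = env("ARM_OIDC_TOKEN")
}

variable "subscription_id" {
  type        = string
  description = "Azure subscription the image is built in."
  default     = env("ARM_SUBSCRIPTION_ID")
}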

Please see additional details and examples in the documentation: