Automate Power Platform Environment Creation & Solution Imports with GitHub Actions (Federated Auth Setup)
Automating your CI/CD pipeline for Power Platform solutions streamlines development and reduces manual tasks. Integrating GitHub Actions with federated authentication provides secure and scalable access for creating environments, importing solutions, and even cleaning up temporary environments. This post guides you through automating these tasks with a federated authentication setup.
Introduction
This guide details how to automate Power Platform environment creation and solution import using GitHub Actions with federated authentication. Federated authentication removes the need for direct application credentials by leveraging single sign-on (SSO) capabilities with identity providers. This approach ensures that deployments are secure, compliant, and less reliant on sensitive credentials.
Prerequisites
Ensure you have the following:
- Power Platform Environment: Admin access is required to manage environments.
- Federated Authentication Setup: Configure a federated identity provider, like Azure Active Directory (AAD), with necessary permissions to access Power Platform resources.
- GitHub Repository: This is where workflows and solutions are stored.
- Power Platform CLI: Install and make available the Power Platform CLI in your GitHub environment.
Setting Up Federated Authentication with GitHub Actions
Using federated authentication in GitHub Actions involves configuring an OpenID Connect (OIDC) trust relationship between GitHub and your identity provider (e.g., Azure AD). This setup ensures secure, token-based authentication without storing client secrets.
Configuring OIDC in Azure AD
- Create an App Registration in Azure AD:
  - Go to Azure AD > App Registrations > New Registration.
  - Set the redirect URI to your GitHub repository: https://github.com/<organization>/<repository>.
- Enable Federated Credentials for the app registration:
  - Under Certificates & Secrets, select Federated Credentials > Add Credential.
  - Choose GitHub as the identity provider and set the repository access.
  - Define permissions to allow GitHub Actions access to Power Platform resources.
- Assign Required API Permissions:
  - Add the necessary Power Platform permissions (e.g., Environment.Create, Solution.Import) to the app registration in Azure AD.
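The federated credential configured above only works when its issuer, subject and audience match the claims in the token GitHub issues to the workflow run; a credential created for the main branch will reject a token from a feature branch or a pull request. The following Python script is added here as an illustration (it is not part of the original post and not Microsoft tooling): it builds the subject string Entra ID expects for a branch, tag, environment or pull request trigger, decodes a token's claims and reports any mismatch. The organization contoso, the repository pp-solutions and the tokens are constructed sample values. The decoder deliberately skips signature verification because it is meant for reading claims while troubleshooting a rejected login; Entra ID itself validates the signature against GitHub's published keys.

```python
import base64
import json
from dataclasses import dataclass

# Issuer of GitHub Actions OIDC tokens and the default audience Entra ID
# (Azure AD) expects on a federated credential.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class FederatedCredential:
    """The three values a federated credential is configured with."""
    issuer: str
    subject: str
    audience: str


def expected_subject(org, repo, *, branch=None, tag=None,
                     environment=None, pull_request=False):
    """Build the 'sub' claim GitHub issues for a given trigger; this is the
    subject the federated credential must be configured with."""
    prefix = f"repo:{org}/{repo}"
    if pull_request:
        return f"{prefix}:pull_request"
    if environment is not None:
        return f"{prefix}:environment:{environment}"
    if tag is not None:
        return f"{prefix}:ref:refs/tags/{tag}"
    if branch is not None:
        return f"{prefix}:ref:refs/heads/{branch}"
    raise ValueError("specify branch, tag, environment or pull_request")


def _b64url_decode(segment):
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token):
    """Return the payload of a JWT. The signature is NOT verified here: this
    is for inspecting claims; Entra ID performs the cryptographic check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims, credential):
    """Compare token claims with a credential and return the mismatches
    (an empty list means the token matches this credential)."""
    problems = []
    if claims.get("iss") != credential.issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {credential.issuer!r}")
    if claims.get("sub") != credential.subject:
        problems.append(f"subject {claims.get('sub')!r} != {credential.subject!r}")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if credential.audience not in audiences:
        problems.append(f"audience {aud!r} lacks {credential.audience!r}")
    return problems


def make_unsigned_token(claims):
    """Constructed token with GitHub's layout but a dummy signature
    (real tokens are RS256-signed by GitHub)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"dummy-signature"),
    ])


def sample_token(ref="refs/heads/main"):
    """Constructed sample: the claims GitHub would issue for a push to `ref`
    in the hypothetical repository contoso/pp-solutions."""
    claims = {
        "iss": GITHUB_ISSUER,
        "aud": AZURE_AUDIENCE,
        "sub": f"repo:contoso/pp-solutions:ref:{ref}",
        "repository": "contoso/pp-solutions",
        "ref": ref,
        "workflow": "Power Platform CI/CD with Federated Auth",
    }
    return make_unsigned_token(claims)


if __name__ == "__main__":
    # Credential as it would be configured for the workflow's main branch.
    cred = FederatedCredential(
        GITHUB_ISSUER,
        expected_subject("contoso", "pp-solutions", branch="main"),
        AZURE_AUDIENCE,
    )
    for ref in ("refs/heads/main", "refs/heads/feature/new-form"):
        mismatches = check_claims(decode_jwt_claims(sample_token(ref)), cred)
        print(ref, "->", mismatches or "accepted")
```

When a workflow is triggered from a branch other than the one the credential names, the subject check is the one that fails; add a second federated credential for the additional branch, tag or environment rather than loosening the existing one.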
GitHub Secrets
To enable federated authentication, you will only need:
- AZURE_CLIENT_ID: Client ID of your Azure AD app.
- AZURE_TENANT_ID: Azure tenant ID.
No client secrets are needed because authentication is handled by OIDC and federated credentials.
GitHub Actions Workflow
The following GitHub Actions workflow automates environment creation and solution import with federated authentication:
name: Power Platform CI/CD with Federated Auth
on:
  push:
    branches:
      - main
permissions:
  id-token: write   # lets the job request a GitHub OIDC token for federated auth
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3
      - name: Set Environment Name
        run: echo "ENV_NAME=${{ github.ref_name }}-${{ github.run_id }}" >> "$GITHUB_ENV"
      - name: Authenticate with Azure via Federated Auth
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          # azure/login uses OIDC automatically when no client secret is supplied;
          # the app registration needs no Azure subscription for this scenario.
          allow-no-subscriptions: true
      - name: Authenticate Power Platform CLI via Federated Auth
        # pac keeps its own auth profile; azure/login alone does not sign it in.
        run: pac auth create --githubFederated --applicationId ${{ secrets.AZURE_CLIENT_ID }} --tenant ${{ secrets.AZURE_TENANT_ID }}
      - name: Create Power Platform Environment
        run: pac environment create --name "$ENV_NAME" --region unitedstates --type Production
      - name: Import Solution to Power Platform
        run: pac solution import --path ./solution.zip --environment "$ENV_NAME"
      - name: Cleanup Power Platform Environment on Failure
        if: failure()
        run: pac environment delete --environment "$ENV_NAME"
Workflow Breakdown
- Authenticate with Azure via Federated Auth: GitHub authenticates with Azure AD using federated OIDC credentials, making authentication secure and secret-free.
- Create Power Platform Environment: A unique environment name is generated to avoid conflicts in parallel runs.
- Import Solution: The solution in your repository is imported to the new environment.
- Cleanup on Failure: Deletes the environment if the import fails, ensuring a clean tenant. The failure() condition is true whenever any earlier step failed, so this step also runs if environment creation itself failed (the delete then has nothing to remove); a cancelled run does not trigger it.
Verifying the Workflow
To test:
- Commit and Push: Push the workflow file to your repository.
- Check GitHub Actions: Monitor the “Actions” tab for the workflow run.
- Verify in Power Platform Admin Center: Ensure an environment is created, and check for cleanup if there was an import failure.
Conclusion
Implementing federated authentication with GitHub Actions for Power Platform enhances security by avoiding client secrets and using OIDC. This setup automates CI/CD tasks efficiently and keeps your Power Platform tenant clean.
Thanks for the quick turnaround on the auth change – Secretless FTW!