Workload Identity Federation Policy

In my two latest posts about Workload Identity Federation I explained how Workload Identity Federation works and how to use it with Azure User Assigned Managed Identities. That all works beautifully, but what if you are the one in charge of the Azure platform for your organization? How would you secure such a feature, and what kind of risk is involved?

Well, there could be developers (or consultants) linking GitHub environments outside of your organization's governance sphere to your Azure production environment. That is probably not a very good idea.

To mitigate this risk I've built a little something with Azure Policy. The definition below denies the creation of a federated identity credential on a user-assigned managed identity whenever the issuer is GitHub Actions and the subject does not start with repo:<your GitHub organization>/ (the organization name is a policy parameter):

{
  "properties": {
    "description": "Restricting Azure Managed Identity to a specific GitHub organization increases security by limiting the GitHub organizations who can access your Azure resources.",
    "displayName": "Allow a GitHub organization to use Managed Identity federated credentials",
    "policyType": "custom",
    "mode": "All",
    "metadata": {
      "version": "1.0.0",
      "category": "Managed Identity"
    },
    "version": "1.0.0",
    "parameters": {
      "GitHubOrganization": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed organization",
          "description": "The GitHub organization name that can be used with Managed Identity federated credentials"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
          },
          {
            "field": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/issuer",
            "equals": "https://token.actions.githubusercontent.com"
          },
          {
            "not": {
              "field": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/subject",
              "like": "[concat('repo:', parameters('GitHubOrganization'), '/*')]"
            }
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
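Before assigning a deny policy it is worth checking what it actually matches. The script below is an added example, not code from the original post or from Azure Policy itself: it evaluates the policyRule above offline against a few constructed federated identity credential resources, using the subset of the policy language the rule needs (allOf, not, field, equals, like and the [concat(...)]/parameters(...) template). It follows the documented semantics that equals and like compare case-insensitively and that like accepts a single * wildcard. The organization name contoso and the subjects are placeholders.

```python
"""Offline evaluator for the subset of the Azure Policy language used by the
federated-credential policy above.  Added example, not the post's own code
and not Azure Policy itself: it mirrors the documented semantics (equals and
like are case-insensitive, like allows one '*' wildcard).  The resources
and the organization name 'contoso' below are constructed placeholders."""
import re

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
FIC_TYPE = "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"

# The policyRule from the definition above, as a Python dict.
POLICY_RULE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": FIC_TYPE},
            {"field": FIC_TYPE + "/issuer", "equals": GITHUB_ISSUER},
            {"not": {
                "field": FIC_TYPE + "/subject",
                "like": "[concat('repo:', parameters('GitHubOrganization'), '/*')]",
            }},
        ]
    },
    "then": {"effect": "deny"},
}

# Matches either a single-quoted literal or a parameters('name') reference.
_TOKEN = re.compile(r"'([^']*)'|parameters\('([^']+)'\)")


def resolve(value, params):
    """Expand a template string; only concat() of literals and parameters()
    is implemented, which is all the policy above needs."""
    if not (value.startswith("[") and value.endswith("]")):
        return value
    inner = value[1:-1].strip()
    if not (inner.startswith("concat(") and inner.endswith(")")):
        raise ValueError(f"unsupported template function: {inner}")
    pieces = _TOKEN.findall(inner[len("concat("):-1])
    return "".join(params[name] if name else literal for literal, name in pieces)


def like(value, pattern):
    """Azure Policy 'like': case-insensitive, at most one '*' wildcard."""
    if pattern.count("*") > 1:
        raise ValueError("'like' supports a single '*' wildcard")
    value, pattern = value.lower(), pattern.lower()
    if "*" not in pattern:
        return value == pattern
    head, tail = pattern.split("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def get_field(resource, field):
    """Resolve 'type' or a property alias belonging to the resource's type."""
    if field == "type":
        return resource["type"]
    prefix = resource["type"] + "/"
    if not field.startswith(prefix):
        return None  # alias of another resource type: field is absent
    return resource.get("properties", {}).get(field[len(prefix):])


def evaluate(condition, resource, params):
    if "allOf" in condition:
        return all(evaluate(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource, params) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource, params)
    actual = get_field(resource, condition["field"])
    if "equals" in condition:
        expected = resolve(condition["equals"], params)
        return actual is not None and actual.lower() == expected.lower()
    if "like" in condition:
        return actual is not None and like(actual, resolve(condition["like"], params))
    raise ValueError(f"unsupported condition: {condition}")


def policy_effect(rule, resource, params):
    """Return the effect the rule applies ('deny'), or None when the
    resource does not match the 'if' block."""
    return rule["then"]["effect"] if evaluate(rule["if"], resource, params) else None


def federated_credential(issuer, subject):
    """Constructed ARM-shaped federated identity credential resource."""
    return {"type": FIC_TYPE,
            "properties": {"issuer": issuer, "subject": subject,
                           "audiences": ["api://AzureADTokenExchange"]}}


if __name__ == "__main__":
    params = {"GitHubOrganization": "contoso"}
    for issuer, subject in [
        (GITHUB_ISSUER, "repo:contoso/infra:ref:refs/heads/main"),       # allowed
        (GITHUB_ISSUER, "repo:Contoso/infra:environment:prod"),          # allowed, case-insensitive
        (GITHUB_ISSUER, "repo:contoso-evil/infra:ref:refs/heads/main"),  # denied: the '/' in the pattern matters
        (GITHUB_ISSUER, "repo:other-org/infra:ref:refs/heads/main"),     # denied
        ("https://gitlab.com", "project_path:other/x:ref_type:branch:ref:main"),  # other issuer, not covered
    ]:
        print(policy_effect(POLICY_RULE, federated_credential(issuer, subject), params), subject)
```

Two things the run makes visible: the trailing slash in repo:<org>/* is what stops a look-alike organization such as contoso-evil from slipping past the prefix check, and the rule only constrains the GitHub issuer, so credentials for any other identity provider pass untouched. Keep in mind as well that this policy only reaches federated credentials on user-assigned managed identities, which are ARM resources; federated credentials configured on Entra ID app registrations live in Microsoft Graph and are outside Azure Policy's scope.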