jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity
Files
891e81b8245350f4070654b69d9a2adff0605453
docs/content/admin/github-actions/enabling-github-actions-for-github-enterprise-server/enabling-github-actions-with-azure-blob-storage.md
Matt Pollard 891e81b824 [DO NOT MERGE] GitHub Enterprise Server 3.8 release candidate (#34113) 
Co-authored-by: Rachael Sewell <rachmari@github.com>
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Sarah Edwards <skedwards88@github.com>
Co-authored-by: David Jarzebowski <davidjarzebowski@github.com>
Co-authored-by: Steve Guntrip <stevecat@github.com>
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
Co-authored-by: docubot <67483024+docubot@users.noreply.github.com>
2023-02-07 17:49:44 +00:00

7.6 KiB
Raw Blame History

title, intro, permissions, versions, type, topics, redirect_from, shortTitle, miniTocMaxHeadingLevel
title intro permissions versions type topics redirect_from shortTitle miniTocMaxHeadingLevel
Enabling GitHub Actions with Azure Blob storage You can enable {% data variables.product.prodname_actions %} on {% data variables.product.prodname_ghe_server %} and use Azure Blob storage to store data generated by workflow runs. Site administrators can enable {% data variables.product.prodname_actions %} and configure enterprise settings.
ghes
*
how_to
Actions
Enterprise
Infrastructure
Storage
/admin/github-actions/enabling-github-actions-with-azure-blob-storage
Azure Blob storage 3

{% data reusables.actions.enterprise-storage-about %}

{% ifversion ghes-actions-storage-oidc %} {% data reusables.actions.enterprise-storage-about-oidc %}

{% data reusables.actions.ghes-storage-oidc-beta-note %} {% endif %}

Prerequisites

Before enabling {% data variables.product.prodname_actions %}, make sure you have completed the following steps:

  • Create your Azure storage account for storing workflow data. {% data variables.product.prodname_actions %} stores its data as block blobs, and two storage account types are supported:

    • A general-purpose storage account (also known as general-purpose v1 or general-purpose v2) using the standard performance tier.

      {% warning %}

      Warning: Using the premium performance tier with a general-purpose storage account is not supported. The standard performance tier must be selected when creating the storage account, and it cannot be changed later.

      {% endwarning %}

    • A BlockBlobStorage storage account, which uses the premium performance tier.

    For more information on Azure storage account types and performance tiers, see the Azure documentation. {% data reusables.actions.enterprise-common-prereqs %} {% data reusables.actions.enterprise-oidc-prereqs %}

{% ifversion ghes-actions-storage-oidc %}

Enabling {% data variables.product.prodname_actions %} with Azure Blob storage using OIDC (recommended)

{% data reusables.actions.ghes-storage-oidc-beta-note %}

To configure {% data variables.product.prodname_ghe_server %} to use OIDC with an Azure storage account, you must first register an Azure Active Directory application with OIDC credentials, then configure your storage account, and finally configure {% data variables.product.prodname_ghe_server %} to access the storage container using the Azure Active Directory application.

1. Register an Azure Active Directory application

  1. Log in to the Azure portal.

  2. Register a new application in Azure Active Directory. For more information, see Register an application in the Azure documentation.

  3. In your Azure application, under "Essentials", take note of the values for "Application (client) ID" and "Directory (tenant) ID". These values are used later.

    Azure portal showing the Active Directory app "Essentials" section

  4. In your Azure application, under "Manage", click Certificates & secrets, select the Federated credentials tab, then click Add credential.

    Azure portal showing the Active Directory app "certificates & secrets" page

  5. Enter the following details for the credential:

    1. For "Federated credential scenario", select Other issuer.

    2. For "Issuer", enter https://HOSTNAME/_services/token, where HOSTNAME is the public hostname for {% data variables.location.product_location_enterprise %}. For example, https://my-ghes-host.example.com/_services/token.

    3. For "Subject identifier", enter the public hostname for {% data variables.location.product_location_enterprise %}. For example, my-ghes-host.example.com.

      {% note %}

      Note: The subject identifier must only have the hostname of {% data variables.location.product_location_enterprise %}, and must not include the protocol.

      {% endnote %}

    4. For "Name", enter a name for the credential.

    5. Click Add.

2. Configure your storage account

  1. In the Azure portal, navigate to your storage account.

  2. Click Access Control (IAM), then click Add, and select Add role assignment.

  3. For the role, select "Storage Blob Data Owner", then click Next.

  4. For members, click Select members, and then search for and select the name of the Azure application you created earlier. Click Select.

  5. Click Review + assign, review the role assignment, then click Review + assign again.

  6. In the left menu, under "Settings", click Endpoints.

  7. Under "Blob service", take note of the value for "Blob service", specifically the blob endpoint suffix. This is the value after https://<storageaccountname>.blob. It is typically core.windows.net, but might vary depending on your Azure region or account type.

    For example, if your blob service URL is https://my-storage-account.blob.core.windows.net, the blob endpoint suffix is core.windows.net.

    Note your storage account name and blob endpoint suffix, as these values are used later.

3. Configuring {% data variables.product.prodname_ghe_server %} to connect to Azure using OIDC

{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.actions %} {% data reusables.actions.enterprise-enable-checkbox %} {% data reusables.actions.enterprise-azure-storage-setup %}

  1. Under "Authentication", select OpenID Connect (OIDC), and enter the values for your storage that you noted down in the previous procedures:
    • Azure tenant ID
    • Azure client ID
    • Azure storage account name
    • Azure blob endpoint suffix {% data reusables.enterprise_management_console.test-storage-button %} {% data reusables.enterprise_management_console.save-settings %}

{% endif %}

Enabling {% data variables.product.prodname_actions %} with Azure Blob storage{% ifversion ghes-actions-storage-oidc %} using a connection string{% endif %}

{% data reusables.enterprise_site_admin_settings.access-settings %} {% data reusables.enterprise_site_admin_settings.management-console %} {% data reusables.enterprise_management_console.actions %} {% data reusables.actions.enterprise-enable-checkbox %} {%- ifversion ghes-actions-storage-oidc %} {% data reusables.actions.enterprise-azure-storage-setup %}

  1. Under "Authentication", select Credentials-based, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the Azure documentation. {%- else %}

  2. Under "Artifact & Log Storage", select Azure Blob Storage, and enter your Azure storage account's connection string. For more information on getting the connection string for your storage account, see the Azure documentation.

    Radio button for selecting Azure Blob Storage and the Connection string field {%- endif %} {% data reusables.enterprise_management_console.test-storage-button %} {% data reusables.enterprise_management_console.save-settings %}

{% data reusables.actions.enterprise-postinstall-nextsteps %}

Reference in New Issue View Git Blame Copy Permalink