Federated credentials does not work on main branch, but works on all other branches #573

@jathavaan

Description

Hi,

I am trying to run a GitHub Workflow that logs in to Azure using federated credentials. I have set up a User-Managed Identity with the Contributor role in the resource group. The workflow works perfectly fine when triggering it on the branch bugfix/77-fix-bug-where-workflow-is-skipping-on-schedule, but fails on main with the following error message:

Run azure/login@v2
  with:
    client-id: bcd1a9a1-fe12-4321-8474-ad0a420a19c8
    tenant-id: 2a585d57-a5a8-4688-a60c-9796389eae7a
    subscription-id: bb7555b6-56fa-4fa6-bff9-f1fe38507c01
    enable-AzPSSession: false
    environment: azurecloud
    allow-no-subscriptions: false
    audience: api://AzureADTokenExchange
    auth-type: SERVICE_PRINCIPAL
Running Azure CLI Login.
/usr/bin/az cloud set -n azurecloud
Done setting cloud: "azurecloud"
Federated token details:
 issuer - https://token.actions.githubusercontent.com
 subject claim - repo:kartAI/doppa-data:ref:refs/heads/main
 audience - api://AzureADTokenExchange
 job_workflow_ref - kartAI/doppa-data/.github/workflows/run-benchmarks.yml@refs/heads/main
Attempting Azure CLI login by using OIDC...
Error: AADSTS7002138: No matching federated identity record found for presented assertion subject 'repo:kartAI/doppa-data:ref:refs/heads/main'. The subject matches with case-insensitive comparison, but not with case-sensitive comparison. Check your federated identity credential Subject, Audience and Issuer against the presented assertion. See documentation at: https://learn.microsoft.com/entra/workload-id/workload-identity-federation. See breaking change notification and remediation at: https://learn.microsoft.com/en-us/entra/identity-platform/reference-breaking-changes#august-2024. Trace ID: ff7074a3-ce1a-45bb-aa72-a0e747510600 Correlation ID: b1723842-0436-499d-9055-83e4433218a9 Timestamp: 2026-02-25 09:29:51Z

Error: Run the command below to authenticate interactively; additional arguments may be added as needed:
az logout
az login

Error: Login failed with Error: The process '/usr/bin/az' failed with exit code 1. Double check if the 'auth-type' is correct. Refer to https://github.com/Azure/login#readme for more information.

The federated credentials for the two branches have been configured like this:

[Screenshots: federated credential configuration for the main branch and for the bugfix branch]

The tenant ID, client ID, and subscription ID are provided below and are, as far as I can see, correct:

| Field | Value |
| --- | --- |
| Tenant ID | 2a585d57-a5a8-4688-a60c-9796389eae7a |
| Subscription ID | bb7555b6-56fa-4fa6-bff9-f1fe38507c01 |
| Client ID | bcd1a9a1-fe12-4321-8474-ad0a420a19c8 |

When running az identity federated-credential list --identity-name doppa-github-ci --resource-group doppa -o jsonc the following is printed:

[
  {
    "audiences": [
      "api://AzureADTokenExchange"
    ],
    "id": "/subscriptions/bb7555b6-56fa-4fa6-bff9-f1fe38507c01/resourcegroups/doppa/providers/Microsoft.ManagedIdentity/userAssignedIdentities/doppa-github-ci/federatedIdentityCredentials/github-actions-main",
    "issuer": "https://token.actions.githubusercontent.com",
    "name": "github-actions-main",
    "resourceGroup": "doppa",
    "subject": "repo:kartAI/doppa-data:ref:refs/heads/main",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
  },
  {
    "audiences": [
      "api://AzureADTokenExchange"
    ],
    "id": "/subscriptions/bb7555b6-56fa-4fa6-bff9-f1fe38507c01/resourcegroups/doppa/providers/Microsoft.ManagedIdentity/userAssignedIdentities/doppa-github-ci/federatedIdentityCredentials/github-actions-pr",
    "issuer": "https://token.actions.githubusercontent.com",
    "name": "github-actions-pr",
    "resourceGroup": "doppa",
    "subject": "repo:kartAI/doppa-data:pull_request",
    "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
  }
]

The workflow that fails is provided below:

name: Run Benchmarks

on:
  workflow_run:
    workflows: [ "Build and Push to Azure Container Registry" ]
    types: [ completed ]
  schedule:
    - cron: "0 */3 * * *"
  workflow_dispatch:

permissions:
  id-token: write
  contents: read

jobs:
  run-benchmarks:
    name: Run Benchmarks via Orchestrator
    runs-on: ubuntu-latest
    if: >
      github.event_name == 'schedule'
      || github.event_name == 'workflow_dispatch'
      || (github.event_name == 'workflow_run'
          && github.event.workflow_run.conclusion == 'success')

    steps:
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      - name: Log in to ACR
        uses: azure/docker-login@v2
        with:
          login-server: ${{ secrets.ACR_NAME }}.azurecr.io
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      - name: Pull Orchestrator from ACR
        run: docker pull ${{ secrets.ACR_NAME }}.azurecr.io/container-orchestrator:latest

      - name: Run Orchestrator Container
        env:
          ACR_LOGIN_SERVER: ${{ vars.ACR_LOGIN_SERVER }}
          ACR_USERNAME: ${{ secrets.ACR_USERNAME }}
          ACR_PASSWORD: ${{ secrets.ACR_PASSWORD }}
          AZURE_BLOB_STORAGE_CONNECTION_STRING: ${{ secrets.AZURE_BLOB_STORAGE_CONNECTION_STRING }}
        run: >
          docker run --rm
          -v "$HOME/.azure:/root/.azure"
          -e ACR_LOGIN_SERVER
          -e ACR_USERNAME
          -e ACR_PASSWORD
          -e AZURE_BLOB_STORAGE_CONNECTION_STRING
          ${{ secrets.ACR_NAME }}.azurecr.io/container-orchestrator:latest

The error says No matching federated identity record found for presented assertion subject 'repo:kartAI/doppa-data:ref:refs/heads/main'. The subject matches with case-insensitive comparison, but not with case-sensitive comparison. But the subject identifier for the federated credential is repo:kartAI/doppa-data:ref:refs/heads/main. What am I missing here? Any help would be greatly appreciated :)
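A small diagnostic, added here as an example and not part of the reporter's workflow or of azure/login, that reproduces the matching Entra describes in AADSTS7002138: issuer and audience must match, and the subject must match case-sensitively. It runs over a constructed copy of the `az identity federated-credential list` output shaped like the one above and reports whether a presented subject matches exactly, only case-insensitively (with the first differing position, so a hidden casing difference can be found), or not at all.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the shape of `az identity federated-credential list -o json`;
# values are modelled on the issue text, not pulled from a real tenant.
SAMPLE_FIC_JSON = json.dumps([
    {"audiences": ["api://AzureADTokenExchange"],
     "issuer": "https://token.actions.githubusercontent.com",
     "name": "github-actions-main",
     "subject": "repo:kartAI/doppa-data:ref:refs/heads/main"},
    {"audiences": ["api://AzureADTokenExchange"],
     "issuer": "https://token.actions.githubusercontent.com",
     "name": "github-actions-pr",
     "subject": "repo:kartAI/doppa-data:pull_request"},
])


@dataclass
class MatchResult:
    status: str                  # "exact", "case_only" or "none"
    credential: Optional[str]    # name of the matching credential, if any
    first_diff: Optional[int]    # index of the first differing character for "case_only"
    detail: str                  # human-readable explanation for the log


def match_fic(presented_subject: str, presented_issuer: str,
              presented_audience: str, fic_json: str) -> MatchResult:
    """Apply issuer/audience filtering, then case-sensitive subject matching.
    A case-insensitive-only hit is remembered so the caller sees why the login failed."""
    case_only: Optional[MatchResult] = None
    for cred in json.loads(fic_json):
        if cred["issuer"] != presented_issuer or presented_audience not in cred["audiences"]:
            continue  # wrong issuer or audience: this record can never match
        configured = cred["subject"]
        if configured == presented_subject:
            return MatchResult("exact", cred["name"], None, "subject matches case-sensitively")
        if configured.lower() == presented_subject.lower() and case_only is None:
            # Locate the first character that differs only in case.
            idx = next((i for i, (a, b) in enumerate(zip(configured, presented_subject)) if a != b),
                       min(len(configured), len(presented_subject)))
            case_only = MatchResult(
                "case_only", cred["name"], idx,
                f"position {idx}: configured {configured[idx]!r} vs presented {presented_subject[idx]!r}")
    return case_only or MatchResult("none", None, None, "no credential with this issuer/audience/subject")


if __name__ == "__main__":
    r = match_fic("repo:kartai/doppa-data:ref:refs/heads/main",
                  "https://token.actions.githubusercontent.com",
                  "api://AzureADTokenExchange", SAMPLE_FIC_JSON)
    print(r.status, r.credential, r.detail)
```

Feed it the `subject claim`, `issuer` and `audience` lines that azure/login prints under "Federated token details" together with the real `az identity federated-credential list -o json` output to see which of the three checks is failing.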
