Azure Setup
This guide walks you through setting up OIDC authentication between GitHub Actions and Azure. LeftSize uses federated credentials so no secrets are stored in your repository – GitHub Actions requests a short-lived token for each scan.
Prerequisites
- An Azure subscription with resources to scan
- Permission to create App Registrations in Azure AD
- A GitHub repository with LeftSize installed
Step 1: Create an App Registration
- Go to the Azure Portal > Azure Active Directory > App registrations
- Click New registration
- Set the name to `leftsize-scanner` (or any name you prefer)
- Leave Supported account types as the default (single tenant)
- Click Register
- Note the Application (client) ID and Directory (tenant) ID
Step 2: Add federated credentials
- In the App Registration, go to Certificates & secrets > Federated credentials
- Click Add credential
- Select GitHub Actions deploying Azure resources
- Configure:
- Organization: Your GitHub organization or username
- Repository: The repository where the LeftSize workflow runs
- Entity type: Branch
- Branch: `main`
- Name: `leftsize-scan`
- Click Add
If you use multiple branches or environments, add additional federated credentials for each.
Step 3: Assign roles
The App Registration needs read-only access to your subscription. Assign these roles at the subscription level:
- Go to Subscriptions > select your subscription > Access control (IAM)
- Click Add role assignment
- Assign the following roles to the App Registration:
| Role | Purpose |
|---|---|
| Reader | Read resource metadata (types, sizes, configurations) |
| Monitoring Reader | Read metrics data (CPU utilization, disk I/O, connections) |
These are read-only roles. LeftSize never modifies your infrastructure.
Step 4: Add secrets to GitHub
In your GitHub repository, go to Settings > Secrets and variables > Actions and add:
| Secret | Value |
|---|---|
| `AZURE_CLIENT_ID_MAIN` | Application (client) ID from Step 1 |
| `AZURE_SUBSCRIPTION_ID_MAIN` | Your Azure Subscription ID |
| `AZURE_TENANT_ID` | Directory (tenant) ID from Step 1 |
| `LEFTSIZE_INSTALLATION_ID` | Provided during LeftSize onboarding |
| `LEFTSIZE_REPOSITORY_TOKEN` | Provided during LeftSize onboarding |
Scanning multiple subscriptions
LeftSize supports scanning multiple Azure subscriptions using a matrix strategy. Edit your workflow to add environments:
```yaml
strategy:
  fail-fast: false
  matrix:
    environment: [MAIN, PROD, DEV]
```
For each environment, create matching secrets: `AZURE_CLIENT_ID_PROD`, `AZURE_SUBSCRIPTION_ID_PROD`, `AZURE_CLIENT_ID_DEV`, `AZURE_SUBSCRIPTION_ID_DEV`.
Each environment needs its own App Registration with federated credentials and Reader + Monitoring Reader roles on the target subscription.
Verifying the setup
- Go to your repository’s Actions tab
- Select LeftSize Cost Optimization Scan
- Click Run workflow
- Check the workflow logs for successful Azure authentication
If authentication fails, verify:
- The federated credential matches your repository name and branch exactly
- The App Registration has Reader and Monitoring Reader roles on the subscription
- The secret names match the environment name in the matrix (e.g., `AZURE_CLIENT_ID_MAIN` for `environment: MAIN`)
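As an added example (not LeftSize's own code) of the three checks above, this Python pre-flight script derives the subject claim GitHub Actions will present for a branch, tag, environment or pull request entity type, compares it with a federated credential record as the portal exposes it (issuer, subject, audiences), and lists the repository secrets the matrix strategy needs. The credential record and the `PROD`/`DEV` sample values are constructed; the claim formats are GitHub's documented OIDC subjects and Azure's default audience.

```python
# Added pre-flight checker, not LeftSize code. Models a federated credential
# as the portal/CLI expose it (issuer, subject, audiences) and derives the
# values GitHub Actions will present, so a mismatch is caught before the run.
from dataclasses import dataclass, field

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"  # Azure's default audience

@dataclass
class FederatedCredential:
    issuer: str
    subject: str
    audiences: list = field(default_factory=lambda: [AZURE_AUDIENCE])

def expected_subject(org, repo, entity_type, value=None):
    """Subject claim GitHub issues for the chosen entity type (documented formats)."""
    base = f"repo:{org}/{repo}"
    if entity_type == "branch":
        return f"{base}:ref:refs/heads/{value}"
    if entity_type == "tag":
        return f"{base}:ref:refs/tags/{value}"
    if entity_type == "environment":
        return f"{base}:environment:{value}"
    if entity_type == "pull_request":
        return f"{base}:pull_request"
    raise ValueError(f"unknown entity type: {entity_type}")

def required_secrets(environments):
    """Repository secret names the matrix strategy expects for these environments."""
    names = ["AZURE_TENANT_ID", "LEFTSIZE_INSTALLATION_ID", "LEFTSIZE_REPOSITORY_TOKEN"]
    for env in environments:
        names += [f"AZURE_CLIENT_ID_{env}", f"AZURE_SUBSCRIPTION_ID_{env}"]
    return names

def check(cred, org, repo, entity_type, value, environments, configured_secrets):
    """Return a list of problems; an empty list means trust and secrets line up."""
    problems = []
    if cred.issuer != GITHUB_ISSUER:
        problems.append(f"issuer is {cred.issuer!r}, expected {GITHUB_ISSUER!r}")
    want = expected_subject(org, repo, entity_type, value)
    if cred.subject != want:  # Azure requires an exact subject match
        problems.append(f"subject is {cred.subject!r}, expected {want!r}")
    if AZURE_AUDIENCE not in cred.audiences:
        problems.append(f"audiences {cred.audiences!r} lack {AZURE_AUDIENCE!r}")
    for name in required_secrets(environments):
        if name not in configured_secrets:
            problems.append(f"missing repository secret {name}")
    return problems
```

Feed `check` the subject string copied from the Federated credentials blade and the names from Settings > Secrets; any returned problem is the exact field to fix.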
Minimal permissions
LeftSize operates with read-only access. The scan:
- Reads resource metadata via Azure Resource Manager
- Reads metrics via Azure Monitor
- Never creates, modifies, or deletes any resources
- Never accesses data stored in your resources (no blob contents, no database queries)