Skip to content
Latchkey

azure/login

Log in to Azure in a workflow, using OIDC federated credentials or a service principal.

Official actionCategory: Cloud Auth & DeployLatest v2View on GitHub

What it does

azure/login authenticates the Azure CLI so subsequent steps can manage resources or deploy apps.

The recommended mode uses OIDC federated credentials, so no client secret is stored in GitHub.

Usage

workflow (.yml)
permissions:
  id-token: write
  contents: read
steps:
  - uses: azure/login@v2
    with:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

Inputs

InputDescriptionDefaultRequired
client-idApp registration client ID.-No
tenant-idAzure tenant ID.-No
subscription-idSubscription to target.-No
credsService principal JSON (avoid; prefer OIDC).-No

Notes

OIDC login needs permissions: id-token: write and a federated credential on the app registration that trusts your repo.

Common errors

  • AADSTS700016 or AADSTS70021 errors usually mean the federated credential subject does not match the workflow (branch, environment, or tag).
  • A missing id-token: write permission breaks OIDC login.

Security and pinning

  • Use OIDC federated credentials rather than a creds service-principal secret.

Alternatives and related

Frequently asked questions

How do I log in to Azure without a client secret?
Add a federated credential to your app registration for the repo, then use client-id/tenant-id/subscription-id with permissions: id-token: write.
Running azure/login? Run it on Latchkey managed runners - self-healing and caching included. Start free → 30-day trial · No credit card