azure/login
Log in to Azure in a workflow, using OIDC federated credentials or a service principal.
What it does
azure/login authenticates the Azure CLI so subsequent steps can manage resources or deploy apps.
The recommended mode uses OIDC federated credentials, so no client secret is stored in GitHub.
Usage
workflow (.yml)
permissions:
id-token: write
contents: read
steps:
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}Inputs
| Input | Description | Default | Required |
|---|---|---|---|
client-id | App registration client ID. | - | No |
tenant-id | Azure tenant ID. | - | No |
subscription-id | Subscription to target. | - | No |
creds | Service principal JSON (avoid; prefer OIDC). | - | No |
Notes
OIDC login needs permissions: id-token: write and a federated credential on the app registration that trusts your repo.
Common errors
AADSTS700016orAADSTS70021errors usually mean the federated credential subject does not match the workflow (branch, environment, or tag).- A missing
id-token: writepermission breaks OIDC login.
Security and pinning
- Use OIDC federated credentials rather than a
credsservice-principal secret.
Alternatives and related
Frequently asked questions
How do I log in to Azure without a client secret?
Add a federated credential to your app registration for the repo, then use
client-id/tenant-id/subscription-id with permissions: id-token: write.