How to Authenticate to Azure AKS in GitHub Actions
azure/login signs in with a federated OIDC credential, then azure/aks-set-context fetches the AKS kubeconfig for kubectl.
Sign in with azure/login using client-id, tenant-id, and subscription-id (federated, no secret), then run azure/aks-set-context to target your cluster.
Steps
- Register a federated credential on the app registration for your repo and branch.
- Grant
permissions: id-token: writeto the job. - Run
azure/loginwith the client, tenant, and subscription IDs. - Run
azure/aks-set-contextwith the resource group and cluster name.
Workflow
.github/workflows/deploy.yml
permissions:
id-token: write
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- uses: azure/aks-set-context@v4
with:
resource-group: prod-rg
cluster-name: prod-aks
- run: kubectl apply -f k8s/Gotchas
- For an AKS cluster with Azure AD/RBAC, the app needs an Azure RBAC role like Azure Kubernetes Service Cluster User.
- aks-set-context can use admin credentials with
admin: true, but prefer scoped user access.
Related guides
How to Authenticate to Amazon EKS via OIDC in GitHub ActionsAuthenticate to an Amazon EKS cluster from GitHub Actions without static keys by assuming an IAM role through…
How to Authenticate to GKE via Workload Identity Federation in GitHub ActionsAuthenticate to Google Kubernetes Engine from GitHub Actions keylessly with Workload Identity Federation, the…