Skip to content
Latchkey

How to Authenticate to Azure AKS in GitHub Actions

azure/login signs in with a federated OIDC credential, then azure/aks-set-context fetches the AKS kubeconfig for kubectl.

Sign in with azure/login using client-id, tenant-id, and subscription-id (federated, no secret), then run azure/aks-set-context to target your cluster.

Steps

  • Register a federated credential on the app registration for your repo and branch.
  • Grant permissions: id-token: write to the job.
  • Run azure/login with the client, tenant, and subscription IDs.
  • Run azure/aks-set-context with the resource group and cluster name.

Workflow

.github/workflows/deploy.yml
permissions:
  id-token: write
  contents: read
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: azure/aks-set-context@v4
        with:
          resource-group: prod-rg
          cluster-name: prod-aks
      - run: kubectl apply -f k8s/

Gotchas

  • For an AKS cluster with Azure AD/RBAC, the app needs an Azure RBAC role like Azure Kubernetes Service Cluster User.
  • aks-set-context can use admin credentials with admin: true, but prefer scoped user access.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →