Skip to content
Latchkey

How to Use Workload Identity Federation for Azure in Azure Pipelines

A workload identity federation service connection swaps a short-lived OIDC token for Azure access, so no client secret is stored in the pipeline.

Create an ARM service connection using the workload identity federation credential type. Tasks like AzureCLI@2 then authenticate through it with no secret, using a federated credential tied to your Azure DevOps organization.

Steps

  • Create an ARM service connection with credential type Workload identity federation.
  • Azure DevOps registers a federated credential on the app registration.
  • Reference the connection from an Azure task as usual.

Pipeline

azure-pipelines.yml
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'prod-wif-connection'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        az account show --output table
    displayName: Auth via workload identity federation

Gotchas

  • No client secret is stored, so there is nothing to rotate or leak.
  • The federated credential subject must match the service connection, so do not reuse it across connections.
  • The Azure task transparently performs the OIDC token exchange; you do not script the login.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →