How to Use Workload Identity Federation for Azure in Azure Pipelines
A workload identity federation service connection swaps a short-lived OIDC token for Azure access, so no client secret is stored in the pipeline.
Create an ARM service connection using the workload identity federation credential type. Tasks like AzureCLI@2 then authenticate through it with no secret, using a federated credential tied to your Azure DevOps organization.
Steps
- Create an ARM service connection with credential type Workload identity federation.
- Azure DevOps registers a federated credential on the app registration.
- Reference the connection from an Azure task as usual.
Pipeline
azure-pipelines.yml
steps:
- task: AzureCLI@2
inputs:
azureSubscription: 'prod-wif-connection'
scriptType: bash
scriptLocation: inlineScript
inlineScript: |
az account show --output table
displayName: Auth via workload identity federationGotchas
- No client secret is stored, so there is nothing to rotate or leak.
- The federated credential subject must match the service connection, so do not reuse it across connections.
- The Azure task transparently performs the OIDC token exchange; you do not script the login.
Related guides
How to Run the Azure CLI With a Service Connection in Azure PipelinesRun authenticated az commands in Azure Pipelines with the AzureCLI@2 task, passing an azureSubscription servi…
How to Deploy a Web App With the AzureWebApp Task in Azure PipelinesDeploy a built package to Azure App Service from Azure Pipelines with the AzureWebApp@1 task, pointing it at…