Skip to content
Latchkey

How to Deploy to GKE or Cloud Run via OIDC From Azure Pipelines

Exchange an Azure DevOps OIDC token for short-lived Google credentials via Workload Identity Federation, then run gcloud.

Get an OIDC token from the pipeline, exchange it through a Workload Identity Federation pool with the STS endpoint, write the credential file, then run gcloud run deploy.

Steps

  • Create a Workload Identity pool and provider trusting the Azure DevOps issuer.
  • Get an OIDC token via an azureRM service connection with workload identity.
  • Write a credential config and point GOOGLE_APPLICATION_CREDENTIALS at it.
  • Run gcloud run deploy or apply manifests to GKE.

azure-pipelines.yml

azure-pipelines.yml
pool:
  vmImage: ubuntu-latest
steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'azdo-oidc'
      scriptType: bash
      scriptLocation: inlineScript
      inlineScript: |
        echo "$idToken" > /tmp/oidc.jwt
        gcloud iam workload-identity-pools create-cred-config \
          projects/123/locations/global/workloadIdentityPools/azdo/providers/azdo \
          --service-account=deployer@my-proj.iam.gserviceaccount.com \
          --credential-source-file=/tmp/oidc.jwt --output-file=/tmp/gcp.json
        export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp.json
        gcloud run deploy web --image gcr.io/my-proj/web:$(Build.BuildId) --region us-central1

Gotchas

  • The provider attribute condition must match the Azure DevOps token subject or the exchange is rejected.
  • Federated credentials are short-lived; keep deploys within the token lifetime.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →