How to Authenticate Terraform to GCP and Azure With OIDC
Workload Identity Federation on GCP and OIDC federated credentials on Azure both hand Terraform temporary credentials, keeping static keys out of CI.
On GCP use google-github-actions/auth with workload_identity_provider; on Azure use azure/login with a federated credential. Both require id-token: write and avoid storing a JSON key or client secret.
GCP auth
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
steps:
- uses: google-github-actions/auth@v2
with:
workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh
service_account: tf-ci@acme.iam.gserviceaccount.comAzure auth
.github/workflows/ci.yml
permissions:
id-token: write
contents: read
steps:
- uses: azure/login@v2
with:
client-id: ${{ vars.AZURE_CLIENT_ID }}
tenant-id: ${{ vars.AZURE_TENANT_ID }}
subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}Gotchas
- For the azurerm provider, set
use_oidc = trueso it consumes the federated token. - Bind the GCP provider or Azure federated credential to your exact repo and branch subject.
Related guides
How to Authenticate Terraform to AWS With OIDC in CIAuthenticate Terraform to AWS from GitHub Actions using OIDC and a short-lived assumed role, removing long-li…
How to Configure GCS and azurerm Remote State in CISet up a Terraform gcs or azurerm remote state backend for CI, where object versioning and blob leases provid…