Skip to content
Latchkey

How to Authenticate Terraform to GCP and Azure With OIDC

Workload Identity Federation on GCP and OIDC federated credentials on Azure both hand Terraform temporary credentials, keeping static keys out of CI.

On GCP use google-github-actions/auth with workload_identity_provider; on Azure use azure/login with a federated credential. Both require id-token: write and avoid storing a JSON key or client secret.

GCP auth

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: google-github-actions/auth@v2
    with:
      workload_identity_provider: projects/123/locations/global/workloadIdentityPools/gh/providers/gh
      service_account: tf-ci@acme.iam.gserviceaccount.com

Azure auth

.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: azure/login@v2
    with:
      client-id: ${{ vars.AZURE_CLIENT_ID }}
      tenant-id: ${{ vars.AZURE_TENANT_ID }}
      subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

Gotchas

  • For the azurerm provider, set use_oidc = true so it consumes the federated token.
  • Bind the GCP provider or Azure federated credential to your exact repo and branch subject.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →