Skip to content
Latchkey

az login: Authenticate Azure CLI in CI

Authenticate the Azure CLI, typically with a service principal or OIDC federated credential in CI.

az login signs the Azure CLI in. Interactive login is impossible in CI, so pipelines use a service principal with --service-principal or a federated OIDC token. After login, every az command runs against the chosen subscription.

Common flags

  • --service-principal - log in as an app registration
  • -u APP_ID and -p SECRET_OR_CERT - client id and secret
  • --tenant TENANT_ID - Azure AD tenant
  • --federated-token TOKEN - OIDC token (no stored secret)

Example in CI

Log in with a service principal secret stored in CI.

shell
az login --service-principal \
  -u "${{ secrets.AZURE_CLIENT_ID }}" \
  -p "${{ secrets.AZURE_CLIENT_SECRET }}" \
  --tenant "${{ secrets.AZURE_TENANT_ID }}"

Common errors in CI

  • AADSTS7000215: Invalid client secret provided - wrong or expired secret
  • AADSTS700016: Application ... not found in the directory - wrong client id or tenant
  • No subscriptions found ... - the SP has no role assignment on any subscription

Key takeaways

  • Signs the Azure CLI in via service principal or federated OIDC in CI.
  • Prefer --federated-token (OIDC) to avoid storing long-lived secrets.
  • Most failures are expired secrets or missing subscription role assignments.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →