az login: Authenticate Azure CLI in CI
Authenticate the Azure CLI, typically with a service principal or OIDC federated credential in CI.
az login signs the Azure CLI in. Interactive login is impossible in CI, so pipelines use a service principal with --service-principal or a federated OIDC token. After login, every az command runs against the chosen subscription.
Common flags
--service-principal- log in as an app registration-u APP_IDand-p SECRET_OR_CERT- client id and secret--tenant TENANT_ID- Azure AD tenant--federated-token TOKEN- OIDC token (no stored secret)
Example in CI
Log in with a service principal secret stored in CI.
shell
az login --service-principal \
-u "${{ secrets.AZURE_CLIENT_ID }}" \
-p "${{ secrets.AZURE_CLIENT_SECRET }}" \
--tenant "${{ secrets.AZURE_TENANT_ID }}"Common errors in CI
- AADSTS7000215: Invalid client secret provided - wrong or expired secret
- AADSTS700016: Application ... not found in the directory - wrong client id or tenant
- No subscriptions found ... - the SP has no role assignment on any subscription
Key takeaways
- Signs the Azure CLI in via service principal or federated OIDC in CI.
- Prefer --federated-token (OIDC) to avoid storing long-lived secrets.
- Most failures are expired secrets or missing subscription role assignments.
Related guides
az acr login: Authenticate to ACR in CILog Docker into Azure Container Registry from CI: flags, a push example, and the registry authentication erro…
az aks get-credentials: AKS kubeconfig in CIFetch AKS cluster credentials into kubeconfig from CI: the key flags, a pipeline example, and the auth and ac…
az keyvault secret show: Read Key Vault in CIRead a secret from Azure Key Vault in CI: flags to extract the value, an example, and the access policy error…