Skip to content
Latchkey

GitHub Actions azure/login "Az CLI Login failed"

azure/login authenticates with either a service-principal secret (creds JSON) or OIDC federation (client-id/tenant-id/subscription-id plus id-token). Wrong, expired, or incomplete credentials cause the Az CLI login to fail.

What this error means

An azure/login step fails with "Az CLI Login failed", sometimes mentioning the federated token, the client id, or an invalid secret.

github-actions
Error: Az CLI Login failed. Please check the credentials and make sure az is installed.
Error: AADSTS70021: No matching federated identity record found for presented assertion.

Common causes

OIDC federation not configured

For client-id based login, the app registration needs a federated credential matching the repo/branch subject, and the job needs id-token: write.

Bad or expired service-principal secret

A creds JSON with a rotated or invalid client secret fails authentication.

How to fix it

Use OIDC with a matching federated credential

  1. Add permissions: id-token: write and contents: read.
  2. Pass client-id, tenant-id, subscription-id and configure a federated credential for the repo/ref.
  3. For secret-based login, refresh the creds JSON with a valid secret.
.github/workflows/ci.yml
permissions:
  id-token: write
  contents: read
steps:
  - uses: azure/login@v2
    with:
      client-id: ${{ secrets.AZURE_CLIENT_ID }}
      tenant-id: ${{ secrets.AZURE_TENANT_ID }}
      subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

How to prevent it

  • Prefer OIDC federation over stored client secrets.
  • Scope the federated credential subject to the exact repo and ref.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →