azure/login: Authenticate to Azure in CI
azure/login authenticates your workflow to Azure, ideally via OIDC federated credentials.
With federated credentials, no client secret is stored. The action signs in so subsequent az CLI or Azure deploy steps are authenticated.
Key inputs (with:)
- client-id: the Azure AD application (client) ID.
- tenant-id: the Azure AD tenant ID.
- subscription-id: the target subscription.
- creds: a service-principal JSON (secret-based fallback).
- enable-AzPSSession: also set up an Azure PowerShell session.
Example workflow (OIDC)
.github/workflows/ci.yml
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- run: az group list -o tableOn any runner
This action runs on any runner. Latchkey managed runners run it unchanged.
Key takeaways
- OIDC federated credentials avoid storing a client secret.
- OIDC needs permissions: id-token: write.
- Later az CLI steps inherit the authenticated session.
Related guides
aws-actions/configure-aws-credentials: Auth to AWS in CIReference for aws-actions/configure-aws-credentials: assume an IAM role via OIDC (no static keys) and set AWS…
google-github-actions/auth: Authenticate to Google CloudReference for google-github-actions/auth: authenticate to Google Cloud via Workload Identity Federation (keyl…
hashicorp/setup-terraform: Install Terraform in CIReference for hashicorp/setup-terraform: install a pinned Terraform version and optionally wrap commands to e…