Skip to content
Latchkey

azure/login: Authenticate to Azure in CI

azure/login authenticates your workflow to Azure, ideally via OIDC federated credentials.

With federated credentials, no client secret is stored. The action signs in so subsequent az CLI or Azure deploy steps are authenticated.

Key inputs (with:)

  • client-id: the Azure AD application (client) ID.
  • tenant-id: the Azure AD tenant ID.
  • subscription-id: the target subscription.
  • creds: a service-principal JSON (secret-based fallback).
  • enable-AzPSSession: also set up an Azure PowerShell session.

Example workflow (OIDC)

.github/workflows/ci.yml
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: az group list -o table

On any runner

This action runs on any runner. Latchkey managed runners run it unchanged.

Key takeaways

  • OIDC federated credentials avoid storing a client secret.
  • OIDC needs permissions: id-token: write.
  • Later az CLI steps inherit the authenticated session.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →