Use GitHub Actions to connect to Azure
Learn how to use the Azure login action with either Azure PowerShell or Azure CLI to interact with your Azure resources.
To use Azure PowerShell or Azure CLI in a GitHub Actions workflow, you first need to log in with the Azure login action.
The Azure login action supports two different ways of authenticating with Azure:
- Service principal with secrets
- OpenID Connect (OIDC) with an Azure service principal using a Federated Identity Credential
With OIDC no long-lived secret is stored in GitHub: the workflow exchanges a short-lived token issued by GitHub for an Azure token at run time, so it is the preferred option where your setup allows it.
By default, the login action logs in with the Azure CLI and sets up the GitHub Actions runner environment for Azure CLI. To use Azure PowerShell as well, set the enable-AzPSSession property of the Azure login action to true. This also sets up the GitHub Actions runner environment with the Azure PowerShell module.
You can use Azure login to connect to public or sovereign clouds, including Azure Government and Azure Stack Hub.
Use the Azure login action with OpenID Connect
To set up Azure login with OpenID Connect and use it in a GitHub Actions workflow, you'll need:
- An Azure Active Directory application, with a service principal that has been assigned an appropriate role on your subscription.
- An Azure Active Directory application configured with a federated credential to trust tokens issued by GitHub Actions to your GitHub repository. You can configure this in the Azure portal or with the Microsoft Graph REST API.
- A GitHub Actions workflow that requests an OIDC token from GitHub (granted by the id-token: write permission) and uses the Azure login action.
Create an Azure Active Directory application and service principal
You'll need to create an Azure Active Directory application and service principal and then assign a role on your subscription to your application so that your workflow has access to your subscription.
If you do not have an existing application, register a new Azure Active Directory application and service principal that can access resources. As part of this process, make sure to:
- Register your application with Azure AD and create a service principal
- Assign a role to the application
Open App registrations in Azure portal and find your application. Copy the values for Application (client) ID and Directory (tenant) ID to use in your GitHub Actions workflow.
Open Subscriptions in Azure portal and find your subscription. Copy the Subscription ID.
Add federated credentials
You can add federated credentials in the Azure portal or with the Microsoft Graph REST API.
- Go to App registrations in the Azure portal and open the app you want to configure.
- Within the app, go to Certificates and secrets.
- In the Federated credentials tab, select Add credential.
- Select the credential scenario GitHub Actions deploying Azure resources. Generate your credential by entering your credential details.
Field | Description | Example
---|---|---
Organization | Your GitHub organization name or GitHub username. | contoso
Repository | Your GitHub repository name. | contoso-app
Entity type | The filter used to scope the OIDC requests from GitHub workflows. This field is used to generate the subject claim. | Environment, Branch, Pull request, Tag
GitHub name | The name of the environment, branch, or tag. | main
Name | Identifier for the federated credential. | contoso-deploy
Azure compares the token's issuer, subject and audience claims with the federated credential exactly, so the entity type and GitHub name must describe the exact branch, tag or environment the workflow runs from; a workflow started from any other ref is rejected.
For a more detailed overview, see Configure an app to trust a GitHub repo.
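The same credential can be created from the command line instead of the portal form. The script below is an added example, not part of this article or of the azure/login project: it derives the subject claim GitHub will place in the workflow's OIDC token for each entity type, wraps it in the parameter document that az ad app federated-credential create accepts, and optionally submits it. The organization, repository and credential names (contoso, contoso-app, contoso-deploy) and the app ID are placeholders you substitute; an authenticated az session is assumed only for the --create path.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft docs): build the federated credential
# for a GitHub Actions workflow and create it with the Azure CLI.
# Entra ID only accepts a token whose iss/sub/aud match the credential exactly,
# so getting the subject string right here is what makes the OIDC login work.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"
DEFAULT_AUDIENCE="api://AzureADTokenExchange"   # default audience of azure/login

# github_subject <org> <repo> <environment|branch|tag|pull_request> [name]
# Mirrors the portal's "Entity type" and "GitHub name" fields.
github_subject() {
  org="$1"; repo="$2"; kind="$3"; name="${4:-}"
  case "$kind" in
    environment|branch|tag)
      [ -n "$name" ] || { printf 'entity type %s needs a name\n' "$kind" >&2; return 1; } ;;
  esac
  case "$kind" in
    environment)  printf 'repo:%s/%s:environment:%s' "$org" "$repo" "$name" ;;
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s' "$org" "$repo" "$name" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s' "$org" "$repo" "$name" ;;
    pull_request) printf 'repo:%s/%s:pull_request' "$org" "$repo" ;;
    *) printf 'unknown entity type: %s\n' "$kind" >&2; return 1 ;;
  esac
}

# federated_credential_json <credential-name> <subject> [audience]
# Inline JSON accepted by `az ad app federated-credential create --parameters`.
federated_credential_json() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}' \
    "$1" "$GITHUB_ISSUER" "$2" "${3:-$DEFAULT_AUDIENCE}"
}

# create_github_federated_credential <app-id> <credential-name> <org> <repo> <entity-type> [name]
# <app-id> is the app registration's Application (client) ID or object ID.
# Needs a logged-in `az`; not exercised by the self-checks.
create_github_federated_credential() {
  app_id="$1"; cred_name="$2"; shift 2
  subject="$(github_subject "$@")"
  params="$(federated_credential_json "$cred_name" "$subject")"
  az ad app federated-credential create --id "$app_id" --parameters "$params"
}

# Run with --create to call Azure, e.g.:
#   ./fedcred.sh --create <app-id> contoso-deploy contoso contoso-app branch main
if [ "${1:-}" = "--create" ]; then
  shift
  create_github_federated_credential "$@"
fi
```

If you change the login action's audience input, pass the same value as the third argument of federated_credential_json; a token whose aud is not in the credential's audiences list is refused just like a wrong subject.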
Create GitHub secrets
You need to provide your application's Client ID, Tenant ID and Subscription ID to the login action. These values can either be provided directly in the workflow or be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.
- Open your GitHub repository and go to Settings.
- Select Security > Secrets and variables > Actions.
- Create secrets for AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_SUBSCRIPTION_ID. Use these values from your Azure Active Directory application for your GitHub secrets:
GitHub secret | Azure Active Directory application
---|---
AZURE_CLIENT_ID | Application (client) ID
AZURE_TENANT_ID | Directory (tenant) ID
AZURE_SUBSCRIPTION_ID | Subscription ID
- Save each secret by selecting Add secret.
Set up Azure Login with OpenID Connect authentication
Your GitHub Actions workflow uses OpenID Connect to authenticate with Azure. To learn more about this interaction, see the GitHub Actions documentation.
In this example, you'll use OpenID Connect with Azure CLI to authenticate with Azure through the Azure login action. The example uses GitHub secrets for the client-id, tenant-id, and subscription-id values. You can also pass these values directly in the login action.
The Azure login action includes an optional audience input parameter that defaults to api://AzureADTokenExchange. You can update this parameter for custom audience values; whatever you set here must also appear in the federated credential's audiences, or the token exchange is rejected.
This workflow authenticates with OpenID Connect and uses Azure CLI to get the details of the connected subscription and list resource groups. The id-token: write permission is what allows the job to request an OIDC token from GitHub; without it the login step fails.
name: Run Azure Login with OpenID Connect
on: [push]

permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: 'Az CLI login'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: 'Run Azure CLI commands'
        run: |
          az account show
          az group list
          pwd
Verify successful Azure Login with OpenID
Open the Az CLI login action and verify that it ran successfully. You should see the message Login successful. If your login is unsuccessful, you'll see the message Az CLI Login failed.
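When the login fails, the quickest diagnosis is to look at the claims in the token the job actually received and compare them with the federated credential. The script below is an added example, not part of this article or of the azure/login action: it decodes the payload of a JWT without verifying the signature (Entra ID does the real validation) and reports which of iss, sub or aud differs from what the credential expects. The sample token it builds for the self-check is constructed here for contoso/contoso-app and is not a real GitHub token; in a workflow you would feed it the token obtained from ACTIONS_ID_TOKEN_REQUEST_URL as shown in the comment.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft docs): inspect the OIDC token claims a
# workflow job receives, to trace "Login failed" to a subject/audience mismatch.
# No signature check is performed; this is inspection only.
set -eu

GITHUB_ISSUER="https://token.actions.githubusercontent.com"

# In a job with `permissions: id-token: write`, the raw token is obtained with:
#   curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
#        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=api://AzureADTokenExchange" | jq -r .value

# b64url_decode <string>: base64url to bytes, restoring the stripped '=' padding.
b64url_decode() {
  s="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# jwt_payload <jwt>: decoded JSON payload (the second dot-separated segment).
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# jwt_claim <jwt> <claim>: value of a top-level string claim, empty if absent.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# check_oidc_token <jwt> <expected-subject> [expected-audience]
# Succeeds only when iss, sub and aud all match the federated credential.
check_oidc_token() {
  tok="$1"; want_sub="$2"; want_aud="${3:-api://AzureADTokenExchange}"
  iss="$(jwt_claim "$tok" iss)"; sub="$(jwt_claim "$tok" sub)"; aud="$(jwt_claim "$tok" aud)"
  rc=0
  [ "$iss" = "$GITHUB_ISSUER" ] || { printf 'issuer mismatch: %s\n' "$iss" >&2; rc=1; }
  [ "$sub" = "$want_sub" ] || { printf "subject mismatch: token has '%s', credential expects '%s'\n" "$sub" "$want_sub" >&2; rc=1; }
  [ "$aud" = "$want_aud" ] || { printf 'audience mismatch: %s\n' "$aud" >&2; rc=1; }
  return $rc
}

# Constructed, unsigned sample token for the self-check (NOT a real GitHub token).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
sample_token() {
  header='{"alg":"RS256","typ":"JWT"}'
  payload='{"iss":"https://token.actions.githubusercontent.com","sub":"repo:contoso/contoso-app:ref:refs/heads/main","aud":"api://AzureADTokenExchange","repository":"contoso/contoso-app","ref":"refs/heads/main"}'
  printf '%s.%s.%s' "$(b64url_encode "$header")" "$(b64url_encode "$payload")" "not-a-real-signature"
}

# Usage: ./oidc-claims.sh --check <jwt> <expected-subject>
if [ "${1:-}" = "--check" ]; then
  check_oidc_token "$2" "$3"
fi
```

A subject of repo:contoso/contoso-app:ref:refs/heads/main matches only a credential created for the branch main; a push to another branch, or a run from a pull request or environment, carries a different sub and must have its own federated credential.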
Use the Azure login action with a service principal secret
To use Azure login with a service principal, you first need to add your Azure service principal as a secret to your GitHub repository.
Create a service principal
In this example, you will create a secret named AZURE_CREDENTIALS that you can use to authenticate with Azure.
Open Azure Cloud Shell in the Azure portal or Azure CLI locally.
Note
If you are using Azure Stack Hub, you'll need to set your SQL Management endpoint to not supported:
az cloud update -n {environmentName} --endpoint-sql-management https://notsupported
Create a new service principal for your app with the following command. The service principal must be assigned an appropriate role; scope the assignment as narrowly as the deployment allows (here, a single resource group rather than the whole subscription).
az ad sp create-for-rbac --name "myApp" --role contributor \
    --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
    --json-auth
The parameter --json-auth outputs the result dictionary accepted by the login action and is available in Azure CLI versions >= 2.51.0. Versions prior to this use --sdk-auth with a deprecation warning. Copy the JSON object for your service principal.
{
  "clientId": "<GUID>",
  "clientSecret": "<GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}
Add the service principal as a GitHub secret
- In GitHub, go to your repository.
- Go to Settings in the navigation menu.
- Select Security > Secrets and variables > Actions.
- Select New repository secret.
- Paste the entire JSON output from the Azure CLI command into the secret's value field. Give the secret the name AZURE_CREDENTIALS.
- Select Add secret.
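Unlike the OIDC flow, the client secret in AZURE_CREDENTIALS is a long-lived credential, so it needs to be rotated. The script below is an added example, not part of this article or of the azure/login action: it resets the service principal's password with the Azure CLI, assembles the JSON shape the login action's creds input expects, checks that nothing is missing, and writes it straight to the repository secret with the GitHub CLI so the secret never passes through a clipboard. The app ID, subscription ID and owner/repo are placeholders you supply; logged-in az and gh sessions are assumed only for rotate_sp_secret, and the GUIDs in the self-check are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft docs): rotate a service principal
# secret and push the new AZURE_CREDENTIALS value to GitHub in one step.
set -eu

# credentials_json <clientId> <clientSecret> <tenantId> <subscriptionId>
# The dictionary azure/login reads from its `creds` input.
credentials_json() {
  printf '{"clientId":"%s","clientSecret":"%s","subscriptionId":"%s","tenantId":"%s"}' \
    "$1" "$2" "$4" "$3"
}

# validate_credentials_json <json>: every key the login action needs is present and non-empty.
validate_credentials_json() {
  for key in clientId clientSecret subscriptionId tenantId; do
    printf '%s' "$1" | grep -q "\"$key\":\"[^\"][^\"]*\"" \
      || { printf 'missing or empty %s\n' "$key" >&2; return 1; }
  done
}

# rotate_sp_secret <app-id> <subscription-id> <owner/repo>
# `credential reset` without --append invalidates the previous password, so any
# other consumer of the old secret stops working as soon as this runs.
rotate_sp_secret() {
  app_id="$1"; subscription_id="$2"; repo="$3"
  set -f   # no globbing while splitting the tab-separated output
  set -- $(az ad sp credential reset --id "$app_id" --years 1 \
             --query '[appId,password,tenant]' -o tsv)
  set +f
  creds="$(credentials_json "$1" "$2" "$3" "$subscription_id")"
  validate_credentials_json "$creds"
  printf '%s' "$creds" | gh secret set AZURE_CREDENTIALS --repo "$repo"
}

# Usage: ./rotate.sh --rotate <app-id> <subscription-id> contoso/contoso-app
if [ "${1:-}" = "--rotate" ]; then
  rotate_sp_secret "$2" "$3" "$4"
fi
```

Run it from a scheduled job or a break-glass runbook; since the secret value is read from stdin by gh, it does not land in shell history or the process list.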
Use the Azure login action
Use the service principal secret with the Azure Login action to authenticate to Azure.
In this workflow, you authenticate using the Azure login action with the service principal details stored in secrets.AZURE_CREDENTIALS. Then, you run an Azure CLI action. For more information about referencing GitHub secrets in a workflow file, see Using encrypted secrets in a workflow in GitHub Docs.
Once you have a working Azure login step, you can use the Azure PowerShell or Azure CLI actions. You can also use other Azure actions, like Azure webapp deploy and Azure functions.
on: [push]
name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'
Use the Azure PowerShell action
In this example, you log in with the Azure Login action and then retrieve a resource group with the Azure PowerShell action.
on: [push]
name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'
          enable-AzPSSession: true
      - name: Azure PowerShell Action
        uses: Azure/powershell@v1
        with:
          inlineScript: Get-AzResourceGroup -Name "< YOUR RESOURCE GROUP >"
          azPSVersion: "latest"
Use the Azure CLI action
In this example, you log in with the Azure Login action and then retrieve a resource group with the Azure CLI action.
on: [push]
name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - name: Azure CLI script
        uses: azure/CLI@v1
        with:
          azcliversion: 2.0.72
          inlineScript: |
            az account show
            az storage -h
Connect to Azure Government and Azure Stack Hub clouds
To log in to one of the Azure Government clouds, set the optional parameter environment to one of the supported cloud names, AzureUSGovernment or AzureChinaCloud. If this parameter is not specified, it takes the default value AzureCloud and connects to the Azure public cloud.
- name: Login to Azure US Gov Cloud with CLI
  uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
    environment: 'AzureUSGovernment'
    enable-AzPSSession: false
- name: Login to Azure US Gov Cloud with Az PowerShell
  uses: azure/login@v1
  with:
    creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
    environment: 'AzureUSGovernment'
    enable-AzPSSession: true
Connect with other Azure services
The following articles provide details on connecting to GitHub from Azure and other services.
Azure Active Directory
Power BI
Connectors
Azure Databricks