Use GitHub Actions to connect to Azure

Learn how to use Azure login with either Azure PowerShell or Azure CLI to interact with your Azure resources.

To use Azure PowerShell or Azure CLI in a GitHub Actions workflow, you need to first log in with the Azure login action.

The Azure login action supports two different ways of authenticating with Azure:

  • OpenID Connect (OIDC) with a federated credential, so no client secret has to be stored in GitHub
  • A service principal secret stored as a GitHub secret

By default, the login action logs in with the Azure CLI and sets up the GitHub Actions runner environment for Azure CLI. To use Azure PowerShell instead, set the enable-AzPSSession property of the Azure login action; this sets up the runner environment with the Azure PowerShell module.

You can use Azure login to connect to public or sovereign clouds including Azure Government and Azure Stack Hub.

Use the Azure login action with OpenID Connect

To set up an Azure Login with OpenID Connect and use it in a GitHub Actions workflow, you'll need:

  • An Active Directory application, with a service principal that has Contributor access to your subscription
  • An Active Directory application configured with a federated credential to trust tokens issued by GitHub Actions to your GitHub repository. You can configure this in the Azure portal or with the Microsoft Graph REST APIs
  • A GitHub Actions workflow that requests an ID token from GitHub (the id-token: write permission) and uses the Azure login action

Create an active directory application and service principal

You'll need to create an Azure Active Directory application and service principal and then assign a role on your subscription to your application so that your workflow has access to your subscription.

  1. If you do not have an existing application, register a new Active Directory application and service principal that can access resources. As part of this process, make sure to:

    • Register your application with Azure AD and create a service principal
    • Assign a role to the application
  2. Open App registrations in Azure portal and find your application. Copy the values for Application (client) ID and Directory (tenant) ID to use in your GitHub Actions workflow.

  3. Open Subscriptions in Azure portal and find your subscription. Copy the Subscription ID.

Add federated credentials

You can add federated credentials in the Azure portal or with the Microsoft Graph REST API.

  1. Go to App registrations in the Azure portal and open the app you want to configure.
  2. Within the app, go to Certificates & secrets.
  3. In the Federated credentials tab, select Add credential.
  4. Select the credential scenario GitHub Actions deploying Azure resources. Generate your credential by entering your credential details.
    Field         Description                                                              Example
    Organization  Your GitHub organization name or GitHub username.                       contoso
    Repository    Your GitHub repository name.                                            contoso-app
    Entity type   The filter used to scope the OIDC requests from GitHub workflows.       Environment, Branch, Pull request, Tag
                  This field is used to generate the subject claim.
    GitHub name   The name of the environment, branch, or tag.                            main
    Name          Identifier for the federated credential.                                contoso-deploy

For a more detailed overview, see Configure an app to trust a GitHub repo.
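The entity type and GitHub name above are only a user-interface shortcut: Azure stores a single subject string, and at login time it compares that string exactly against the sub claim of the ID token GitHub mints for the workflow. The following shell example is added here and is not part of the Microsoft documentation or of the azure/login action. It builds the subject for each entity type, emits the JSON body that the Microsoft Graph federatedIdentityCredentials endpoint (or az ad app federated-credential create) expects, and shows why a credential scoped to main rejects a token from another branch. The organization, repository and credential names are the constructed values from the table; APP_ID is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Azure docs: construct the GitHub Actions OIDC subject
# that a federated credential must match, and the credential JSON to register.
# All names below are constructed sample values.

GITHUB_ISSUER="https://token.actions.githubusercontent.com"   # issuer for github.com-hosted workflows
AZURE_AUDIENCE="api://AzureADTokenExchange"                  # default audience of azure/login

# github_subject ORG REPO ENTITY_TYPE NAME
#   ENTITY_TYPE is one of: environment | branch | tag | pull_request
#   Prints the exact "sub" claim GitHub places in the workflow's ID token.
github_subject() {
  org=$1; repo=$2; entity=$3; name=$4
  case "$entity" in
    environment)  printf 'repo:%s/%s:environment:%s\n' "$org" "$repo" "$name" ;;
    branch)       printf 'repo:%s/%s:ref:refs/heads/%s\n' "$org" "$repo" "$name" ;;
    tag)          printf 'repo:%s/%s:ref:refs/tags/%s\n' "$org" "$repo" "$name" ;;
    pull_request) printf 'repo:%s/%s:pull_request\n' "$org" "$repo" ;;
    *) echo "unknown entity type: $entity" >&2; return 1 ;;
  esac
}

# fic_body NAME SUBJECT
#   Prints the federated identity credential object (name, issuer, subject, audiences).
fic_body() {
  printf '{"name":"%s","issuer":"%s","subject":"%s","audiences":["%s"]}\n' \
    "$1" "$GITHUB_ISSUER" "$2" "$AZURE_AUDIENCE"
}

# subject_matches SUBJECT_FROM_TOKEN EXPECTED_SUBJECT
#   Azure performs an exact string comparison, no wildcards: a credential scoped
#   to "main" does not accept a token minted on a feature branch.
subject_matches() {
  [ "$1" = "$2" ]
}

# Demo run (set AZ_FIC_DEMO=1): main-branch deploys from contoso/contoso-app.
if [ "${AZ_FIC_DEMO:-0}" = 1 ]; then
  sub=$(github_subject contoso contoso-app branch main)
  echo "subject: $sub"
  fic_body contoso-deploy "$sub"
  # To register it for real (requires az login as an owner of the app; APP_ID is a placeholder):
  #   fic_body contoso-deploy "$sub" > fic.json
  #   az ad app federated-credential create --id "$APP_ID" --parameters fic.json
fi
```

Scoping the credential to an environment rather than a branch is usually the safer choice, because environment deployments can additionally be gated by required reviewers in GitHub, whereas anyone who can push to the named branch can obtain a token whose subject matches a branch-scoped credential.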

Create GitHub secrets

You need to provide your application's Client ID, Tenant ID and Subscription ID to the login action. These values can either be provided directly in the workflow or can be stored in GitHub secrets and referenced in your workflow. Saving the values as GitHub secrets is the more secure option.

  1. Open your GitHub repository and go to Settings.

  2. Select Secrets and then New Secret.

  3. Create secrets for AZURE_CLIENTID, AZURE_TENANTID, and AZURE_SUBSCRIPTION_ID. Use these values from your Active Directory application for your GitHub secrets:

    GitHub secret           Active Directory application
    AZURE_CLIENTID          Application (client) ID
    AZURE_TENANTID          Directory (tenant) ID
    AZURE_SUBSCRIPTION_ID   Subscription ID
  4. Save each secret by selecting Add secret.

Set up Azure Login with OpenID Connect authentication

Your GitHub Actions workflow uses OpenID Connect to authenticate with Azure. To learn more about this interaction, see the GitHub Actions documentation.

In this example, you'll use OpenID Connect with the Azure CLI to authenticate to Azure through the Azure login action. The example reads the client-id, tenant-id, and subscription-id values from GitHub secrets; you can also pass these values directly in the login action.

The Azure login action includes an optional audience input parameter that defaults to api://AzureADTokenExchange. You can update this parameter for custom audience values.

This workflow authenticates with OpenID Connect and uses Azure CLI to show the details of the connected subscription and list its resource groups.

name: Run Azure Login with OpenID Connect
on: [push]

permissions:
  id-token: write
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
    - name: 'Az CLI login'
      uses: azure/login@v1
      with:
        client-id: ${{ secrets.AZURE_CLIENTID }}
        tenant-id: ${{ secrets.AZURE_TENANTID }}
        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

    - name: 'Run Azure CLI commands'
      run: |
        az account show
        az group list
        pwd

Verify successful Azure Login with OpenID

Open the Az CLI login step in the workflow run and verify that it ran successfully. You should see the message Login successful. If the login is unsuccessful, you'll see the message Az CLI Login failed.

Use the Azure login action with a service principal secret

To use Azure login with a service principal, you first need to add your Azure service principal as a secret to your GitHub repository.

Create a service principal and add it as a GitHub secret

In this example, you will create a secret named AZURE_CREDENTIALS that you can use to authenticate with Azure.

  1. Open Azure Cloud Shell in the Azure portal or Azure CLI locally.

    Note

    If you are using Azure Stack Hub, you'll need to set your SQL Management endpoint to "not supported":

        az cloud update -n {environmentName} --endpoint-sql-management https://notsupported

  2. Create a new service principal in the Azure portal for your app. The service principal must be assigned the Contributor role.

        az ad sp create-for-rbac --name "myApp" --role contributor \
                                    --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
                                    --sdk-auth
    
  3. Copy the JSON object for your service principal.

    {
        "clientId": "<GUID>",
        "clientSecret": "<GUID>",
        "subscriptionId": "<GUID>",
        "tenantId": "<GUID>",
        (...)
    }
    
  4. Open your GitHub repository and go to Settings.

  5. Select Secrets and then New Secret.

  6. Paste in your JSON object for your service principal with the name AZURE_CREDENTIALS.

  7. Save by selecting Add secret.
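The JSON object from step 3 is the only credential the workflow has, so it is worth checking its shape before pasting it into AZURE_CREDENTIALS, and worth having a redacted form for any logging. The shell example below is added here and is not part of the Microsoft documentation or of the azure/login action. It assumes the --sdk-auth layout shown above (clientId, clientSecret, subscriptionId, tenantId), and the sample object it checks is constructed, not a real service principal.

```shell
#!/bin/sh
# Added example, not from the Azure docs: sanity-check the "az ad sp create-for-rbac
# --sdk-auth" JSON before storing it as the AZURE_CREDENTIALS secret, and produce a
# redacted copy that is safe to log. The sample values are constructed.

GUID_RE='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'

# Constructed sample in the layout the page shows; not a real credential.
SAMPLE_CREDS='{"clientId":"11111111-2222-3333-4444-555555555555","clientSecret":"constructed-secret-value","subscriptionId":"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee","tenantId":"99999999-8888-7777-6666-555555555555"}'

# has_guid_field JSON KEY : succeeds if "KEY": "<guid>" is present
has_guid_field() {
  printf '%s' "$1" | grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*\"$GUID_RE\""
}

# has_nonempty_field JSON KEY : succeeds if "KEY": "<non-empty string>" is present
# (clientSecret is a random string, not a GUID, so it gets the looser check)
has_nonempty_field() {
  printf '%s' "$1" | grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]+\""
}

# validate_sdk_auth JSON : reports each failed check on stderr, returns 0 only if all pass
validate_sdk_auth() {
  json=$1; rc=0
  for key in clientId subscriptionId tenantId; do
    has_guid_field "$json" "$key" || { echo "missing or malformed $key" >&2; rc=1; }
  done
  has_nonempty_field "$json" clientSecret || { echo "missing clientSecret" >&2; rc=1; }
  return $rc
}

# redact_sdk_auth JSON : same object with the clientSecret value replaced by ***
redact_sdk_auth() {
  printf '%s' "$1" | sed -E 's/("clientSecret"[[:space:]]*:[[:space:]]*")[^"]*"/\1***"/'
}

# Demo run (set AZ_CREDS_DEMO=1): validate and print only the redacted form.
if [ "${AZ_CREDS_DEMO:-0}" = 1 ]; then
  if validate_sdk_auth "$SAMPLE_CREDS"; then
    echo "credential object looks complete:"
    redact_sdk_auth "$SAMPLE_CREDS"
  else
    echo "credential object is incomplete; do not store it" >&2
  fi
fi
```

Because the secret sits in a single JSON blob, a workflow that prints the action's input, or a `set -x` debug run, would expose it in the job log; running any diagnostics against redact_sdk_auth output rather than the raw secret avoids that.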

Use the Azure login action

Use the service principal secret with the Azure Login action to authenticate to Azure.

In this workflow, you authenticate using the Azure login action with the service principal details stored in secrets.AZURE_CREDENTIALS. Then, you run an Azure CLI action. For more information about referencing GitHub secrets in a workflow file, see Using encrypted secrets in a workflow in GitHub Docs.

Once you have a working Azure login step, you can use the Azure PowerShell or Azure CLI actions. You can also use other Azure actions, like Azure webapp deploy and Azure functions.

on: [push]

name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'

Use the Azure PowerShell action

In this example, you log in with the Azure Login action and then list the virtual machines in a resource group with the Azure PowerShell action.

on: [push]

name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Log in with Azure
        uses: azure/login@v1
        with:
          creds: '${{ secrets.AZURE_CREDENTIALS }}'
          enable-AzPSSession: true
      - name: Azure PowerShell Action
        uses: Azure/powershell@v1
        with:
          inlineScript: Get-AzVM -ResourceGroupName "< YOUR RESOURCE GROUP >"
          azPSVersion: 3.1.0

Use the Azure CLI action

In this example, you log in with the Azure Login action and then run Azure CLI commands with the Azure CLI action.

on: [push]

name: AzureLoginSample

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:

    - name: Log in with Azure
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_CREDENTIALS }}

    - name: Azure CLI script
      uses: azure/CLI@v1
      with:
        azcliversion: 2.0.72
        inlineScript: |
          az account show
          az storage -h

Connect to Azure Government and Azure Stack Hub clouds

To log in to Azure Government or another sovereign cloud, set the optional environment parameter to a supported cloud name such as AzureUSGovernment or AzureChinaCloud. If this parameter is not specified, it takes the default value AzureCloud and connects to the Azure public cloud.

    - name: Login to Azure US Gov Cloud with CLI
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
        environment: 'AzureUSGovernment'
        enable-AzPSSession: false
    - name: Login to Azure US Gov Cloud with Az PowerShell
      uses: azure/login@v1
      with:
        creds: ${{ secrets.AZURE_US_GOV_CREDENTIALS }}
        environment: 'AzureUSGovernment'
        enable-AzPSSession: true

Connect with other Azure services

The following articles provide details on connecting to GitHub from Azure and other services.

  • Azure Active Directory
  • Power BI
  • Connectors
  • Azure Databricks