### Implement OIDC Login Workflow Source: https://context7.com/azure/login/llms.txt A complete workflow example using OIDC authentication, requiring id-token permissions. ```yaml # File: .github/workflows/azure-oidc-login.yml name: Azure OIDC Login on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login with OIDC uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az group list --output table ``` -------------------------------- ### Azure Login without Subscription Source: https://github.com/azure/login/blob/master/README.md This example demonstrates how to log in to Azure without requiring a subscription, which is useful for tenant-level commands like `az ad`. Set `allow-no-subscriptions` to `true`. ```yaml # File: .github/workflows/workflow.yml on: [push] name: Run Azure Login without subscription jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Azure Login uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} allow-no-subscriptions: true enable-AzPSSession: true - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Run Azure PowerShell uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzContext ``` -------------------------------- ### Azure Login Action - User-Assigned Managed Identity Authentication Source: https://context7.com/azure/login/llms.txt Guide on authenticating to Azure using a user-assigned managed identity, useful for self-hosted runners requiring specific identity configurations. ```APIDOC ## POST /azure/login (User-Assigned Managed Identity) ### Description Authenticates to Azure using a user-assigned managed identity. This method is applicable for self-hosted runners where a specific user-assigned managed identity needs to be utilized for authentication. The client ID of the managed identity must be provided. ### Method POST ### Endpoint /azure/login ### Parameters #### Query Parameters - **auth-type** (string) - Required - Set to `IDENTITY` to use managed identity authentication. - **client-id** (string) - Required - Client ID of the user-assigned managed identity. - **tenant-id** (string) - Required - Azure AD tenant ID. - **subscription-id** (string) - Optional - Azure subscription ID. If not provided, the default subscription will be used. ### Request Example ```yaml # Example for User-Assigned Managed Identity login - name: Azure Login with User-Assigned Identity uses: azure/login@v3 with: auth-type: "IDENTITY" client-id: "${{ secrets.USER_ASSIGNED_IDENTITY_CLIENT_ID }}" tenant-id: "${{ secrets.AZURE_TENANT_ID }}" subscription-id: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" ``` ### Response #### Success Response (200) - **token** (string) - Authentication token for Azure. - **subscription** (object) - Details of the active Azure subscription. #### Response Example ```json { "token": "eyJ...".", "subscription": { "id": "00000000-0000-0000-0000-000000000000", "name": "MySubscription" } } ``` ``` -------------------------------- ### Complete CI/CD Deployment Workflow Source: https://context7.com/azure/login/llms.txt Demonstrates a full pipeline using OIDC authentication, ARM template deployment, and web app publishing. ```yaml name: Complete Azure Deployment on: push: branches: [main] permissions: id-token: write contents: read env: AZURE_WEBAPP_NAME: my-webapp AZURE_RESOURCE_GROUP: my-rg jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - name: Azure Login uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true - name: Verify Login and List Resources uses: azure/cli@v2 with: azcliversion: latest inlineScript: | echo "Logged in as:" az account show --query "{Name:name, SubscriptionId:id, TenantId:tenantId}" --output table echo "Available resource groups:" az group list --query "[].{Name:name, Location:location}" --output table - name: Deploy Infrastructure with ARM uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az deployment group create \ --resource-group ${{ env.AZURE_RESOURCE_GROUP }} \ --template-file ./infrastructure/main.bicep \ --parameters environment=production - name: Deploy Web App uses: azure/webapps-deploy@v2 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} package: ./publish - name: Verify Deployment with PowerShell uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | $webapp = Get-AzWebApp -ResourceGroupName "${{ env.AZURE_RESOURCE_GROUP }}" -Name "${{ env.AZURE_WEBAPP_NAME }}" Write-Host "Web App State: $($webapp.State)" Write-Host "Default Hostname: $($webapp.DefaultHostName)" ``` -------------------------------- ### Configure Azure Login with Custom Cleanup Source: https://context7.com/azure/login/llms.txt Uses environment variables to toggle pre- and post-cleanup behavior during multi-subscription deployments. ```yaml name: Azure Login with Custom Cleanup on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: # Enable pre-cleanup and post-cleanup - name: First Azure Login uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: true AZURE_LOGIN_POST_CLEANUP: true with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Deploy to first subscription uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az group list --output table # Disable cleanup to maintain session for subsequent logins - name: Second Azure Login uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: false AZURE_LOGIN_POST_CLEANUP: false with: client-id: ${{ secrets.AZURE_CLIENT_ID_2 }} tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }} - name: Deploy to second subscription uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az group list --output table ``` -------------------------------- ### Configure Basic OIDC Login Source: https://context7.com/azure/login/llms.txt A minimal configuration for OIDC-based authentication using GitHub secrets. ```yaml # Basic OIDC login configuration - name: Azure Login uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} ``` -------------------------------- ### Azure Login Action - Basic Configuration Source: https://context7.com/azure/login/llms.txt This snippet shows the basic configuration for the Azure Login action using OIDC with client ID, tenant ID, and subscription ID. ```APIDOC ## POST /azure/login ### Description Authenticates to Azure using provided credentials or managed identity. ### Method POST ### Endpoint /azure/login ### Parameters #### Query Parameters - **client-id** (string) - Optional - Client ID of service principal or user-assigned managed identity - **tenant-id** (string) - Optional - Azure AD tenant ID - **subscription-id** (string) - Optional - Azure subscription ID - **creds** (string) - Optional - JSON credentials for service principal authentication - **enable-AzPSSession** (boolean) - Optional - Enable Azure PowerShell login. Defaults to `false`. - **environment** (string) - Optional - Azure cloud environment. Defaults to `azurecloud`. - **allow-no-subscriptions** (boolean) - Optional - Allow login without subscription. Defaults to `false`. - **audience** (string) - Optional - JWT audience for OIDC. Defaults to `api://AzureADTokenExchange`. - **auth-type** (string) - Optional - Authentication type (SERVICE_PRINCIPAL or IDENTITY). Defaults to `SERVICE_PRINCIPAL`. ### Request Example ```yaml # Basic OIDC login configuration - name: Azure Login uses: azure/login@v3 with: client-id: "${{ secrets.AZURE_CLIENT_ID }}" tenant-id: "${{ secrets.AZURE_TENANT_ID }}" subscription-id: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" ``` ### Response #### Success Response (200) - **token** (string) - Authentication token for Azure - **subscription** (object) - Details of the active Azure subscription #### Response Example ```json { "token": "eyJ...".", "subscription": { "id": "00000000-0000-0000-0000-000000000000", "name": "MySubscription" } } ``` ``` -------------------------------- ### Azure Login Configuration Parameters Source: https://github.com/azure/login/blob/master/README.md Overview of the input parameters available for the Azure Login action to manage authentication and environment settings. ```APIDOC ## Azure Login Configuration ### Parameters #### Request Body - **subscription-id** (string) - Optional - Specifies the login subscription ID. Used in OIDC and managed identity. - **tenant-id** (string) - Optional - Specifies the login tenant ID. Used in OIDC and managed identity. - **creds** (string) - Optional - JSON string containing clientSecret, subscriptionId, tenantId, and clientId for service principal authentication. Ignored if client-id, subscription-id, or tenant-id are set. - **enable-AzPSSession** (boolean) - Optional - Set to true to log in with the Azure PowerShell module. Default is false (Azure CLI only). - **environment** (string) - Optional - Specifies the Azure cloud environment. Supported values: AzureCloud (default), AzureUSGovernment, AzureChinaCloud, AzureGermanCloud, AzureStack. - **allow-no-subscriptions** (boolean) - Optional - Set to true to allow login to tenants without subscriptions. - **audience** (string) - Optional - Custom audience for the JWT ID token when using OIDC. Default is api://AzureADTokenExchange. - **auth-type** (string) - Optional - Specifies authentication type. Default is SERVICE_PRINCIPAL. Use IDENTITY for Managed Identity. ### Request Example { "creds": "{\"clientSecret\": \"******\", \"subscriptionId\": \"******\", \"tenantId\": \"******\", \"clientId\": \"******\"}", "enable-AzPSSession": true, "environment": "AzureUSGovernment" } ``` -------------------------------- ### Azure Login Action - OIDC Authentication Source: https://context7.com/azure/login/llms.txt Demonstrates how to log in to Azure using OpenID Connect (OIDC) with federated credentials, which is the recommended secure method. ```APIDOC ## POST /azure/login (OIDC) ### Description Authenticates to Azure using OpenID Connect (OIDC) with federated credentials. This method is recommended for enhanced security as it avoids storing long-lived secrets. ### Method POST ### Endpoint /azure/login ### Parameters #### Query Parameters - **client-id** (string) - Required - Client ID of the service principal or managed identity configured with federated credentials. - **tenant-id** (string) - Required - Azure AD tenant ID. - **subscription-id** (string) - Optional - Azure subscription ID. If not provided, the default subscription will be used or an error may occur if multiple subscriptions are available. - **audience** (string) - Optional - JWT audience for OIDC. Defaults to `api://AzureADTokenExchange`. ### Request Example ```yaml # File: .github/workflows/azure-oidc-login.yml name: Azure OIDC Login on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login with OIDC uses: azure/login@v3 with: client-id: "${{ secrets.AZURE_CLIENT_ID }}" tenant-id: "${{ secrets.AZURE_TENANT_ID }}" subscription-id: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az group list --output table ``` ### Response #### Success Response (200) - **token** (string) - Authentication token for Azure. - **subscription** (object) - Details of the active Azure subscription. #### Response Example ```json { "token": "eyJ...".", "subscription": { "id": "00000000-0000-0000-0000-000000000000", "name": "MySubscription" } } ``` ``` -------------------------------- ### Azure Login Action Configuration Source: https://github.com/azure/login/blob/master/README.md Configure the azure/login action with your Azure credentials and enable Azure PowerShell sessions. Use environment variables to control pre and post-cleanup actions based on the runner's name. ```yaml - name: Azure Login uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }} AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }} with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true ``` -------------------------------- ### Run Azure CLI with OIDC Source: https://github.com/azure/login/blob/master/README.md Workflow configuration for authenticating with Azure via OIDC and executing an Azure CLI command. ```yaml # File: .github/workflows/workflow.yml name: Run Azure Login with OIDC on: [push] permissions: id-token: write contents: read jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Azure login uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show ``` -------------------------------- ### Enable/Disable Cleanup Steps for Azure Login Source: https://github.com/azure/login/blob/master/README.md Control the cleanup behavior of the Azure Login action using environment variables. `AZURE_LOGIN_PRE_CLEANUP` controls the main step cleanup (disabled by default), and `AZURE_LOGIN_POST_CLEANUP` controls the post step cleanup (enabled by default). ```yaml # File: .github/workflows/workflow.yml on: [push] name: Cleanup examples for Multiple Azure Login jobs: deploy: runs-on: ubuntu-latest steps: # enable cleanup for the 1st Azure Login - name: Azure Login uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: true AZURE_LOGIN_POST_CLEANUP: true with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true # run some actions # disable cleanup for all other Azure Login - name: Azure Login 2 uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: false AZURE_LOGIN_POST_CLEANUP: false with: client-id: ${{ secrets.AZURE_CLIENT_ID_2 }} tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }} enable-AzPSSession: true # run other actions # disable cleanup for all other Azure Login - name: Azure Login 3 uses: azure/login@v3 env: AZURE_LOGIN_PRE_CLEANUP: false AZURE_LOGIN_POST_CLEANUP: false with: client-id: ${{ secrets.AZURE_CLIENT_ID_3 }} tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }} enable-AzPSSession: true # run other actions ``` -------------------------------- ### Run Azure CLI and PowerShell with OIDC Source: https://github.com/azure/login/blob/master/README.md Workflow configuration for authenticating with Azure via OIDC and executing both Azure CLI and Azure PowerShell commands. ```yaml # File: .github/workflows/workflow.yml name: Run Azure Login with OIDC on: [push] permissions: id-token: write contents: read jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Azure login uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Azure PowerShell script uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzContext ``` -------------------------------- ### Login to Azure US Government Cloud Source: https://context7.com/azure/login/llms.txt Configures authentication for the Azure US Government cloud by setting the environment and audience parameters. ```yaml # File: .github/workflows/azure-gov-login.yml name: Azure US Government Login on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login to US Government Cloud uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} environment: AzureUSGovernment audience: api://AzureADTokenExchangeUSGov - name: Run Azure CLI uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az cloud show az account show ``` -------------------------------- ### Login to Azure US Government cloud Source: https://github.com/azure/login/blob/master/README.md Configures a GitHub Actions workflow to authenticate specifically against the Azure US Government cloud environment. ```yaml on: [push] name: Login to Azure US Government cloud jobs: build-and-deploy: runs-on: ubuntu-latest steps: - uses: azure/login@v3 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: 'AzureUSGovernment' enable-AzPSSession: true ``` -------------------------------- ### Login to Azure Stack Hub Source: https://context7.com/azure/login/llms.txt Configures authentication for hybrid cloud scenarios using a specific environment and credentials secret. ```yaml name: Azure Stack Hub Login on: [push] jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login to Azure Stack Hub uses: azure/login@v3 with: creds: ${{ secrets.AZURE_STACK_CREDENTIALS }} environment: AzureStack enable-AzPSSession: true - name: Run Azure CLI on Stack uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az cloud show az account show ``` ```json { "clientId": "00000000-0000-0000-0000-000000000000", "clientSecret": "your-client-secret", "subscriptionId": "00000000-0000-0000-0000-000000000000", "tenantId": "00000000-0000-0000-0000-000000000000", "resourceManagerEndpointUrl": "https://management.local.azurestack.external" } ``` -------------------------------- ### Implement System-Assigned Managed Identity Login Source: https://context7.com/azure/login/llms.txt Workflow for self-hosted runners on Azure VMs using system-assigned managed identity. ```yaml # File: .github/workflows/azure-system-identity.yml name: Azure System-Assigned Managed Identity Login on: [push] jobs: deploy: runs-on: self-hosted steps: - name: Azure Login with System-Assigned Identity uses: azure/login@v3 with: auth-type: IDENTITY tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az vm list --output table ``` -------------------------------- ### Implement Service Principal Secret Login Source: https://context7.com/azure/login/llms.txt Workflow using a service principal secret for authentication when OIDC is not available. ```yaml # File: .github/workflows/azure-sp-login.yml name: Azure Service Principal Login on: [push] jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login with Service Principal uses: azure/login@v3 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az webapp list --output table ``` -------------------------------- ### Login to Azure Stack Hub Cloud Source: https://github.com/azure/login/blob/master/README.md Use this snippet to log in to an Azure Stack Hub cloud using the azure/login action. Ensure your Azure credentials are provided via secrets. ```yaml on: [push] name: Login to Azure Stack Hub cloud jobs: build-and-deploy: runs-on: ubuntu-latest steps: - uses: azure/login@v3 with: creds: ${{ secrets.AZURE_CREDENTIALS }} environment: 'AzureStack' enable-AzPSSession: true ``` -------------------------------- ### Azure Login with Service Principal Secret (CLI Only) Source: https://github.com/azure/login/blob/master/README.md Workflow to log in using a service principal secret and run Azure CLI commands. ```yaml # File: .github/workflows/workflow.yml on: [push] name: Run Azure Login With a Service Principal Secret jobs: build-and-deploy: runs-on: ubuntu-latest steps: - uses: azure/login@v3 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show ``` -------------------------------- ### Azure Login with Individual Service Principal Secrets Source: https://github.com/azure/login/blob/master/README.md Alternative login method passing individual service principal credentials as separate secrets. ```yaml - uses: azure/login@v3 with: creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}' ``` -------------------------------- ### Azure Login Action - System-Assigned Managed Identity Authentication Source: https://context7.com/azure/login/llms.txt Instructions for logging in to Azure using a system-assigned managed identity, typically used for self-hosted runners on Azure VMs. ```APIDOC ## POST /azure/login (System-Assigned Managed Identity) ### Description Authenticates to Azure using a system-assigned managed identity. This method is suitable for self-hosted runners deployed on Azure Virtual Machines where the system-assigned managed identity is enabled. No client credentials need to be explicitly provided. ### Method POST ### Endpoint /azure/login ### Parameters #### Query Parameters - **auth-type** (string) - Required - Set to `IDENTITY` to use managed identity authentication. - **tenant-id** (string) - Required - Azure AD tenant ID. - **subscription-id** (string) - Optional - Azure subscription ID. If not provided, the default subscription will be used. ### Request Example ```yaml # File: .github/workflows/azure-system-identity.yml name: Azure System-Assigned Managed Identity Login on: [push] jobs: deploy: runs-on: self-hosted steps: - name: Azure Login with System-Assigned Identity uses: azure/login@v3 with: auth-type: "IDENTITY" tenant-id: "${{ secrets.AZURE_TENANT_ID }}" subscription-id: "${{ secrets.AZURE_SUBSCRIPTION_ID }}" - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az vm list --output table ``` ### Response #### Success Response (200) - **token** (string) - Authentication token for Azure. - **subscription** (object) - Details of the active Azure subscription. #### Response Example ```json { "token": "eyJ...".", "subscription": { "id": "00000000-0000-0000-0000-000000000000", "name": "MySubscription" } } ``` ``` -------------------------------- ### Run Azure Login with System-assigned Managed Identity Source: https://github.com/azure/login/blob/master/README.md Configures a GitHub Actions workflow to authenticate using a system-assigned managed identity on a self-hosted runner. ```yaml name: Run Azure Login with System-assigned Managed Identity on: [push] jobs: build-and-deploy: runs-on: self-hosted steps: - name: Azure login uses: azure/login@v3 with: auth-type: IDENTITY tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true # Azure CLI Action only supports linux self-hosted runners for now. # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`. - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Azure PowerShell script uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzContext Get-AzResourceGroup ``` -------------------------------- ### Login Without Subscription Source: https://context7.com/azure/login/llms.txt Allows tenant-level access without requiring a specific subscription, useful for Azure AD management tasks. ```yaml # File: .github/workflows/azure-no-subscription.yml name: Azure Login Without Subscription on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login (Tenant-Level) uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} allow-no-subscriptions: true - name: Run Azure AD Commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az ad user list --query "[].{Name:displayName, UPN:userPrincipalName}" --output table ``` -------------------------------- ### Azure Login with Service Principal Secret (CLI & PowerShell) Source: https://github.com/azure/login/blob/master/README.md Workflow to log in using a service principal secret and run both Azure CLI and Azure PowerShell commands. ```yaml # File: .github/workflows/workflow.yml on: [push] name: Run Azure Login With a Service Principal Secret jobs: build-and-deploy: runs-on: ubuntu-latest steps: - uses: azure/login@v3 with: creds: ${{ secrets.AZURE_CREDENTIALS }} enable-AzPSSession: true - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Azure PowerShell script uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzWebApp ``` -------------------------------- ### Enable Azure PowerShell Session Source: https://context7.com/azure/login/llms.txt Enables an Azure PowerShell session alongside the Azure CLI to allow execution of PowerShell cmdlets. ```yaml # File: .github/workflows/azure-powershell.yml name: Azure CLI and PowerShell Login on: [push] permissions: id-token: write contents: read jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login with PowerShell Enabled uses: azure/login@v3 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true - name: Run Azure CLI uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Run Azure PowerShell uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzContext Get-AzResourceGroup | Format-Table Name, Location ``` -------------------------------- ### Define Azure Credentials JSON Source: https://context7.com/azure/login/llms.txt The expected JSON structure for the AZURE_CREDENTIALS secret. ```json { "clientId": "00000000-0000-0000-0000-000000000000", "clientSecret": "your-client-secret", "subscriptionId": "00000000-0000-0000-0000-000000000000", "tenantId": "00000000-0000-0000-0000-000000000000" } ``` -------------------------------- ### Run Azure Login with User-assigned Managed Identity Source: https://github.com/azure/login/blob/master/README.md Configures a GitHub Actions workflow to authenticate using a user-assigned managed identity on a self-hosted runner. ```yaml name: Run Azure Login with User-assigned Managed Identity on: [push] jobs: build-and-deploy: runs-on: self-hosted steps: - name: Azure login uses: azure/login@v3 with: auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: true # Azure CLI Action only supports linux self-hosted runners for now. # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`. - name: Azure CLI script uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show - name: Azure PowerShell script uses: azure/powershell@v3 with: azPSVersion: "latest" inlineScript: | Get-AzContext ``` -------------------------------- ### Azure Login Action - Service Principal Secret Authentication Source: https://context7.com/azure/login/llms.txt This section details how to authenticate to Azure using a service principal with a client secret, suitable when OIDC is not an option. ```APIDOC ## POST /azure/login (Service Principal Secret) ### Description Authenticates to Azure using a service principal with a client secret. This method is used when OIDC authentication is not feasible. Ensure the service principal credentials are stored securely as a JSON object in GitHub secrets. ### Method POST ### Endpoint /azure/login ### Parameters #### Request Body - **creds** (string) - Required - JSON string containing service principal credentials (`clientId`, `clientSecret`, `subscriptionId`, `tenantId`). ### Request Example ```yaml # File: .github/workflows/azure-sp-login.yml name: Azure Service Principal Login on: [push] jobs: deploy: runs-on: ubuntu-latest steps: - name: Azure Login with Service Principal uses: azure/login@v3 with: creds: "${{ secrets.AZURE_CREDENTIALS }}" - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show az webapp list --output table ``` ### Request Body Example ```json { "clientId": "00000000-0000-0000-0000-000000000000", "clientSecret": "your-client-secret", "subscriptionId": "00000000-0000-0000-0000-000000000000", "tenantId": "00000000-0000-0000-0000-000000000000" } ``` ### Response #### Success Response (200) - **token** (string) - Authentication token for Azure. - **subscription** (object) - Details of the active Azure subscription. #### Response Example ```json { "token": "eyJ...".", "subscription": { "id": "00000000-0000-0000-0000-000000000000", "name": "MySubscription" } } ``` ``` -------------------------------- ### Authenticate with User-Assigned Managed Identity Source: https://context7.com/azure/login/llms.txt Uses a user-assigned managed identity for authentication in a self-hosted runner environment. ```yaml # File: .github/workflows/azure-user-identity.yml name: Azure User-Assigned Managed Identity Login on: [push] jobs: deploy: runs-on: self-hosted steps: - name: Azure Login with User-Assigned Identity uses: azure/login@v3 with: auth-type: IDENTITY client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - name: Run Azure CLI commands uses: azure/cli@v2 with: azcliversion: latest inlineScript: | az account show ``` -------------------------------- ### Azure Login Action Creds JSON Format Source: https://github.com/azure/login/blob/master/README.md The `creds` parameter accepts a JSON string containing service principal credentials. Ensure this is kept as a GitHub Action secret. ```json { "clientSecret": "******", "subscriptionId": "******", "tenantId": "******", "clientId": "******" } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.