From b04cd7ece0b46f77ceba1ac6d57b8be31a61e8db Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 22 May 2026 13:32:46 +0200
Subject: [PATCH] document ACR OIDC login with Azure Login
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 README.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/README.md b/README.md
index 98d0bfa..00a3a41 100644
--- a/README.md
+++ b/README.md
@@ -117,6 +117,8 @@ instead of a password.
 ### Azure Container Registry (ACR)
+#### Service principal
+
 [Create a service principal](https://docs.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal#create-a-service-principal) with access to your container registry through the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) and take note of the generated service principal's ID (also called _client ID_) 
@@ -144,6 +146,53 @@ jobs:
 > Replace `` with the name of your registry.
+#### OpenID Connect (OIDC)
+
+To authenticate with OpenID Connect, configure a federated identity credential
+for GitHub Actions and use the [Azure Login](https://github.com/Azure/login)
+action to sign in to Azure. Then expose an ACR access token and pass it to this
+action as the password.
+
+```yaml
+name: ci
+
+on:
+ push:
+ branches: main
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ login:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ name: Login to Azure
+ uses: azure/login@v3
+ with:
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ -
+ name: Get ACR access token
+ id: acr-token
+ run: |
+ ACR_TOKEN=$(az acr login --name --expose-token --output tsv --query accessToken)
+ echo "::add-mask::$ACR_TOKEN" # mask the token in workflow logs
+ echo "token=$ACR_TOKEN" >> "$GITHUB_OUTPUT"
+ -
+ name: Login to ACR
+ uses: docker/login-action@v4
+ with:
+ registry: .azurecr.io
+ username: 00000000-0000-0000-0000-000000000000
+ password: ${{ steps.acr-token.outputs.token }}
+```
+
+> Replace `` with the name of your registry.
+
 ### Google Container Registry (GCR)
 > [Google Artifact Registry](#google-artifact-registry-gar) is the evolution of