Azure Login Buildkite Plugin
A Buildkite plugin that authenticates to Azure using managed identity or service principal credentials.
Authentication Methods
This plugin supports two authentication methods:
-
Managed Identity - Uses Azure managed identity (
az login --identity). Ideal for agents running on Azure VMs or Azure Container Instances with assigned managed identities. -
Service Principal - Uses Azure service principal credentials (
az login --service-principal). Suitable for any environment where you have service principal credentials available.
Options
hook (optional, string)
Which Buildkite hook to run the Azure login in. Valid values are environment and pre-command.
Default: environment
use-identity (optional, boolean)
When set to true, authenticates using managed identity (az login --identity).
Default: false
client-id (optional, string)
The Application (client) ID for service principal authentication. When using managed identity with multiple identities assigned, this can be used to specify which identity to use.
client-secret (optional, string)
The client secret for service principal authentication. This can be either:
- A direct secret value
- An environment variable name containing the secret (the plugin will resolve it)
Required when using service principal authentication.
tenant-id (optional, string)
The Azure tenant ID. Required when using service principal authentication.
Examples
Managed Identity
Authenticate using the Azure managed identity assigned to the VM or container:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
plugins:
- azure-login#v1.0.1:
use-identity: trueManaged Identity with Specific Client ID
When multiple managed identities are assigned, specify which one to use:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
plugins:
- azure-login#v1.0.1:
use-identity: true
client-id: "00000000-0000-0000-0000-000000000000"Service Principal
Authenticate using service principal credentials:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
plugins:
- azure-login#v1.0.1:
client-id: "00000000-0000-0000-0000-000000000000"
client-secret: "your-client-secret"
tenant-id: "00000000-0000-0000-0000-000000000000"Service Principal with Environment Variable Secret
Use an environment variable to provide the client secret:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
env:
AZURE_CLIENT_SECRET: "your-client-secret"
plugins:
- azure-login#v1.0.1:
client-id: "00000000-0000-0000-0000-000000000000"
client-secret: "AZURE_CLIENT_SECRET"
tenant-id: "00000000-0000-0000-0000-000000000000"Using pre-command Hook
Run the Azure login in the pre-command hook instead of the environment hook:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
plugins:
- azure-login#v1.0.1:
hook: pre-command
use-identity: trueDebug Mode
Enable verbose logging for troubleshooting:
steps:
- label: ":azure: Deploy to Azure"
command: "az account show"
env:
BUILDKITE_PLUGIN_DEBUG: "true"
plugins:
- azure-login#v1.0.1:
use-identity: trueCompatibility
| Elastic Stack | Agent Stack K8s | Hosted (Mac) | Hosted (Linux) | Notes |
|---|---|---|---|---|
| ⚠️ | ⚠️ | ⚠️ | ⚠️ | Requires Azure CLI (az) to be installed and available to the agent |
Developing
Run all tests:
docker run -it --rm -v "$PWD:/plugin:ro" buildkite/plugin-testerValidate plugin structure:
docker run -it --rm -v "$PWD:/plugin:ro" buildkite/plugin-linter --id azure-login --path /pluginRun shellcheck:
shellcheck hooks/* lib/*License
MIT License. See LICENSE for details.
nienbo 
cevoaustralia 
