login: Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner.

Hi, I also commented on a closed issue https://github.com/Azure/login/issues/203. This issue is not fixed for me in @1.4.3 (and not working with @v1 reference either). Error is exactly the same as in the first message.

  1. Credentials are for sure working fine, executed az login --service-principal -u <xx> --tenant <xx> -p <xx> postfixed with az account set --subscription <xx> locally using the same creds which is in my repo secrets, cli login performed successfully
  2. Attaching debug logs of workflow execution here (the main point was to find out az cli version for local comparison) azure-cli-workflow-run.txt

Please advise! Thanks

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Comments: 51 (12 by maintainers)

Most upvoted comments

FWIW, I hit the same problem and struggled through it, following various bits and pieces of what I read in this bug and this one as well. The root cause for me was that the JSON that you paste into the GitHub “repository secret” MUST have the keys exactly as shown:

{ “clientId”: “AAA”, “clientSecret”: “BBB”, “tenantId”: “CCC”, “subscriptionId”: “DDD” }

not sure if the order matters (probably not), but originally the output of the service principal that I created had a different set of keys - e.g.:

{ “appId”: “AAA”, “name”: “BBB”, “password”: “CCC”, “tenant”: “DDD” }

so, I “transformed” the JSON - removed “name”, added “subscriptionId”, and changed the names of the other three keys - and it is working for me now.

This way helps me to solve this problem. Hope it will help. https://github.com/marketplace/actions/azure-login#configure-a-service-principal-with-a-secret

  - uses: azure/login@v1
      creds: '{"clientId":"${{ secrets.CLIENT_ID }}","clientSecret":"${{ secrets.CLIENT_SECRET }}","subscriptionId":"${{ secrets.SUBSCRIPTION_ID }}","tenantId":"${{ secrets.TENANT_ID }}"}'
      allow-no-subscriptions: true

For me, the problem was that I was testing locally with act which doesn’t have the Azure CLI installed as opposed to Ubuntu based GitHub Shared Runners. In such cases, simply install Azure CLI beforehand.

Just an update: changing the “uses” to “azure/actions/login@v1” seems to work, but I’m not sure why. This still seems like a bug to me.


@BALAGA-GAYATRI thanks. yes, creating a new service principal via “az ad sp create-for-rbac” with the --sdk-auth option will output the correct keys. In my case, I was using an existing service principal and did not want to generate a new one, so just pointing out how I got that to work for me.

@roalexan This is due to the removal of --sdk-auth in your rbac command for SPN creation. When you add that flag ,your problem should be solved. In order to avoid this confusion for the users, we have documented it here. Do let us know if that works.

Also try changing the resource group, subscription (create a new one may be) and change the SPN name also and see if it works. I just created new credentials and tested with both 2.34.1 and 2.33.1 CLI and both are working for me with azure/login@v1 .

@mikhail-teslya We are working on the issue and keep you posted. Changed the label to bug

Yes, everything is working here, just telling to the author maybe he did the same mistake.


I had the same problem I just ran it from my repo and the exception is: Error: Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.

But the JSON output from az ad sp create-for-rbac had the following keys:

  "appId": ...
  "displayName": ...,
  "name": ...,
  "password": ...,
  "tenant": ...

In my case I just forgot to add the arg--sdk-auth on az ad sp create-for-rbac