Unified cloud authentication for AWS, GCP, Azure (beta), plus registry login for ECR, GAR, ACR, and any Docker Registry v2 compatible registry (GHCR, Docker Hub, Quay, etc.) — with optional Kubernetes context setup.
- 🔐 One action for AWS / GCP / Azure (beta) auth
- 🔍 Auto-detect by image (e.g., `*.dkr.ecr.*.amazonaws.com`, `*.docker.pkg.dev`, `*.azurecr.io`, `ghcr.io`, `docker.io`, `quay.io`)
- ☸️ Kube context setup when `cluster` is provided (EKS/GKE/AKS)
- 🐳 Registry login for cloud registries (ECR/GAR/ACR) and standard registries (GHCR/Docker Hub/Quay/etc.)
- 📦 ECR repo ensure (optional) for AWS
- 📦 CodeArtifact package manager authentication (npm, pip, maven, gradle, etc.) for AWS
- 🔄 Works with OIDC (recommended) or keys/creds
Location model: use a single `location` input.

- AWS: region (e.g., `us-east-1`)
- GCP: location (`us`, `europe`, `asia`, `us-central1`, or `us-central1-a`)
- Azure: use `azure_resource_group` for AKS; `location` is not used for Azure.
## Usage

### Auto-detect from an image URL

```yaml
permissions:
  id-token: write   # for OIDC (AWS/GCP/Azure)
  contents: read
  packages: write   # only if you'll push to GHCR

- name: Cloud login (auto)
  uses: skyhook-io/cloud-login@v1
  with:
    image: 123456789.dkr.ecr.us-east-1.amazonaws.com/my-svc
    login_to_container_registry: true
    # Provide possible credentials (only the matching provider is used)
    aws_role_to_assume: ${{ vars.AWS_BUILD_ROLE }}
    gcp_workload_identity_provider: ${{ vars.WIF_PROVIDER }}
    gcp_service_account: ${{ vars.WIF_SA }}
    azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
    azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
    azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
```

### AWS with OIDC, EKS kubecontext and ECR login

```yaml
permissions:
  id-token: write
  contents: read

- uses: skyhook-io/cloud-login@v1
  with:
    provider: aws
    account: "123456789012"   # AWS account ID
    location: us-east-1
    cluster: eks-prod
    login_to_container_registry: true
    # Ensure one or more repos exist (comma-separated)
    repositories: backend,frontend
    # Can use full ARN or just role name (ARN will be constructed automatically)
    aws_role_to_assume: GitHubActionsRole   # or arn:aws:iam::123456789012:role/GitHubActionsRole
```

### AWS with access keys

```yaml
- uses: skyhook-io/cloud-login@v1
  with:
    provider: aws
    location: eu-central-1
    login_to_container_registry: true
    repositories: my-svc
    aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
    aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

### AWS CodeArtifact (npm)

```yaml
permissions:
  id-token: write
  contents: read

- uses: skyhook-io/cloud-login@v1
  with:
    provider: aws
    location: us-east-1
    aws_role_to_assume: ${{ vars.AWS_BUILD_ROLE }}
    aws_codeartifact_domain: my-artifacts
    aws_codeartifact_repository: npm-store
    aws_codeartifact_tool: npm
    aws_codeartifact_namespace: my-org   # Optional: specify namespace
- name: Install dependencies
  run: npm install
```

### AWS CodeArtifact (Maven)

```yaml
permissions:
  id-token: write
  contents: read

- uses: skyhook-io/cloud-login@v1
  with:
    provider: aws
    location: us-east-1
    aws_role_to_assume: ${{ vars.AWS_BUILD_ROLE }}
    aws_codeartifact_domain: my-artifacts
    aws_codeartifact_repository: maven-repo
    aws_codeartifact_tool: maven
    aws_codeartifact_namespace: com.mycompany   # Optional: specify namespace
- name: Build with Maven
  run: mvn clean install
```

Note: For Maven/Gradle, configure your `settings.xml` or `build.gradle` to use the `CODEARTIFACT_AUTH_TOKEN` and `CODEARTIFACT_REPO_URL` environment variables. See the login-aws README for detailed configuration examples.
### GCP with Workload Identity, GKE kubecontext and GAR login

```yaml
permissions:
  id-token: write
  contents: read

- uses: skyhook-io/cloud-login@v1
  with:
    provider: gcp
    account: my-project
    location: us-central1
    cluster: gke-prod
    login_to_container_registry: true
    gcp_workload_identity_provider: ${{ vars.WIF_PROVIDER }}
    gcp_service_account: ${{ vars.WIF_SA }}
```

### Azure with a Service Principal, AKS kubecontext and ACR login

```yaml
permissions:
  id-token: write
  contents: read

- uses: skyhook-io/cloud-login@v1
  with:
    provider: azure
    account: ${{ vars.AZURE_SUBSCRIPTION_ID }}   # or set azure_subscription_id
    azure_resource_group: my-rg
    cluster: aks-prod
    login_to_container_registry: true
    acr_registry: myacrname
    azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
    azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
    azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
```

### GHCR

```yaml
permissions:
  id-token: write
  contents: read
  packages: write

- uses: skyhook-io/cloud-login@v1
  with:
    provider: github
    login_to_container_registry: true
    # github_token defaults to GITHUB_TOKEN
```

### Docker Hub

```yaml
- uses: skyhook-io/cloud-login@v1
  with:
    provider: dockerhub
    login_to_container_registry: true
    dockerhub_username: ${{ secrets.DOCKERHUB_USERNAME }}
    dockerhub_token: ${{ secrets.DOCKERHUB_TOKEN }}
```

### Quay

```yaml
- uses: skyhook-io/cloud-login@v1
  with:
    provider: quay
    login_to_container_registry: true
    quay_username: ${{ secrets.QUAY_USERNAME }}   # e.g., myorg+robot
    quay_token: ${{ secrets.QUAY_TOKEN }}
```

### Any Docker Registry v2 compatible registry

```yaml
# Preferred: use the generic registry_* inputs for any Docker Registry v2 compatible registry
- uses: skyhook-io/cloud-login@v1
  with:
    login_to_container_registry: true
    registry_server: registry.example.com
    registry_username: ${{ secrets.REGISTRY_USERNAME }}
    registry_password: ${{ secrets.REGISTRY_PASSWORD }}
```

## Inputs

| Input | Description | Required When |
|---|---|---|
| `image` | Image URL to auto-detect provider/account/location/registry | If you prefer auto-detect |
| `provider` | One of `aws`, `gcp`, `azure`, `github`, `dockerhub`, `quay`, `registry` | If not using `image` |
| `account` | AWS account ID / GCP project ID / Azure subscription ID | GCP with GKE or GAR; Azure; optional for AWS (resolved via STS) |
| `location` | AWS: region. GCP: location (`us`, `europe`, `asia`, `us-central1`, `us-central1-a`). | AWS/GCP when cluster or registry login is used |
| `cluster` | Kubernetes cluster name (EKS/GKE/AKS) | If you want kubecontext configured |
| `login_to_container_registry` | `true`/`false` (default `false`) | If you want registry login |
| `repositories` | AWS ECR repos to ensure exist (comma-separated) | Optional (AWS only) |
| `acr_registry` | Azure ACR name (e.g., `myacrname`) | Required if Azure + registry login |
### AWS auth

- `aws_role_to_assume` - IAM role ARN or role name (recommended OIDC method)
  - Can be a full ARN: `arn:aws:iam::123456789012:role/GitHubActionsRole`
  - Or just the role name: `GitHubActionsRole` (requires `account` to be set)
- `aws_access_key_id` + `aws_secret_access_key` - Alternative auth method
- Optional: `aws_session_duration` (default `3600`)

### AWS CodeArtifact (package manager authentication)

- `aws_codeartifact_domain` - Domain name
- `aws_codeartifact_repository` - Repository name
- `aws_codeartifact_tool` - Tool to configure (`npm`, `pip`, `twine`, `dotnet`, `nuget`, `swift`, `maven`, `gradle`)
- Optional: `aws_codeartifact_region` (defaults to `location`), `aws_codeartifact_domain_owner` (defaults to the authenticated account), `aws_codeartifact_duration` (default `43200` = 12 hours), `aws_codeartifact_namespace` (namespace for the repository), `aws_codeartifact_output_token` (default `false`; set to `true` for Docker builds)

Note: For Maven/Gradle, this action always exports the `CODEARTIFACT_AUTH_TOKEN` and `CODEARTIFACT_REPO_URL` environment variables. For other tools (npm, pip, etc.), set `aws_codeartifact_output_token: 'true'` to get token-based auth (useful for Docker builds). See the login-aws action README for configuration examples.

### GCP auth

- `gcp_workload_identity_provider` + `gcp_service_account`, or `gcp_credentials_json`

### Azure auth

- `azure_client_id`, `azure_client_secret`, `azure_tenant_id` (Service Principal)
- Alternative: Managed Identity (via `azure/login@v2` without client/secret; subscription ID still needed)
- `azure_subscription_id` (alias for `account`), `azure_resource_group` (for AKS)

### Standard Docker registries (recommended approach)

- `registry_server`, `registry_username`, `registry_password` - Works with any Docker Registry v2 API

### Registry-specific aliases (for convenience)

- `github_token` (defaults to `GITHUB_TOKEN` for GHCR)
- `dockerhub_username`, `dockerhub_token` (aliases for `registry_*` when `provider=dockerhub`)
- `quay_username`, `quay_token` (aliases for `registry_*` when `provider=quay`)
## Outputs

| Output | Description |
|---|---|
| `account_id` | Resolved cloud account/subscription/project (or `unknown` for standard registries) |
| `registry_url` | Base registry URL (e.g., `123456789.dkr.ecr.us-east-1.amazonaws.com`, `us-docker.pkg.dev/my-project`, `myacr.azurecr.io`, `quay.io`) |
| `kubectl_context` | The current kubectl context (if `cluster` given) |
| `authenticated` | `"true"` if the action completed without auth errors |
## How it works

- Parse (optional) — if `image` is set, auto-detect provider/account/location/repo.
- Normalize & validate minimal inputs based on what you want (kubecontext, registry login).
- Prepare credentials — for AWS, automatically construct the full IAM role ARN if only the role name is provided (using the `account` input).
- Authenticate to the cloud using OIDC (recommended) or credentials.
- Kubecontext — if `cluster` is set, configure the EKS/GKE/AKS context.
- Registry login — if enabled, log in to cloud-native registries (ECR/GAR/ACR) or standard Docker registries (GHCR/Docker Hub/Quay/etc.); ensure ECR repos if requested.
- Outputs — emit `account_id`, `registry_url`, `kubectl_context`, `authenticated`.
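The parse and prepare-credentials steps above, as an added Python illustration (not the action's own code): the host patterns and the output shape follow the README's auto-detect list and Outputs table, and the Docker Hub default for bare image names is assumed from the docker CLI's naming rule.

```python
import re

# Host patterns taken from the README's auto-detect list (constructed for this
# example; they are not the action's own matching code).
ECR_RE = re.compile(r"^(?P<account>\d+)\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$")
GAR_RE = re.compile(r"^(?P<location>[a-z0-9-]+)-docker\.pkg\.dev$")
ACR_RE = re.compile(r"^(?P<name>[a-z0-9]+)\.azurecr\.io$")
WELL_KNOWN = {"ghcr.io": "github", "docker.io": "dockerhub", "quay.io": "quay"}


def split_image(image):
    """Return (host, path). Docker CLI rule (assumed): the first segment is a
    registry host only if it contains '.' or ':' or is 'localhost'."""
    first, slash, rest = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower(), rest
    return "docker.io", image


def detect(image):
    """Map an image reference to provider/account/location/registry_url.
    account/location stay None when the host does not carry them, so the
    caller must pass those as inputs (e.g. the Azure subscription ID)."""
    host, path = split_image(image)
    result = {"provider": "registry", "account": None, "location": None,
              "registry_url": host}
    if m := ECR_RE.match(host):
        result.update(provider="aws", account=m["account"], location=m["region"])
    elif m := GAR_RE.match(host):
        # GAR's registry_url includes the project (first path segment).
        project = path.split("/", 1)[0] if path else None
        result.update(provider="gcp", account=project, location=m["location"],
                      registry_url=f"{host}/{project}" if project else host)
    elif m := ACR_RE.match(host):
        # Only the ACR name is derivable from the host, not the subscription.
        result.update(provider="azure", acr_registry=m["name"])
    elif host in WELL_KNOWN:
        result["provider"] = WELL_KNOWN[host]
    return result


def role_arn(role, account):
    """Prepare-credentials step: keep a full IAM role ARN as-is, or build one
    from a bare role name plus the 'account' input."""
    if role.startswith("arn:aws:iam::"):
        return role
    if not account:
        raise ValueError("account is required when aws_role_to_assume is a bare role name")
    return f"arn:aws:iam::{account}:role/{role}"
```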
## Permissions

- GHCR: pushing requires `permissions: packages: write`.
- AWS OIDC: allow `sts:AssumeRoleWithWebIdentity`; ECR login requires basic ECR permissions; repo creation needs `ecr:CreateRepository`.
- AWS CodeArtifact: requires `codeartifact:GetAuthorizationToken`, `codeartifact:GetRepositoryEndpoint`, `codeartifact:ReadFromRepository`, and `sts:GetServiceBearerToken` (with a condition for `codeartifact.amazonaws.com`); publishing needs `codeartifact:PublishPackageVersion` and `codeartifact:PutPackageMetadata`.
- GCP: GAR needs `roles/artifactregistry.writer` (push) or `reader` (pull); GKE needs `container.clusterViewer`.
- Azure: ACR `AcrPull`/`AcrPush` as needed; AKS cluster user permissions for kubecontext.

Runners should have `aws`, `gcloud`, `az`, and `kubectl` available (GitHub-hosted Ubuntu runners do).
## Troubleshooting

- GAR host mismatch: use a correct `location`. The host is `<location>-docker.pkg.dev` (except the multi-region literals `us|europe|asia`).
- "Region required" errors: provide `location` whenever you use EKS/GKE or registry login on AWS/GCP.
- Azure ACR: you must provide `acr_registry` (we don't guess).