How to use cosign with Azure Key Vault for container image signing in GitHub Actions workflow

I’m trying to set up automated signing for my container images using cosign and Azure Key Vault in my GitHub Actions pipeline. On my development machine, everything works fine when I run the signing command locally.

The local command that works:

cosign sign --key azurekms://mystore.vault.azure.net/signing-key mycontainer

However, when I try to run the same process in GitHub Actions, I get authentication errors. My workflow successfully authenticates with Azure using OIDC and I can list keys from the vault, but cosign fails with a token refresh error.

Here’s the error I’m getting:

cosign sign --key azurekms://MyStore.vault.azure.net/SigningKey mycontainer@digest
Error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token
StatusCode=400 -- Original Error: adal: Refresh request failed
Response body: {"error":"invalid_request","error_description":"Identity not found"}

My GitHub Actions workflow looks like this:

name: Build-and-Sign
on:
  push:

permissions:
  id-token: write
  contents: read
  packages: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Get code
        uses: actions/checkout@v3

      - name: Setup cosign
        uses: sigstore/cosign-installer@v3

      - name: Configure Docker buildx
        uses: docker/setup-buildx-action@v2

      - name: Docker Hub login
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Azure authentication
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.CLIENT_ID }}
          tenant-id: ${{ secrets.TENANT_ID }}
          subscription-id: ${{ secrets.SUBSCRIPTION_ID }}

      - name: Create and push image
        id: build-step
        uses: docker/build-push-action@v4
        with:
          # push is required so the image (and its digest) exists in the registry for cosign to sign
          push: true
          tags: ${{ github.actor }}/mycontainer:${{ github.ref_name }}

      - name: Sign container image
        run: |
          # This works fine
          az keyvault key list --id ${{ secrets.KEY_VAULT_URI }}
          # This fails
          # sign by the immutable digest emitted by the build step, not by a tag or branch name
          cosign sign --key ${{ secrets.KEY_VAULT_URI }} ${{ github.actor }}/mycontainer@${{ steps.build-step.outputs.digest }}

I’ve tried both service principal authentication with secrets and OIDC federated credentials, but both approaches give the same result. The Azure CLI commands work perfectly, but cosign cannot authenticate properly. Has anyone solved this issue before?

Had the same issue last month. Cosign uses a different auth flow than Azure CLI - it needs AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID set as env vars explicitly. Try adding those environment variables to your signing step even though you already ran azure login.
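The helper below is an added example, not code from this thread or from the cosign project. It is a POSIX shell script for the signing step that (a) refuses to sign anything but a full sha256 digest, which a step that puts a branch name after the `@` would get wrong, (b) validates the azurekms:// key reference in the form used in the question (public-cloud `*.vault.azure.net` hosts), and (c) confirms the AZURE_* variables the reply above recommends are present before cosign is invoked. The inputs RUN_SIGN, KEY_VAULT_URI, IMAGE and DIGEST are assumed names for this example; the federated-token-file variant (AZURE_FEDERATED_TOKEN_FILE) is the Azure SDK's workload-identity path, and whether a given cosign release honours it is an assumption to check against that release.

```shell
#!/bin/sh
# Added example (not from the original thread): guard rails for a cosign +
# Azure Key Vault signing step in GitHub Actions.
set -eu

# Return the immutable reference to sign: <repository>@sha256:<digest>.
# A tag (e.g. a branch name from github.ref_name) is mutable and must not be
# used in place of the digest. The digest is expected in the form emitted by
# docker/build-push-action's `digest` output.
image_ref_by_digest() {
  image="$1"; digest="$2"
  if ! printf '%s' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "refusing to sign: '$digest' is not a full sha256 digest" >&2
    return 1
  fi
  # Drop a trailing ':tag' but keep a registry port such as localhost:5000/.
  repo=$(printf '%s' "$image" | sed -E 's#:[^/]*$##')
  printf '%s@%s\n' "$repo" "$digest"
}

# Validate a cosign Azure KMS key reference (azurekms://<vault host>/<key name>)
# and print the key name, so a mistyped secret fails before cosign runs.
azurekms_key_name() {
  ref="$1"
  case "$ref" in
    azurekms://*.vault.azure.net/*) ;;
    *) echo "not an azurekms key reference: $ref" >&2; return 1 ;;
  esac
  name="${ref##*/}"
  [ -n "$name" ] || { echo "key name missing in $ref" >&2; return 1; }
  printf '%s\n' "$name"
}

# Check that the Azure SDK credential chain has a complete set of variables:
# AZURE_CLIENT_ID and AZURE_TENANT_ID plus either a client secret
# (AZURE_CLIENT_SECRET) or a readable federated token file
# (AZURE_FEDERATED_TOKEN_FILE, assumed here to hold the GitHub OIDC token).
azure_env_ok() {
  [ -n "${AZURE_CLIENT_ID:-}" ] && [ -n "${AZURE_TENANT_ID:-}" ] || return 1
  if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
    return 0
  fi
  [ -n "${AZURE_FEDERATED_TOKEN_FILE:-}" ] && [ -r "$AZURE_FEDERATED_TOKEN_FILE" ]
}

# Compose the signing command as text (for logging / dry runs).
cosign_sign_cmd() {
  key_ref="$1"; image="$2"; digest="$3"
  azurekms_key_name "$key_ref" >/dev/null
  ref=$(image_ref_by_digest "$image" "$digest")
  printf 'cosign sign --key %s %s\n' "$key_ref" "$ref"
}

# In the workflow step, run with RUN_SIGN=1 and KEY_VAULT_URI, IMAGE, DIGEST
# set (DIGEST from the build step's digest output). Assumed variable names.
if [ "${RUN_SIGN:-0}" = "1" ]; then
  azure_env_ok || {
    echo "AZURE_CLIENT_ID/AZURE_TENANT_ID plus AZURE_CLIENT_SECRET or AZURE_FEDERATED_TOKEN_FILE are required" >&2
    exit 1
  }
  echo "running: $(cosign_sign_cmd "$KEY_VAULT_URI" "$IMAGE" "$DIGEST")"
  cosign sign --key "$KEY_VAULT_URI" "$(image_ref_by_digest "$IMAGE" "$DIGEST")"
fi
```

Each check fails closed before cosign is reached, so a misconfigured secret or a tag passed where a digest belongs shows up as a clear message in the job log rather than as a signature over the wrong artifact.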
