Azure Active Directory (Azure AD) v6.4.0 published on Monday, Apr 7, 2025 by Pulumi

azuread.ApplicationFederatedIdentityCredential


Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as azuread from "@pulumi/azuread";

// Application registration that the external workload will authenticate as.
const appRegistration = new azuread.ApplicationRegistration("example", {
    displayName: "example",
});

// Trust settings for the token exchange. Whatever access the application has
// becomes available to any workload whose token satisfies these claims, so
// keep the application's role assignments and the subject as narrow as possible.
const githubDeployTrust: azuread.ApplicationFederatedIdentityCredentialArgs = {
    applicationId: appRegistration.id,
    displayName: "my-repo-deploy",
    description: "Deployments for my-repo",
    // Value accepted in the `aud` claim of the incoming token.
    audiences: ["api://AzureADTokenExchange"],
    // Must match the issuer claim of the external token (here GitHub Actions' OIDC issuer).
    issuer: "https://token.actions.githubusercontent.com",
    // Identifies the external workload: one repository, limited to its `prod`
    // environment. Restrict who can deploy to that environment on the GitHub
    // side, since jobs running in it receive a matching subject.
    subject: "repo:my-organization/my-repo:environment:prod",
};

const deployCredential = new azuread.ApplicationFederatedIdentityCredential("example", githubDeployTrust);
import pulumi
import pulumi_azuread as azuread

# Application registration that the external workload will authenticate as.
app_registration = azuread.ApplicationRegistration("example", display_name="example")

# Trust settings for the token exchange. Any workload whose token satisfies
# these claims can act as the application, so keep the application's role
# assignments and the subject as narrow as possible.
github_deploy_trust = azuread.ApplicationFederatedIdentityCredentialArgs(
    application_id=app_registration.id,
    display_name="my-repo-deploy",
    description="Deployments for my-repo",
    # Value accepted in the `aud` claim of the incoming token.
    audiences=["api://AzureADTokenExchange"],
    # Must match the issuer claim of the external token (here GitHub Actions' OIDC issuer).
    issuer="https://token.actions.githubusercontent.com",
    # Identifies the external workload: one repository, limited to its `prod`
    # environment. Restrict who can deploy to that environment on the GitHub
    # side, since jobs running in it receive a matching subject.
    subject="repo:my-organization/my-repo:environment:prod",
)

deploy_credential = azuread.ApplicationFederatedIdentityCredential("example", github_deploy_trust)
package main

import (
	"github.com/pulumi/pulumi-azuread/sdk/v6/go/azuread"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main registers an application and attaches a federated identity credential
// that lets a GitHub Actions workflow exchange its OIDC token for an Azure AD
// token as that application.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		app, err := azuread.NewApplicationRegistration(ctx, "example", &azuread.ApplicationRegistrationArgs{
			DisplayName: pulumi.String("example"),
		})
		if err != nil {
			return err
		}

		// Trust settings for the token exchange. Any workload whose token
		// satisfies these claims can act as the application, so keep the
		// application's role assignments and the subject as narrow as possible.
		trust := &azuread.ApplicationFederatedIdentityCredentialArgs{
			ApplicationId: app.ID(),
			DisplayName:   pulumi.String("my-repo-deploy"),
			Description:   pulumi.String("Deployments for my-repo"),
			// Value accepted in the `aud` claim of the incoming token.
			Audiences: pulumi.StringArray{
				pulumi.String("api://AzureADTokenExchange"),
			},
			// Must match the issuer claim of the external token.
			Issuer: pulumi.String("https://token.actions.githubusercontent.com"),
			// One repository, limited to its `prod` environment; restrict who
			// can deploy to that environment on the GitHub side.
			Subject: pulumi.String("repo:my-organization/my-repo:environment:prod"),
		}

		// Only the error matters here; the created resource is not used further.
		_, err = azuread.NewApplicationFederatedIdentityCredential(ctx, "example", trust)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AzureAD = Pulumi.AzureAD;

return await Deployment.RunAsync(() =>
{
    // Application registration that the external workload will authenticate as.
    var appRegistration = new AzureAD.ApplicationRegistration("example", new AzureAD.ApplicationRegistrationArgs
    {
        DisplayName = "example",
    });

    // Trust settings for the token exchange. Any workload whose token satisfies
    // these claims can act as the application, so keep the application's role
    // assignments and the subject as narrow as possible.
    var githubDeployTrust = new AzureAD.ApplicationFederatedIdentityCredentialArgs
    {
        ApplicationId = appRegistration.Id,
        DisplayName = "my-repo-deploy",
        Description = "Deployments for my-repo",
        // Value accepted in the `aud` claim of the incoming token.
        Audiences = new[]
        {
            "api://AzureADTokenExchange",
        },
        // Must match the issuer claim of the external token.
        Issuer = "https://token.actions.githubusercontent.com",
        // One repository, limited to its `prod` environment; restrict who can
        // deploy to that environment on the GitHub side.
        Subject = "repo:my-organization/my-repo:environment:prod",
    };

    var deployCredential = new AzureAD.ApplicationFederatedIdentityCredential("example", githubDeployTrust);
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.azuread.ApplicationRegistration;
import com.pulumi.azuread.ApplicationRegistrationArgs;
import com.pulumi.azuread.ApplicationFederatedIdentityCredential;
import com.pulumi.azuread.ApplicationFederatedIdentityCredentialArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/**
 * Pulumi program that registers an application and attaches a federated
 * identity credential trusting tokens issued to a GitHub Actions workflow.
 */
public class App {
    /** Entry point: hands the stack definition to the Pulumi runtime. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the application registration and its federated identity credential.
     *
     * @param ctx the Pulumi deployment context (not read by this stack)
     */
    public static void stack(Context ctx) {
        final var registrationArgs = ApplicationRegistrationArgs.builder()
            .displayName("example")
            .build();
        final var appRegistration = new ApplicationRegistration("example", registrationArgs);

        // Trust settings for the token exchange. Any workload whose token
        // satisfies these claims can act as the application, so keep the
        // application's role assignments and the subject as narrow as possible.
        final var githubDeployTrust = ApplicationFederatedIdentityCredentialArgs.builder()
            .applicationId(appRegistration.id())
            .displayName("my-repo-deploy")
            .description("Deployments for my-repo")
            // Value accepted in the `aud` claim of the incoming token.
            .audiences("api://AzureADTokenExchange")
            // Must match the issuer claim of the external token.
            .issuer("https://token.actions.githubusercontent.com")
            // One repository, limited to its `prod` environment; restrict who
            // can deploy to that environment on the GitHub side.
            .subject("repo:my-organization/my-repo:environment:prod")
            .build();

        final var deployCredential = new ApplicationFederatedIdentityCredential(
            "exampleApplicationFederatedIdentityCredential", githubDeployTrust);
    }
}
resources:
  # Application registration that the external workload will authenticate as.
  example:
    type: azuread:ApplicationRegistration
    properties:
      displayName: example
  # Federated identity credential: any workload whose token satisfies the
  # claims below can act as the application, so keep the application's role
  # assignments and the subject as narrow as possible.
  exampleApplicationFederatedIdentityCredential:
    type: azuread:ApplicationFederatedIdentityCredential
    name: example
    properties:
      applicationId: ${example.id}
      displayName: my-repo-deploy
      description: Deployments for my-repo
      # Value accepted in the `aud` claim of the incoming token.
      audiences:
        - api://AzureADTokenExchange
      # Must match the issuer claim of the external token.
      issuer: https://token.actions.githubusercontent.com
      # One repository, limited to its `prod` environment; restrict who can
      # deploy to that environment on the GitHub side.
      subject: repo:my-organization/my-repo:environment:prod

Create ApplicationFederatedIdentityCredential Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new ApplicationFederatedIdentityCredential(name: string, args: ApplicationFederatedIdentityCredentialArgs, opts?: CustomResourceOptions);
@overload
def ApplicationFederatedIdentityCredential(resource_name: str,
                                           args: ApplicationFederatedIdentityCredentialArgs,
                                           opts: Optional[ResourceOptions] = None)

@overload
def ApplicationFederatedIdentityCredential(resource_name: str,
                                           opts: Optional[ResourceOptions] = None,
                                           application_id: Optional[str] = None,
                                           audiences: Optional[Sequence[str]] = None,
                                           display_name: Optional[str] = None,
                                           issuer: Optional[str] = None,
                                           subject: Optional[str] = None,
                                           description: Optional[str] = None)
func NewApplicationFederatedIdentityCredential(ctx *Context, name string, args ApplicationFederatedIdentityCredentialArgs, opts ...ResourceOption) (*ApplicationFederatedIdentityCredential, error)
public ApplicationFederatedIdentityCredential(string name, ApplicationFederatedIdentityCredentialArgs args, CustomResourceOptions? opts = null)
public ApplicationFederatedIdentityCredential(String name, ApplicationFederatedIdentityCredentialArgs args)
public ApplicationFederatedIdentityCredential(String name, ApplicationFederatedIdentityCredentialArgs args, CustomResourceOptions options)
type: azuread:ApplicationFederatedIdentityCredential
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. ApplicationFederatedIdentityCredentialArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. ApplicationFederatedIdentityCredentialArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. ApplicationFederatedIdentityCredentialArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. ApplicationFederatedIdentityCredentialArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. ApplicationFederatedIdentityCredentialArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var applicationFederatedIdentityCredentialResource = new AzureAD.ApplicationFederatedIdentityCredential("applicationFederatedIdentityCredentialResource", new()
{
    ApplicationId = "string",
    Audiences = new[]
    {
        "string",
    },
    DisplayName = "string",
    Issuer = "string",
    Subject = "string",
    Description = "string",
});
example, err := azuread.NewApplicationFederatedIdentityCredential(ctx, "applicationFederatedIdentityCredentialResource", &azuread.ApplicationFederatedIdentityCredentialArgs{
	ApplicationId: pulumi.String("string"),
	Audiences: pulumi.StringArray{
		pulumi.String("string"),
	},
	DisplayName: pulumi.String("string"),
	Issuer:      pulumi.String("string"),
	Subject:     pulumi.String("string"),
	Description: pulumi.String("string"),
})
var applicationFederatedIdentityCredentialResource = new ApplicationFederatedIdentityCredential("applicationFederatedIdentityCredentialResource", ApplicationFederatedIdentityCredentialArgs.builder()
    .applicationId("string")
    .audiences("string")
    .displayName("string")
    .issuer("string")
    .subject("string")
    .description("string")
    .build());
application_federated_identity_credential_resource = azuread.ApplicationFederatedIdentityCredential("applicationFederatedIdentityCredentialResource",
    application_id="string",
    audiences=["string"],
    display_name="string",
    issuer="string",
    subject="string",
    description="string")
const applicationFederatedIdentityCredentialResource = new azuread.ApplicationFederatedIdentityCredential("applicationFederatedIdentityCredentialResource", {
    applicationId: "string",
    audiences: ["string"],
    displayName: "string",
    issuer: "string",
    subject: "string",
    description: "string",
});
type: azuread:ApplicationFederatedIdentityCredential
properties:
    applicationId: string
    audiences:
        - string
    description: string
    displayName: string
    issuer: string
    subject: string

ApplicationFederatedIdentityCredential Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The ApplicationFederatedIdentityCredential resource accepts the following input properties:

ApplicationId
This property is required.
Changes to this property will trigger replacement.
string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
Audiences This property is required. List<string>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
DisplayName
This property is required.
Changes to this property will trigger replacement.
string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
Issuer This property is required. string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
Subject This property is required. string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
Description string
A description for the federated identity credential.
ApplicationId
This property is required.
Changes to this property will trigger replacement.
string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
Audiences This property is required. []string
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
DisplayName
This property is required.
Changes to this property will trigger replacement.
string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
Issuer This property is required. string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
Subject This property is required. string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
Description string
A description for the federated identity credential.
applicationId
This property is required.
Changes to this property will trigger replacement.
String
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences This property is required. List<String>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
displayName
This property is required.
Changes to this property will trigger replacement.
String
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer This property is required. String
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject This property is required. String
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
description String
A description for the federated identity credential.
applicationId
This property is required.
Changes to this property will trigger replacement.
string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences This property is required. string[]
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
displayName
This property is required.
Changes to this property will trigger replacement.
string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer This property is required. string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject This property is required. string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
description string
A description for the federated identity credential.
application_id
This property is required.
Changes to this property will trigger replacement.
str
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences This property is required. Sequence[str]
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
display_name
This property is required.
Changes to this property will trigger replacement.
str
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer This property is required. str
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject This property is required. str
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
description str
A description for the federated identity credential.
applicationId
This property is required.
Changes to this property will trigger replacement.
String
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences This property is required. List<String>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
displayName
This property is required.
Changes to this property will trigger replacement.
String
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer This property is required. String
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject This property is required. String
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
description String
A description for the federated identity credential.

Outputs

All input properties are implicitly available as output properties. Additionally, the ApplicationFederatedIdentityCredential resource produces the following output properties:

CredentialId string
A UUID used to uniquely identify this federated identity credential.
Id string
The provider-assigned unique ID for this managed resource.
CredentialId string
A UUID used to uniquely identify this federated identity credential.
Id string
The provider-assigned unique ID for this managed resource.
credentialId String
A UUID used to uniquely identify this federated identity credential.
id String
The provider-assigned unique ID for this managed resource.
credentialId string
A UUID used to uniquely identify this federated identity credential.
id string
The provider-assigned unique ID for this managed resource.
credential_id str
A UUID used to uniquely identify this federated identity credential.
id str
The provider-assigned unique ID for this managed resource.
credentialId String
A UUID used to uniquely identify this federated identity credential.
id String
The provider-assigned unique ID for this managed resource.

Look up Existing ApplicationFederatedIdentityCredential Resource

Get an existing ApplicationFederatedIdentityCredential resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: ApplicationFederatedIdentityCredentialState, opts?: CustomResourceOptions): ApplicationFederatedIdentityCredential
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        application_id: Optional[str] = None,
        audiences: Optional[Sequence[str]] = None,
        credential_id: Optional[str] = None,
        description: Optional[str] = None,
        display_name: Optional[str] = None,
        issuer: Optional[str] = None,
        subject: Optional[str] = None) -> ApplicationFederatedIdentityCredential
func GetApplicationFederatedIdentityCredential(ctx *Context, name string, id IDInput, state *ApplicationFederatedIdentityCredentialState, opts ...ResourceOption) (*ApplicationFederatedIdentityCredential, error)
public static ApplicationFederatedIdentityCredential Get(string name, Input<string> id, ApplicationFederatedIdentityCredentialState? state, CustomResourceOptions? opts = null)
public static ApplicationFederatedIdentityCredential get(String name, Output<String> id, ApplicationFederatedIdentityCredentialState state, CustomResourceOptions options)
# Look up an existing federated identity credential by its provider ID.
resources:
  _:
    type: azuread:ApplicationFederatedIdentityCredential
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
ApplicationId Changes to this property will trigger replacement. string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
Audiences List<string>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
CredentialId string
A UUID used to uniquely identify this federated identity credential.
Description string
A description for the federated identity credential.
DisplayName Changes to this property will trigger replacement. string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
Issuer string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
Subject string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
ApplicationId Changes to this property will trigger replacement. string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
Audiences []string
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
CredentialId string
A UUID used to uniquely identify this federated identity credential.
Description string
A description for the federated identity credential.
DisplayName Changes to this property will trigger replacement. string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
Issuer string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
Subject string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
applicationId Changes to this property will trigger replacement. String
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences List<String>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
credentialId String
A UUID used to uniquely identify this federated identity credential.
description String
A description for the federated identity credential.
displayName Changes to this property will trigger replacement. String
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer String
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject String
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
applicationId Changes to this property will trigger replacement. string
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences string[]
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
credentialId string
A UUID used to uniquely identify this federated identity credential.
description string
A description for the federated identity credential.
displayName Changes to this property will trigger replacement. string
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer string
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject string
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
application_id Changes to this property will trigger replacement. str
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences Sequence[str]
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
credential_id str
A UUID used to uniquely identify this federated identity credential.
description str
A description for the federated identity credential.
display_name Changes to this property will trigger replacement. str
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer str
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject str
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.
applicationId Changes to this property will trigger replacement. String
The resource ID of the application for which this federated identity credential should be created. Changing this field forces a new resource to be created.
audiences List<String>
List of audiences that can appear in the external token. This specifies what should be accepted in the aud claim of incoming tokens.
credentialId String
A UUID used to uniquely identify this federated identity credential.
description String
A description for the federated identity credential.
displayName Changes to this property will trigger replacement. String
A unique display name for the federated identity credential. Changing this forces a new resource to be created.
issuer String
The URL of the external identity provider, which must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app.
subject String
The identifier of the external software workload within the external identity provider. The combination of issuer and subject must be unique on the app.

Import

Federated Identity Credentials can be imported using the object ID of the associated application and the ID of the federated identity credential, e.g.

$ pulumi import azuread:index/applicationFederatedIdentityCredential:ApplicationFederatedIdentityCredential example 00000000-0000-0000-0000-000000000000/federatedIdentityCredential/11111111-1111-1111-1111-111111111111

Note: This ID format is unique to Terraform and is composed of the application’s object ID, the string “federatedIdentityCredential”, and the credential ID, in the format {ObjectId}/federatedIdentityCredential/{CredentialId}.

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
Azure Active Directory (Azure AD) pulumi/pulumi-azuread
License
Apache-2.0
Notes
This Pulumi package is based on the azuread Terraform Provider.