
How to log in to the ArgoCD CLI non-interactively in CI such as GitHub Actions?

Introduction

ArgoCD CLI requires authentication before you can manage applications. In interactive mode, argocd login prompts for credentials, but CI/CD pipelines like GitHub Actions run without human input. To log in non-interactively, use either an auth token with the --auth-token flag or pass --username/--password directly. The token-based approach is recommended because it avoids storing passwords and supports scoped permissions through ArgoCD API keys or project tokens.

Generate an API token in ArgoCD and use it for headless login:

bash
# Generate a token for an ArgoCD account (run once, locally)
argocd account generate-token --account ci-bot

# Or create a project-scoped token
argocd proj role create-token my-project ci-role

Use the token in CI:

bash
# Login with auth token: no interactive prompt
argocd login argocd.example.com \
  --auth-token "$ARGOCD_TOKEN" \
  --grpc-web \
  --insecure  # Only if using self-signed certs

The --grpc-web flag is needed when ArgoCD is behind an ingress that does not support HTTP/2 (gRPC). The --insecure flag skips TLS verification — use it only for self-signed certificates or in private networks.

Method 2: Username and Password

bash
argocd login argocd.example.com \
  --username admin \
  --password "$ARGOCD_PASSWORD" \
  --grpc-web \
  --insecure

This works but requires storing the admin password as a secret, which is less secure than a scoped API token.

Method 3: ARGOCD_AUTH_TOKEN Environment Variable

Instead of passing --auth-token to every command, set the environment variable:

bash
export ARGOCD_AUTH_TOKEN="$ARGOCD_TOKEN"

# Now all argocd commands authenticate automatically
argocd app list
argocd app sync my-app

This is the cleanest approach for CI pipelines with multiple ArgoCD commands.

GitHub Actions Workflow

yaml
name: Deploy via ArgoCD
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install ArgoCD CLI
        run: |
          curl -sSL -o argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
          chmod +x argocd
          sudo mv argocd /usr/local/bin/

      - name: Login to ArgoCD
        env:
          ARGOCD_AUTH_TOKEN: ${{ secrets.ARGOCD_TOKEN }}
        run: |
          argocd login argocd.example.com \
            --auth-token "$ARGOCD_AUTH_TOKEN" \
            --grpc-web

      - name: Sync application
        run: |
          argocd app sync my-app --prune
          argocd app wait my-app --health

Store ARGOCD_TOKEN in GitHub repository secrets: Settings > Secrets and variables > Actions > New repository secret.

Creating a Dedicated CI Account

Create a separate ArgoCD account for CI instead of using admin:

bash
# Edit the argocd-cm ConfigMap
kubectl edit configmap argocd-cm -n argocd

Add the account:

yaml
data:
  accounts.ci-bot: apiKey, login
  accounts.ci-bot.enabled: "true"

Set RBAC permissions:

bash
# Edit argocd-rbac-cm ConfigMap
kubectl edit configmap argocd-rbac-cm -n argocd

yaml
data:
  policy.csv: |
    p, role:ci, applications, sync, */*, allow
    p, role:ci, applications, get, */*, allow
    g, ci-bot, role:ci

Generate the token:

bash
argocd account generate-token --account ci-bot

This token can only sync and view applications — it cannot modify ArgoCD settings.
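
To confirm that claim against the live policy rather than by reading it, the following added example (not from the original page or the Argo CD project) resolves the `g` role bindings for an account and reports any `allow` grant outside an allow-list. The function name `audit_account` is hypothetical, and the check assumes the `p`/`g` line forms shown above; `policy.default` and the built-in `role:readonly` are not evaluated.

```shell
#!/usr/bin/env bash
# Added example: check that an account's effective grants in policy.csv stay
# inside an allow-list. Reads raw policy.csv text, e.g. saved from:
#   kubectl get configmap argocd-rbac-cm -n argocd -o jsonpath='{.data.policy\.csv}'
# Not evaluated (assumption): policy.default and the built-in role:readonly.

# audit_account ACCOUNT POLICY_FILE RESOURCE:ACTION...
# Prints each excess grant and returns 1 if there is any, else returns 0.
audit_account() {
  local account="$1" policy="$2"
  shift 2
  awk -v acct="$account" -v allowed="$*" '
    BEGIN {
      FS = "[ \t]*,[ \t]*"
      n = split(allowed, a, " ")
      for (i = 1; i <= n; i++) ok[a[i]] = 1
      member[acct] = 1                     # the account itself is a subject
    }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim YAML indentation
    $1 == "g" { gsubj[++ng] = $2; grole[ng] = $3 }
    $1 == "p" { psubj[++np] = $2; grant[np] = $3 ":" $4; eff[np] = $6; line[np] = $0 }
    END {
      do {                                 # resolve role inheritance to a fixed point
        changed = 0
        for (i = 1; i <= ng; i++)
          if ((gsubj[i] in member) && !(grole[i] in member)) {
            member[grole[i]] = 1; changed = 1
          }
      } while (changed)
      if ("role:admin" in member) { print "EXCESS: inherits built-in role:admin"; bad = 1 }
      for (i = 1; i <= np; i++)
        if ((psubj[i] in member) && eff[i] == "allow" && !(grant[i] in ok)) {
          print "EXCESS: " line[i]; bad = 1
        }
      exit bad + 0
    }' "$policy"
}

# Typical use, with the policy saved to policy.csv:
#   audit_account ci-bot policy.csv applications:sync applications:get || exit 1
```

Wildcard resources or actions (`*`) never match an allow-list entry, so they are reported as excess.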

GitLab CI Example

yaml
deploy:
  stage: deploy
  image: argoproj/argocd:latest
  variables:
    ARGOCD_SERVER: argocd.example.com
  script:
    - argocd login "$ARGOCD_SERVER"
        --auth-token "$ARGOCD_TOKEN"
        --grpc-web
    - argocd app sync my-app --prune
    - argocd app wait my-app --health --timeout 300
  only:
    - main

Store ARGOCD_TOKEN in GitLab CI/CD variables (Settings > CI/CD > Variables, masked).

Using argocd app actions Without Full Login

For simple sync operations, you can skip the login step entirely and pass the server and token with each command:

bash
argocd app sync my-app \
  --server argocd.example.com \
  --auth-token "$ARGOCD_TOKEN" \
  --grpc-web

This is useful for one-off commands but verbose for workflows with multiple commands.

Common Pitfalls

  • Forgetting --grpc-web behind an ingress: ArgoCD uses gRPC (HTTP/2). Most ingress controllers (nginx, Traefik) do not pass gRPC through by default. Without --grpc-web, the CLI hangs or returns connection errors. Add --grpc-web to use HTTP/1.1 web transport.
  • Using --insecure in production: This flag disables TLS certificate verification, making the connection vulnerable to man-in-the-middle attacks. Configure proper TLS certificates and omit --insecure in production environments.
  • Storing the admin password as a CI secret: The admin account has full access to ArgoCD. Create a dedicated CI account with minimal RBAC permissions and generate a scoped API token instead.
  • Token expiration: ArgoCD tokens can be configured with an expiration time. If your CI pipeline fails with "token is expired," generate a new token or set a longer expiration: argocd account generate-token --account ci-bot --expires-in 0 (0 = no expiration).
  • Port mismatch: ArgoCD server listens on port 443 (HTTPS) by default. If your server is on a non-standard port (e.g., 8080), specify it: argocd login argocd.example.com:8080. Omitting the port causes connection refused errors.
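
For the token expiration pitfall, a pipeline can detect an expiring token before any sync is attempted. This added example (not from the original page or the Argo CD project) relies on Argo CD API tokens being JWTs and reads the optional `exp` claim from the payload; the function names are hypothetical, and the signature is not verified because the server does that.

```shell
#!/usr/bin/env bash
# Added example: fail a CI job early when the Argo CD token is near expiry.
# Only the "exp" claim is read; the signature is NOT verified here.

# Decode one base64url-encoded JWT segment to stdout.
b64url_decode() {
  local seg
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in        # restore the stripped '=' padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Print the numeric "exp" claim (Unix seconds), or nothing if absent.
token_exp() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    tr -d ' \n' | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p'
}

# check_argocd_token TOKEN [MARGIN_SECONDS] [NOW]
# 0 = usable, 1 = expired or inside the margin, 2 = not a three-part JWT.
check_argocd_token() {
  local token="$1" margin="${2:-300}" now="${3:-}" exp
  [ -n "$now" ] || now=$(date +%s)
  case "$token" in
    *.*.*) ;;
    *) echo "ARGOCD_AUTH_TOKEN is not a JWT" >&2; return 2 ;;
  esac
  exp=$(token_exp "$token")
  if [ -z "$exp" ]; then
    echo "token has no exp claim (non-expiring)" >&2
    return 0
  fi
  if [ $(( exp - now )) -lt "$margin" ]; then
    echo "token expires in $(( exp - now ))s, rotate it" >&2
    return 1
  fi
  return 0
}

# Typical use as the first step of a job:
#   check_argocd_token "$ARGOCD_AUTH_TOKEN" 600 || exit 1
```

The margin gives a warning window, so a token about to lapse fails the job with a clear message instead of a mid-deploy "token is expired" error.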

Summary

  • Use --auth-token with a scoped API token for non-interactive CI login (most secure)
  • Set ARGOCD_AUTH_TOKEN as an environment variable to avoid passing the token to every command
  • Always add --grpc-web when ArgoCD is behind a standard HTTP ingress
  • Create a dedicated CI account with minimal RBAC permissions instead of using admin
  • Store tokens in CI platform secrets (GitHub Secrets, GitLab CI Variables)
  • Use argocd app wait --health after sync to ensure the deployment succeeds before the pipeline exits
