Terraform supports a number of different methods for authenticating to Azure; this page covers authenticating using the Azure CLI.
We recommend using either a Service Principal or Managed Identity when running Terraform non-interactively (such as when running Terraform in a CI server), and authenticating using the Azure CLI when running Terraform locally.
Terraform only supports authenticating using the az CLI (and this must be available on your PATH) - authenticating using the older azure CLI or the PowerShell Az / AzureRM Cmdlets is not supported.
Prior to version 2.35 of the provider, authenticating via az login --service-principal was not supported and it was necessary to use either a Client Secret or a Client Certificate. From 2.35 upwards, authenticating via the Azure CLI is supported when using a Service Principal or Managed Identity. However, we still recommend using native provider support for Service Principal or Managed Identity authentication wherever possible, since it does not depend on whatever session the CLI happens to have cached on the machine.
Firstly, log in to the Azure CLI using a User, Service Principal or Managed Identity.
User Account:
az login --allow-no-subscriptions
Service Principal with a Secret:
az login --service-principal \
--username 00000000-0000-0000-0000-000000000000 \
--password "MyCl1eNtSeCr3t" \
--tenant 10000000-2000-3000-4000-500000000000 \
--allow-no-subscriptions
Service Principal with a Certificate:
az login --service-principal \
--username 00000000-0000-0000-0000-000000000000 \
--password /path/to/certificate \
--tenant 10000000-2000-3000-4000-500000000000 \
--allow-no-subscriptions
Service Principal with Open ID Connect (for use in CI / CD). Note that az login must also be given the OIDC token issued by the CI platform for this to work (it accepts one via --federated-token); without it the CLI will prompt for a secret instead:
az login --service-principal \
--username 00000000-0000-0000-0000-000000000000 \
--tenant 10000000-2000-3000-4000-500000000000 \
--allow-no-subscriptions
Managed Identity:
az login --identity --allow-no-subscriptions
or
az login --identity \
--username 00000000-0000-0000-0000-000000000000 \
--allow-no-subscriptions
The --allow-no-subscriptions argument enables access to tenants that have no linked subscriptions, in addition to tenants that do.
Once logged in - it's possible to list the Subscriptions and Tenants associated with the account via:
$ az account list -o table --all --query "[].{TenantID: tenantId, Subscription: name, Default: isDefault}"
The output (similar to below) will display one or more Tenants and/or Subscriptions.
TenantID Subscription Default
------------------------------------ ----------------------------------- ---------
00000000-0000-1111-1111-111111111111 N/A(tenant level account) False
00000000-0000-2222-2222-222222222222 N/A(tenant level account) False
00000000-0000-1111-1111-111111111111 My Subscription True
00000000-0000-1111-1111-111111111111 My Other Subscription False
Each entry shown is referred to as an Azure CLI account, which represents either a subscription with its linked tenant, or a tenant without any accessible subscriptions (Azure CLI does not show tenant names or domains). The provider will select the tenant ID from your default Azure CLI account. Check this before running Terraform: if the default account belongs to a different tenant than the one you intend to manage, the provider will read and write directory objects in that other tenant. If you have more than one tenant listed in the output of az account list, for example if you are a guest user in other tenants, you can specify the tenant to use.
# sh
export ARM_TENANT_ID=00000000-0000-2222-2222-222222222222
# PowerShell (the value must be quoted, otherwise PowerShell evaluates the ID as arithmetic)
$env:ARM_TENANT_ID = "00000000-0000-2222-2222-222222222222"
You can also configure the tenant ID from within the provider block.
provider "azuread" {
tenant_id = "00000000-0000-2222-2222-222222222222"
}
Alternatively, you can configure the Azure CLI to default to the tenant you are managing with Terraform.
$ az login --allow-no-subscriptions --tenant "TENANT_ID_OR_DOMAIN"
No specific configuration is required for the provider to use Azure CLI authentication. If you're looking to use Terraform across Tenants, it's possible to do this by configuring the tenant_id field in the Provider block, as shown below:
provider "azuread" {
tenant_id = "00000000-0000-1111-1111-111111111111"
}
More information on the fields supported in the Provider block can be found here.
At this point, running either terraform plan or terraform apply should allow Terraform to run using the Azure CLI to authenticate.
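The tenant-selection behaviour described above is the easy thing to get wrong with CLI authentication: the provider takes the tenant of whichever CLI account is currently the default, and a guest user is often logged into several. The script below is an added example, not code from the provider or its documentation. It parses the TSV form of az account list (the --all, -o tsv and --query flags are real az CLI options; the sample rows are constructed to match the table shown above) and resolves the tenant Terraform will run against, refusing to continue when more than one tenant is visible and ARM_TENANT_ID is not set, or when ARM_TENANT_ID names a tenant the CLI is not logged into. Requiring an explicit pin in the multi-tenant case is this example's own policy, stricter than the provider's default.

```shell
#!/bin/sh
# Added example, not from the provider documentation: a pre-flight check that
# resolves which tenant Terraform will run against when authenticating through
# the Azure CLI, and refuses to continue when the answer is ambiguous.
# Parsing works on the TSV form of `az account list`, so the functions can be
# exercised offline against the constructed sample below; only main() calls az.

# Constructed sample of what
#   az account list --all -o tsv --query "[].[tenantId,name,isDefault]"
# prints for a user who is also a guest in a second tenant.
sample_accounts() {
  printf '%s\t%s\t%s\n' \
    '00000000-0000-1111-1111-111111111111' 'N/A(tenant level account)' 'False' \
    '00000000-0000-2222-2222-222222222222' 'N/A(tenant level account)' 'False' \
    '00000000-0000-1111-1111-111111111111' 'My Subscription' 'True' \
    '00000000-0000-1111-1111-111111111111' 'My Other Subscription' 'False'
}

# Tenant of the default CLI account (stdin: TSV). This is what the provider
# picks when neither ARM_TENANT_ID nor tenant_id is set.
default_tenant() {
  awk -F'\t' '$3 == "True" { print $1; exit }'
}

# Number of distinct tenants the logged-in principal can see (stdin: TSV).
tenant_count() {
  awk -F'\t' '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# effective_tenant TSV PINNED
# Prints the tenant Terraform will use. PINNED is the value of ARM_TENANT_ID
# (may be empty). Fails when PINNED is not a tenant the CLI is logged into, or
# when it is empty and more than one tenant is visible (policy choice of this
# example: never rely on the CLI default in a multi-tenant login).
effective_tenant() {
  accounts=$1
  pinned=$2
  if [ -n "$pinned" ]; then
    if ! printf '%s\n' "$accounts" |
        awk -F'\t' -v t="$pinned" '$1 == t { found = 1 } END { if (found) exit 0; exit 1 }'; then
      echo "ARM_TENANT_ID=$pinned is not among the tenants the CLI is logged into" >&2
      return 1
    fi
    printf '%s\n' "$pinned"
    return 0
  fi
  n=$(printf '%s\n' "$accounts" | tenant_count)
  if [ "$n" -gt 1 ]; then
    echo "logged into $n tenants but ARM_TENANT_ID is unset; pin the tenant explicitly" >&2
    return 1
  fi
  printf '%s\n' "$accounts" | default_tenant
}

# Live use: resolve the tenant from the real CLI session, then run Terraform
# with ARM_TENANT_ID pinned to the result.
main() {
  command -v az >/dev/null 2>&1 || { echo "az is not on PATH" >&2; return 1; }
  live=$(az account list --all -o tsv --query "[].[tenantId,name,isDefault]") || return 1
  tenant=$(effective_tenant "$live" "${ARM_TENANT_ID:-}") || return 1
  echo "Terraform will use the Azure CLI against tenant $tenant"
  ARM_TENANT_ID=$tenant terraform plan
}

# Offline demonstration against the sample: the first call is refused (two
# tenants visible, nothing pinned), the second resolves to the pinned guest tenant.
if [ "${1:-}" = "--live" ]; then
  main
else
  demo=$(sample_accounts)
  effective_tenant "$demo" "" || echo "refused, as intended: pin ARM_TENANT_ID"
  effective_tenant "$demo" 00000000-0000-2222-2222-222222222222
fi
```

Run it with no arguments to see the offline demonstration, or with --live to check the real CLI session and run terraform plan with ARM_TENANT_ID exported to the resolved tenant. The same check is worth running in a pipeline that has not disabled CLI authentication, because a stale az login on a shared build agent is otherwise indistinguishable from the credentials you meant to use.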
For compatibility reasons and to ensure a positive user experience when running Terraform interactively, Azure CLI authentication is enabled by default. It's possible to disable authentication using Azure CLI, which you may wish to do in automated environments such as CI/CD pipelines or when scripting operations with Terraform.
To do so, add the use_cli configuration property in the Provider block.
provider "azuread" {
use_cli = false
}
Alternatively, you can set the ARM_USE_CLI environment variable.
# sh
export ARM_USE_CLI=false
# PowerShell (quote the value; a bare false is parsed as a command name, not a string)
$env:ARM_USE_CLI = "false"