I am trying to run a minimalistic Terraform code in Azure Functions. The Terraform code will create some Azure resources as part of its execution. I am trying to authenticate Terraform using the user-assigned managed identity of the Azure Function app. I tried following the docs Managed Service Identity and Terraform to set up the authentication. But somehow Terraform is still going to the CLI auth and asking for user credentials. I have set all the required variables as part of my Terraform backend config, like use_msi, client_id, subscription_id and tenant_id. The managed identity has all the permissions required to create the Terraform resources.
Need some pointers on how to debug the issue here. Can someone point me to the source code of Terraform where it's verifying MSI auth? It could give some information about any config that I might be missing.
Terraform init is running with the arguments below:

```
Running terraform command: init with args: () kwargs: {'no_color': None, 'backend_config': {'container_name': 'xyz', 'key': 'terraform.tfstate', 'storage_account_name': 'xyz', 'use_msi': 'true', 'client_id': '***', 'subscription_id': '***', 'tenant_id': '***', 'msi_endpoint': 'http://a.b.c.d:8081/msi/token'}}
```

Seeing the error below:

```
ERROR Terraform init stderr: Error: Error building ARM Config: obtain subscription(***) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
```

I verified that the function app is able to hit the MSI endpoint. Before running the Terraform code, I need access to a storage account to fetch some config, and it's able to fetch that using the managed identity. I can see logs where we are hitting the MSI endpoint to get the token to access the storage account.
asked Feb 7 at 8:03 by Harsha Chittepu, edited 2 days ago

Comments:
- Could you please paste some repro steps/code? Thanks – Thomas, Feb 7 at 10:23
- I have added (see question) the terraform init command that's getting executed. – Harsha Chittepu, Feb 7 at 10:51
1 Answer
Authenticate Terraform using an Azure AD user-assigned managed identity

The issue seems to be with the way you authenticate. Check that all the environment variables provided are assigned the correct input.
As per the Terraform documentation, the user-assigned managed identity also needs the necessary permissions, such as Contributor, so that it is able to provision the required resources.
Also check that you are using the latest version of the Terraform provider so that any missing features can be avoided.
Sample configuration with proper inputs:

```hcl
provider "azurerm" {
  features {}
  subscription_id = "subscription_id"
}

terraform {
  backend "azurerm" {
    resource_group_name  = "vinay-rg"
    storage_account_name = "testsasdasfaspp"
    container_name       = "test"
    key                  = "terraform.tfstate"
    use_msi              = true
    client_id            = "client_id"
    subscription_id      = "subscription_id"
    tenant_id            = "tenant_id"
    msi_endpoint         = "URL"
  }
}
```
If the issue still persists, you can check the pre-existing login using the command `az account show`, followed by clearing it using the command `az logout`.
Refer:
Deploying a VM with managed identity using Terraform on Azure fails - Stack Overflow answered by jahnavi
Terraform: Error building ARM Config - Authenticating using the Azure CLI is only supported - Stack Overflow answered by quadroid
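The helper below is an added example for debugging this kind of failure; it is not code from the question, the answer, or the Terraform provider. Two things are worth checking before touching permissions: that the token the Functions host hands back actually belongs to the user-assigned identity named in the config (for a user-assigned identity the `client_id` query parameter must be sent to the identity endpoint, otherwise the host answers for the system-assigned identity, or errors), and that the azurerm provider itself is told to use MSI, because `use_msi` in the backend block only covers state storage while the provider block reads its own `use_msi` setting or the `ARM_USE_MSI` environment variable and otherwise falls back to the Azure CLI, which is exactly the "Please run 'az login'" error above. The App Service / Functions identity endpoint convention used here (`IDENTITY_ENDPOINT`, `IDENTITY_HEADER`, `X-IDENTITY-HEADER`, `api-version=2019-08-01`) is the documented one; the GUIDs, the sample endpoint URL and the unsigned sample tokens are constructed for the example.

```python
import base64
import json
import os
from urllib.parse import urlencode

ARM_RESOURCE = "https://management.azure.com/"
APP_SERVICE_MSI_API_VERSION = "2019-08-01"

# Constructed sample identifiers (not real tenants or identities).
SAMPLE_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_SYSTEM_ASSIGNED_APPID = "99999999-8888-7777-6666-555555555555"


def build_msi_token_request(identity_endpoint, identity_header, client_id,
                            resource=ARM_RESOURCE):
    """Return (url, headers) for the App Service / Functions identity endpoint.

    The client_id query parameter selects the user-assigned identity; leaving it
    out asks the host for the system-assigned identity instead.
    """
    if not identity_endpoint or not identity_header:
        raise RuntimeError("IDENTITY_ENDPOINT / IDENTITY_HEADER not set: not running "
                           "in an App Service host with managed identity enabled")
    params = {"api-version": APP_SERVICE_MSI_API_VERSION,
              "resource": resource, "client_id": client_id}
    return f"{identity_endpoint}?{urlencode(params)}", {"X-IDENTITY-HEADER": identity_header}


def decode_jwt_payload(token):
    """Decode a JWT payload for inspection only; the signature is NOT verified,
    so never use this to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_identity(token, expected_client_id, expected_tenant_id):
    """Compare the claims in an access token with the Terraform config.
    Returns a list of human-readable mismatches (empty list means consistent)."""
    claims = decode_jwt_payload(token)
    problems = []
    app = claims.get("appid") or claims.get("azp")  # v1 tokens use appid, v2 use azp
    if app != expected_client_id:
        problems.append(f"token appid {app} != configured client_id {expected_client_id}")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"token tid {claims.get('tid')} != configured tenant_id {expected_tenant_id}")
    if claims.get("aud") not in (ARM_RESOURCE, ARM_RESOURCE.rstrip("/")):
        problems.append(f"token aud {claims.get('aud')} is not the ARM resource")
    return problems


def terraform_msi_env(client_id, subscription_id, tenant_id, msi_endpoint=None):
    """Environment the azurerm provider reads to use MSI instead of the Azure CLI.
    Backend use_msi only authenticates state storage; the provider needs this too."""
    env = {"ARM_USE_MSI": "true", "ARM_CLIENT_ID": client_id,
           "ARM_SUBSCRIPTION_ID": subscription_id, "ARM_TENANT_ID": tenant_id}
    if msi_endpoint:
        env["ARM_MSI_ENDPOINT"] = msi_endpoint
    return env


def make_unsigned_sample_jwt(claims):
    """Constructed, unsigned token so the check can be demonstrated offline."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Inside a Function app these two come from the host; fall back to constructed values.
    endpoint = os.environ.get("IDENTITY_ENDPOINT", "http://127.0.0.1:41234/msi/token")
    header = os.environ.get("IDENTITY_HEADER", "constructed-secret")
    url, headers = build_msi_token_request(endpoint, header, SAMPLE_CLIENT_ID)
    print("token request:", url, headers)

    good = make_unsigned_sample_jwt({"appid": SAMPLE_CLIENT_ID, "tid": SAMPLE_TENANT_ID,
                                     "aud": ARM_RESOURCE})
    wrong = make_unsigned_sample_jwt({"appid": SAMPLE_SYSTEM_ASSIGNED_APPID,
                                      "tid": SAMPLE_TENANT_ID, "aud": ARM_RESOURCE})
    print("user-assigned token:", check_token_identity(good, SAMPLE_CLIENT_ID, SAMPLE_TENANT_ID))
    print("system-assigned token:", check_token_identity(wrong, SAMPLE_CLIENT_ID, SAMPLE_TENANT_ID))
    print("provider env:", terraform_msi_env(SAMPLE_CLIENT_ID, "sub-id", SAMPLE_TENANT_ID))
```

In a Function app, fetch a real token with the request `build_msi_token_request` returns, run `check_token_identity` on it, and export the `terraform_msi_env` variables into the process that runs `terraform init`; if the claims disagree with the config, the storage-account access working proves only that some identity has a token, not that Terraform is being handed the one it expects.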