
Whenever I run the terraform plan command, I have to put in the client id, secret id, tenant id and subscription id manually.

Here is my setup

I have set env variables in my .zprofile

export ARM_SUBSCRIPTION_ID=*********
export ARM_CLIENT_ID=*********
export ARM_CLIENT_SECRET=*********
export ARM_TENANT_ID=*********

If I want to see them, echo $ARM_SUBSCRIPTION_ID does print out its value.

In my providers.tf file this is the code

# Configuration options
provider "azurerm" {
  subscription_id = var.SUBSCRIPTION_ID
  client_id       = var.CLIENT_ID
  client_secret   = var.CLIENT_SECRET
  tenant_id       = var.TENANT_ID
  features {

  }

}

And in my variables.tf file the code looks like this

variable "SUBSCRIPTION_ID" {
  
}

variable "CLIENT_ID" {
  
}

variable "CLIENT_SECRET" {
  
}

variable "TENANT_ID" {
  
}

So when I run the terraform plan command, the terminal prompts me to put in all the ids manually.
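
Why the prompts appear, as an added example that is not part of the original question or answers: Terraform fills `var.NAME` only from `TF_VAR_NAME` (or `-var` / tfvars files), while the `ARM_*` variables are read directly by the azurerm provider. The script lists which declared variables would be prompted for without printing any values; `sample_tf`, the `LOCATION` variable and the placeholder value are constructed, and the awk parser assumes the flat variable blocks used in the question.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the input variables that
# `terraform plan` will prompt for; values are never printed.

# Constructed sample in the style of the question's variables.tf
# (LOCATION is an extra, made-up variable that has a default).
sample_tf() {
  cat <<'EOF'
variable "SUBSCRIPTION_ID" {

}

variable "CLIENT_ID" {
}

variable "CLIENT_SECRET" {}

variable "LOCATION" {
  default = "westeurope"
}
EOF
}

# Read .tf text on stdin and print each variable declared without a default.
# Assumes flat `variable "NAME" { ... }` blocks with no nested braces.
vars_without_default() {
  awk '
    /^[ \t]*variable[ \t]+"/ { split($0, p, "\""); name = p[2]; has_default = 0; in_var = 1 }
    in_var && /^[ \t]*default[ \t]*=/ { has_default = 1 }
    in_var && /}[ \t]*$/ { if (!has_default) print name; in_var = 0 }
  '
}

# Terraform fills var.NAME only from TF_VAR_NAME (or -var / *.tfvars).
# ARM_* variables are read by the azurerm provider itself, not by var.*.
prompted_vars() {
  vars_without_default | while read -r name; do
    if ! printenv "TF_VAR_${name}" >/dev/null; then
      echo "$name"
    fi
  done
}

# Demo: ARM_CLIENT_ID is exported as in the question, yet CLIENT_ID is still listed.
export ARM_CLIENT_ID="constructed-placeholder"
sample_tf | prompted_vars
```

With the question's files, either drop the four `var.*` arguments from the provider block so azurerm picks up `ARM_*` itself, or export the values under `TF_VAR_`-prefixed names that match the declared variables.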


2 Answers


  1. Chosen as BEST ANSWER

    So finally I have found the solution.

    If you have multiple subscriptions of Azure (you are working for multiple clients) then the first thing is that you need to check which is your current subscription. Run this command to check all subscriptions

    az account tenant list
    

    and run this command to switch your subscription

    az login --tenant <myTenantID>
    

    and now you can run any Azure CLI command, and changes will be reflected in your current subscription


  2. Authenticating to Azure with a service principal and client secret using Terraform:

    I tried to authenticate with AzureAD service principal in my environment after finding a workaround and was able to perform it successfully.

    I’ve set up env variables in azCLI as shown here:

    export ARM_SUBSCRIPTION_ID="<subscription_id>"
    export ARM_CLIENT_ID="<client_id>"
    export ARM_TENANT_ID="<tenant_id>"
    export ARM_CLIENT_SECRET="<client_secret>"
    

    To authenticate the service principal, we need to give some role permissions and API permissions as well.

    Required Permissions to enable:

    Go to Roles and Administrators under Azure Active Directory through the portal. There are certain administrator positions that come with default configuration. Actively enable the roles of "Application Administrator, Global Administrator, and User Administrator".


    and

    Go to API permissions under the registered App registration and add application permissions for Microsoft Graph, as it's the main source to authenticate to the Portal, and enable the permissions given below by clicking on Add permission.

    App registration:


    To check, I created a resource group and applied a dev tag to it after successful authentication.

    Provider.tf

    variable "client_secret" {}

    terraform {
      required_providers {
        azuread = {
          source  = "hashicorp/azuread"
          version = "2.30.0" // Give the latest version
        }
      }
    }

    // azurerm reads its credentials from the ARM_* environment variables exported above
    provider "azurerm" {
      features {}
    }

    // subscription_id and features {} are azurerm-only arguments, so they are not set on azuread
    provider "azuread" {
      client_id     = "<client_id>"
      client_secret = var.client_secret
      tenant_id     = "<tenant_id>"
    }

    resource "azurerm_resource_group" "t_rg" {
      name     = "<resourcegroupName>"
      location = "<location>"

      tags = {
        Environment = "Dev"
      }
    }
    

    Executed terraform init:


    After setting up everything, I executed terraform plan; it asks for client_secret only, not client_id:

    Executed Terraform apply:


    Authenticated & deployed successfully in Portal:


    Applied tags successfully to the resource group as given:
