Authenticate to Azure with service principal
This article explains how to authenticate Terraform to Azure with a service principal.
In this article, you learn how to:
- Create a service principal
- Specifying service principal credentials in environment variables
- Specify service principal credentials in a Terraform provider block
Create a service principal
If you don't have access to a service principal, continue with this section to create a new service principal. If you have a service principal you can use, skip to the section, Specify service principal credentials.
Automated tools that deploy or use Azure services - such as Terraform - should always have restricted permissions. Instead of having applications sign in as a fully privileged user, Azure offers service principals.
The most common pattern is to interactively sign in to Azure, create a service principal, test the service principal, and then use that service principal for future authentication (either interactively or from your scripts).
To create a service principal, sign in to Azure. After authenticating to Azure via a Microsoft account, return here.
If you're creating a service principal from Git Bash, set the
MSYS_NO_PATHCONV
environment variable. (This step isn't necessary if you're using Cloud Shell.)export MSYS_NO_PATHCONV=1
Key points:
- You can set the
MSYS_NO_PATHCONV
environment variable globally (for all terminal sessions) or locally (for just the current session). As creating a service principal isn't something you do often, the sample sets the value for the current session. To set this environment variable globally, add the setting to the~/.bashrc
file.
- You can set the
To create a service principal, run az ad sp create-for-rbac.
az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>
Key points:
- You can replace the
<service-principal-name>
with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time. - Upon successful completion,
az ad sp create-for-rbac
displays several values. TheappId
,password
, andtenant
values are used in the next step. - The password can't be retrieved if lost. As such, you should store your password in a safe place. If you forget your password, you can reset the service principal credentials.
- For this article, a service principal with a Contributor role is being used. For more information about Role-Based Access Control (RBAC) roles, see RBAC: Built-in roles.
- The output from creating the service principal includes sensitive credentials. Be sure that you don't include these credentials in your code or check the credentials into your source control.
- For more information about options when creating a service principal with the Azure CLI, see the article Create an Azure service principal with the Azure CLI.
- You can replace the
Specify service principal credentials
There are a couple of ways to specify your service principal credentials. However, for security reasons, we suggest not storing credentials in the provider block. That technique is shown only for completeness and testing purposes.
- Specify service principal credentials in environment variables
- Specify service principal credentials in a Terraform provider block
Specify service principal credentials in environment variables
Once you create a service principal, you can specify its credentials to Terraform via environment variables.
Edit the
~/.bashrc
file by adding the following environment variables.export ARM_SUBSCRIPTION_ID="<azure_subscription_id>" export ARM_TENANT_ID="<azure_subscription_tenant_id>" export ARM_CLIENT_ID="<service_principal_appid>" export ARM_CLIENT_SECRET="<service_principal_password>"
To execute the
~/.bashrc
script, runsource ~/.bashrc
(or its abbreviated equivalent. ~/.bashrc
). You can also exit and reopen Cloud Shell for the script to run automatically.. ~/.bashrc
Once the environment variables have been set, you can verify their values as follows:
printenv | grep ^ARM*
Key points:
- For more information about working with environment variables in Terraform HCL, see Reading and using environment variables in Terraform runs.
- Creating and applying Terraform execution plans makes changes on the Azure subscription associated with the service principal. This fact can sometimes be confusing if you're logged into one Azure subscription and the environment variables point to a second Azure subscription. Let's look at the following example to explain. Let's say you have two Azure subscriptions: SubA and SubB. If the current Azure subscription is SubA (determined via
az account show
) while the environment variables point to SubB, any changes made by Terraform are on SubB. Therefore, you would need to log in to your SubB subscription to run Azure CLI commands or Azure PowerShell commands to view your changes.
Skip to the section, Next steps
Specify service principal credentials in a Terraform provider block
Caution
The ability to specify your Azure subscription credentials in a Terraform configuration file can be convenient - especially when testing. However, it isn't advisable to store credentials in a clear-text file that can be viewed by non-trusted individuals.
The Azure provider block defines syntax that allows you to specify your Azure subscription's authentication information.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "~>3.0"
}
}
}
provider "azurerm" {
features {}
subscription_id = "<azure_subscription_id>"
tenant_id = "<azure_subscription_tenant_id>"
client_id = "<service_principal_appid>"
client_secret = "<service_principal_password>"
}
# Your code goes here