Azure Authetication

To use Terraform commands against your Azure subscription, you must first authenticate Terraform to that subscription. This article covers common DevOps scenarios for authenticating to Azure securely

To use Terraform with Azure, you must authenticate Terraform to your Azure subscription. The recommended approach for automation and CI/CD is to use a Service Principal with RBAC. Below are step-by-step instructions for both Bash (Azure CLI) and PowerShell workflows, with real-life DevOps tips.

Bash (Azure CLI): Create a Service Principal for Terraform

Sign in to Azure:
```
az login
```
(If using Git Bash on Windows) set the environment variable to avoid path conversion issues:
```
export MSYS_NO_PATHCONV=1
```
Tip: Add this to your ~/.bashrc for persistent use.
Create a Service Principal with Contributor role:
```
az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>
```
- Replace <service_principal_name> and <subscription_id> as needed.
- The output will include appId, password, and tenant—store these securely (e.g., Azure Key Vault, GitHub Actions secrets).
Best Practice: Never commit credentials to source control. Use environment variables or secret managers in CI/CD.

Configure Terraform to use the Service Principal: Add these variables to your environment or your CI/CD pipeline:

export ARM_CLIENT_ID="<appId>"
export ARM_CLIENT_SECRET="<password>"
export ARM_SUBSCRIPTION_ID="<subscription_id>"
export ARM_TENANT_ID="<tenant>"

Or use a Terraform provider block:

provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

PowerShell: Create a Service Principal for Terraform

Open a PowerShell prompt and sign in:
```
Connect-AzAccount
```
Check your current subscription:
```
Get-AzContext
```
List all available subscriptions:
```
Get-AzSubscription
```

Set the active subscription (if needed):

Set-AzContext -Subscription "<subscription_id_or_subscription_name>"

Create a Service Principal with Contributor role:

$sp = New-AzADServicePrincipal -DisplayName <service_principal_name> -Role "Contributor"
$appId = $sp.AppId
$password = $sp.PasswordCredentials.SecretText
$tenantId = (Get-AzContext).Tenant.Id

Store $appId, $password, and $tenantId securely for use in Terraform.

Real-Life DevOps Example: GitHub Actions with Azure

Store your Service Principal credentials as GitHub Actions secrets, then use them in your workflow:

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve

Best Practices

Use a dedicated Service Principal per environment (dev, staging, prod)
Grant only the minimum RBAC permissions needed
Store credentials in a secure secret manager (Azure Key Vault, GitHub/Azure DevOps secrets)
Rotate Service Principal credentials regularly
Never commit credentials to source control

References

Tip: For fully automated pipelines, use Terraform Cloud or GitHub Actions with OIDC for passwordless authentication to Azure.

PreviousAzure Scenarios NextService Principal

Last updated 1 month ago