Azure Authentication
To use Terraform commands against your Azure subscription, you must first authenticate Terraform to that subscription. This article covers common DevOps scenarios for authenticating to Azure securely.
To use Terraform with Azure, you must authenticate Terraform to your Azure subscription. The recommended approach for automation and CI/CD is to use a Service Principal with RBAC. Below are step-by-step instructions for both Bash (Azure CLI) and PowerShell workflows, with real-life DevOps tips.
Bash (Azure CLI): Create a Service Principal for Terraform
Sign in to Azure:
az login
(If using Git Bash on Windows) set the environment variable to avoid path conversion issues:
export MSYS_NO_PATHCONV=1
Tip: Add this to your ~/.bashrc for persistent use.
Create a Service Principal with Contributor role:
az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>
Replace <service_principal_name> and <subscription_id> as needed.
The output will include appId, password, and tenant; store these securely (e.g., Azure Key Vault, GitHub Actions secrets).
Best Practice: Never commit credentials to source control. Use environment variables or secret managers in CI/CD.
Configure Terraform to use the Service Principal: add these variables to your environment or your CI/CD pipeline:
export ARM_CLIENT_ID="<appId>"
export ARM_CLIENT_SECRET="<password>"
export ARM_SUBSCRIPTION_ID="<subscription_id>"
export ARM_TENANT_ID="<tenant>"
Or use a Terraform provider block:
provider "azurerm" {
  features {}
  client_id       = var.client_id
  client_secret   = var.client_secret
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}
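The script below is an added example, not code from the original article. It walks the Bash procedure above end to end: it parses the JSON that az ad sp create-for-rbac prints into the four ARM_* variables the azurerm provider reads, refuses to run Terraform if any of them is missing, and logs only a redacted summary so the client secret never appears in CI output. The JSON is a constructed sample with placeholder GUIDs and a placeholder secret, and the function names (json_field, load_arm_env_from_sp_json, check_arm_env, arm_env_summary) are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original article): turn the JSON printed by
# `az ad sp create-for-rbac` into the four ARM_* variables the azurerm provider
# reads, and refuse to run Terraform if any of them is missing.
set -eu

# Constructed sample of the CLI output shape; the GUIDs and secret are placeholders.
SAMPLE_SP_JSON='{
  "appId": "00000000-0000-0000-0000-000000000001",
  "displayName": "terraform-dev",
  "password": "PLACEHOLDER-SECRET",
  "tenant": "00000000-0000-0000-0000-000000000002"
}'

# Extract one top-level string field from the JSON without needing jq.
# Assumes the flat one-"key": "value"-per-line layout the CLI emits.
json_field() {
  local json="$1" key="$2"
  printf '%s\n' "$json" \
    | sed -n "s/^[[:space:]]*\"$key\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
    | head -n 1
}

# Populate the ARM_* variables from the SP JSON plus the target subscription.
# The credentials stay in the process environment and are never written to disk.
load_arm_env_from_sp_json() {
  local json="$1" subscription_id="$2"
  ARM_CLIENT_ID=$(json_field "$json" appId)
  ARM_CLIENT_SECRET=$(json_field "$json" password)
  ARM_TENANT_ID=$(json_field "$json" tenant)
  ARM_SUBSCRIPTION_ID=$subscription_id
  export ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
}

# Return 0 only if every variable the provider needs is set and non-empty.
# Report the *names* of missing variables, never their values.
check_arm_env() {
  local missing=0 name value
  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_SUBSCRIPTION_ID ARM_TENANT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing: $name" >&2
      missing=1
    fi
  done
  return "$missing"
}

# One-line summary safe for CI logs: identifiers are shown, the secret is not.
arm_env_summary() {
  printf 'client_id=%s tenant_id=%s subscription_id=%s client_secret=%s\n' \
    "$ARM_CLIENT_ID" "$ARM_TENANT_ID" "$ARM_SUBSCRIPTION_ID" "<redacted>"
}

main() {
  # Placeholder subscription id, constructed for this example.
  load_arm_env_from_sp_json "$SAMPLE_SP_JSON" "00000000-0000-0000-0000-000000000003"
  if ! check_arm_env; then
    echo "refusing to run terraform: credentials incomplete" >&2
    return 1
  fi
  arm_env_summary
  # terraform init && terraform plan   # uncomment in a real pipeline
}

main
```

In a real pipeline you would pipe the live CLI output into load_arm_env_from_sp_json rather than embedding it, and the same check_arm_env gate is a useful first step in a CI job where the variables arrive from a secret store. If you prefer the provider block, declare the client_secret variable with sensitive = true so Terraform redacts it from plan output.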
PowerShell: Create a Service Principal for Terraform
Open a PowerShell prompt and sign in:
Connect-AzAccount
Check your current subscription:
Get-AzContext
List all available subscriptions:
Get-AzSubscription
Set the active subscription (if needed):
Set-AzContext -Subscription "<subscription_id_or_subscription_name>"
Create a Service Principal with Contributor role:
$sp = New-AzADServicePrincipal -DisplayName "<service_principal_name>" -Role "Contributor"
$appId = $sp.AppId
$password = $sp.PasswordCredentials.SecretText
$tenantId = (Get-AzContext).Tenant.Id
Store $appId, $password, and $tenantId securely for use in Terraform.
Real-Life DevOps Example: GitHub Actions with Azure
Store your Service Principal credentials as GitHub Actions secrets, then use them in your workflow:
jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve
Best Practices
Use a dedicated Service Principal per environment (dev, staging, prod)
Grant only the minimum RBAC permissions needed
Store credentials in a secure secret manager (Azure Key Vault, GitHub/Azure DevOps secrets)
Rotate Service Principal credentials regularly
Never commit credentials to source control
Tip: For fully automated pipelines, use Terraform Cloud or GitHub Actions with OIDC for passwordless authentication to Azure.