Service Principal in env
Once you have created a service principal, you can hand its credentials to Terraform through environment variables instead of writing them into configuration files.
To do this, export the Service Principal credentials as the `ARM_*` environment variables that the Terraform `azurerm` provider reads automatically. This works for local use and for automation and CI/CD alike, on Linux, macOS, WSL and PowerShell.
Bash/Linux/WSL: Set Environment Variables
Add the following to your `~/.bashrc` or `~/.zshrc`:

```bash
export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"
```

Note that this stores the client secret in plaintext in your home directory. Keep the file readable only by your own user, and on shared machines prefer setting the variables for the current session only.
Reload your shell configuration:

```bash
source ~/.bashrc   # or, for zsh: source ~/.zshrc
```
Verify the environment variables (this prints the secret value too, so do not run it in a shared terminal session or a CI log):

```bash
printenv | grep ^ARM
```
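Before running Terraform it is worth confirming that the four variables are complete and that no `<placeholder>` from the snippet above was left unedited. The preflight script below is an added example, not code from the original page: it checks the `ARM_*` variables the `azurerm` provider reads, validates that the three IDs are GUIDs, flags leftover placeholders, and reports the secret only as set or missing so its output can safely appear in a terminal or CI log. The filename `arm_env_check.sh`, the report layout and the masking rule (first four characters) are assumptions of this example.

```shell
#!/bin/sh
# arm_env_check.sh: preflight for the ARM_* variables Terraform's azurerm provider reads.
# Added example, not code from the original page. It checks that the four variables are
# set, that none still holds an unedited "<placeholder>" from the docs snippet, that the
# three IDs look like GUIDs, and that the secret is non-empty, without ever printing the
# secret itself. Written in POSIX sh so it also runs under dash/bash in CI.

# Azure subscription, tenant and application (client) IDs are GUIDs.
GUID_RE='^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'

# is_guid VALUE: exit 0 if VALUE is a GUID, 1 otherwise.
is_guid() {
    printf '%s' "$1" | grep -Eq "$GUID_RE"
}

# is_placeholder VALUE: exit 0 if VALUE is still an unedited "<...>" placeholder.
is_placeholder() {
    case "$1" in
        "<"*">") return 0 ;;
        *)       return 1 ;;
    esac
}

# mask VALUE: print the first 4 characters followed by "..." so a log never carries a
# full ID; values of 4 characters or fewer are fully masked.
mask() {
    if [ "${#1}" -le 4 ]; then
        printf '****'
    else
        printf '%.4s...' "$1"
    fi
}

# check_arm_env: print one report line per variable; exit 0 only if every variable is usable.
check_arm_env() {
    arm_rc=0
    for arm_name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID ARM_CLIENT_SECRET; do
        # Indirect lookup; arm_name only ever comes from the fixed list above.
        eval "arm_val=\${$arm_name:-}"
        if [ -z "$arm_val" ]; then
            echo "MISSING      $arm_name"; arm_rc=1
        elif is_placeholder "$arm_val"; then
            echo "PLACEHOLDER  $arm_name still holds the <...> placeholder from the snippet"; arm_rc=1
        elif [ "$arm_name" = ARM_CLIENT_SECRET ]; then
            # Never echo the secret; length is enough to spot an empty or truncated paste.
            echo "OK           $arm_name (set, ${#arm_val} chars, not shown)"
        elif is_guid "$arm_val"; then
            echo "OK           $arm_name=$(mask "$arm_val")"
        else
            echo "INVALID      $arm_name=$(mask "$arm_val") is not a GUID"; arm_rc=1
        fi
    done
    return "$arm_rc"
}

# Stand-alone use: print the report and a verdict; the caller decides whether to stop.
if check_arm_env; then
    echo "All ARM_* variables look usable; safe to run terraform init."
else
    echo "Fix the variables above before running terraform." >&2
fi
```

Run it after exporting the variables, or source it and gate Terraform on the function: `. ./arm_env_check.sh && check_arm_env && terraform init`. Because the secret is only reported by length, the report can go into a CI log without leaking the credential.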
PowerShell: Set Environment Variables
Set variables for the current session:

```powershell
$env:ARM_CLIENT_ID="<service_principal_app_id>"
$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"
```

Verify the variables:

```powershell
Get-ChildItem env:ARM_*
```

Persist variables for all sessions: add the same `$env:` assignments (not Bash `export` lines) to your PowerShell profile, the file named by `$PROFILE`. As with the shell dotfiles, the secret then sits in plaintext in that file, so restrict access to it.
Real-Life DevOps Example: GitHub Actions
Store your Service Principal credentials as GitHub Actions secrets, then use them in your workflow:
```yaml
jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      - run: terraform apply -auto-approve
```
Best Practices
- Never hardcode credentials in your Terraform code or repository
- Use environment variables or a secret manager for sensitive values
- Rotate Service Principal credentials regularly
- Grant only the minimum RBAC permissions the deployment needs
Tip: For passwordless authentication in CI/CD, use OIDC (workload identity federation) with GitHub Actions or Azure Pipelines, so no long-lived client secret has to be stored as a pipeline secret at all.