search
githubEdit

Service Principal in env

Once you create a service principal, you can specify its credentials to Terraform via environment variables.

To securely authenticate Terraform to Azure, export your Service Principal credentials as environment variables. This is the recommended approach for automation, CI/CD, and cross-platform workflows (Linux, macOS, WSL, PowerShell).

hashtag
Bash/Linux/WSL: Set Environment Variables

  1. Add the following to your ~/.bashrc or ~/.zshrc:

    export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
export ARM_TENANT_ID="<azure_subscription_tenant_id>"
export ARM_CLIENT_ID="<service_principal_appid>"
export ARM_CLIENT_SECRET="<service_principal_password>"

  2. Reload your shell configuration:

    source ~/.bashrc
# or for zsh
source ~/.zshrc

  3. Verify the environment variables:

    printenv | grep ^ARM

hashtag
PowerShell: Set Environment Variables

  1. Set variables for the current session:

    $env:ARM_CLIENT_ID="<service_principal_app_id>"
$env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
$env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
$env:ARM_CLIENT_SECRET="<service_principal_password>"

  2. Verify the variables:

    Get-ChildItem env:ARM_*

  3. Persist variables for all sessions: Add the export lines to your PowerShell profilearrow-up-right.

hashtag
Real-Life DevOps Example: GitHub Actions

Store your Service Principal credentials as GitHub Actions secrets, then use them in your workflow:

hashtag
Best Practices

  • Never hardcode credentials in your Terraform code or repository

  • Use environment variables or secret managers for sensitive values

  • Rotate Service Principal credentials regularly

  • Grant only the minimum RBAC permissions needed

hashtag
References

Tip: For passwordless authentication in CI/CD, consider using OIDC with GitHub Actions or Azure Pipelines.

hashtag
Add to SUMMARY.md

PreviousService Principal in blockNextAWS Scenarios

Last updated