DevOps help for Azure Platform Engineers

Authenticate Terraform to Azure

To use Terraform commands against your Azure subscription, you must first authenticate Terraform to that subscription. This article covers some common scenarios for authenticating to Azure.

PreviousAzure NextSpecify service principal credentials in environment variables

Last updated 1 year ago

Authenticate Terraform to Azure

To use Terraform commands against your Azure subscription, you must first authenticate Terraform to that subscription. This article covers some common scenarios for authenticating to Azure.

Using bash:

To create a service principal, sign in to Azure. A
If you're creating a service principal from Git Bash, set the MSYS_NO_PATHCONV environment variable. (This step isn't necessary if you're using Cloud Shell.)
BashCopy
```
export MSYS_NO_PATHCONV=1    
```
Key points:
- You can set the MSYS_NO_PATHCONV environment variable globally (for all terminal sessions) or locally (for just the current session). As creating a service principal isn't something you do often, the sample sets the value for the current session. To set this environment variable globally, add the setting to the ~/.bashrc file.
To create a service principal, run .

Azure CLICopy

az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>

Key points:
- You can replace the <service-principal-name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
- Upon successful completion, az ad sp create-for-rbac displays several values. The appId, password, and tenant values are used in the next step.
- The password can't be retrieved if lost. As such, you should store your password in a safe place.
- For this article, a service principal with a Contributor role is being used. For more information about Role-Based Access Control (RBAC) roles.
- The output from creating the service principal includes sensitive credentials. Be sure that you don't include these credentials in your code or check the credentials into your source control.

Using Powershell:

Open a PowerShell prompt.

PowerShellCopy

Connect-AzAccount

Key points:

Upon successful sign in, Connect-AzAccount displays information about the default subscription.
Make note of the TenantId as it's needed to use the service principal.

PowerShellCopy

Get-AzContext

Azure CLICopy

Get-AzSubscription

PowerShellCopy

Set-AzContext -Subscription "<subscription_id_or_subscription_name>"

Key points:

Replace the <subscription_id_or_subscription_name> placeholder with the ID or name of the subscription you want to use.

PowerShellCopy

$sp = New-AzADServicePrincipal -DisplayName <service_principal_name> -Role "Contributor"

Key points:

You can replace the <service-principal-name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
The Contributor role is being used. For more information about Role-Based Access Control (RBAC) roles.

Display the service principal ID.

PowerShellCopy

$sp.AppId

Key points:

Make note of the service principal application ID as it's needed to use the service principal.

Get the autogenerated password to text.

PowerShellCopy

$sp.PasswordCredentials.SecretText

Key points:
- Make note of the password as it's needed to use the service principal.

PreviousAzure NextSpecify service principal credentials in environment variables

Last updated 1 year ago

Using bash:

To create a service principal, sign in to Azure. A
If you're creating a service principal from Git Bash, set the MSYS_NO_PATHCONV environment variable. (This step isn't necessary if you're using Cloud Shell.)
BashCopy
```
export MSYS_NO_PATHCONV=1    
```
Key points:
- You can set the MSYS_NO_PATHCONV environment variable globally (for all terminal sessions) or locally (for just the current session). As creating a service principal isn't something you do often, the sample sets the value for the current session. To set this environment variable globally, add the setting to the ~/.bashrc file.
To create a service principal, run .

Azure CLICopy

az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>

Key points:
- You can replace the <service-principal-name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
- Upon successful completion, az ad sp create-for-rbac displays several values. The appId, password, and tenant values are used in the next step.
- The password can't be retrieved if lost. As such, you should store your password in a safe place.
- For this article, a service principal with a Contributor role is being used. For more information about Role-Based Access Control (RBAC) roles.
- The output from creating the service principal includes sensitive credentials. Be sure that you don't include these credentials in your code or check the credentials into your source control.

Using Powershell:

Open a PowerShell prompt.
Run .

PowerShellCopy

Connect-AzAccount

Key points:

Upon successful sign in, Connect-AzAccount displays information about the default subscription.
Make note of the TenantId as it's needed to use the service principal.

To confirm the current Azure subscription, run .

PowerShellCopy

Get-AzContext

To view all enabled Azure subscriptions for the logged-in Microsoft account, run .

Azure CLICopy

Get-AzSubscription

To use a specific Azure subscription, run .

PowerShellCopy

Set-AzContext -Subscription "<subscription_id_or_subscription_name>"

Key points:

Replace the <subscription_id_or_subscription_name> placeholder with the ID or name of the subscription you want to use.

Run to create a new service principal.

PowerShellCopy

$sp = New-AzADServicePrincipal -DisplayName <service_principal_name> -Role "Contributor"

Key points:

You can replace the <service-principal-name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
The Contributor role is being used. For more information about Role-Based Access Control (RBAC) roles.

Display the service principal ID.

PowerShellCopy

$sp.AppId

Key points:

Make note of the service principal application ID as it's needed to use the service principal.

Get the autogenerated password to text.

PowerShellCopy

$sp.PasswordCredentials.SecretText

Key points:
- Make note of the password as it's needed to use the service principal.
- The password can't be retrieved if lost. As such, you should store your password in a safe place. If you forget your password, you can .