Authenticate Terraform to Azure

To use Terraform commands against your Azure subscription, you must first authenticate Terraform to that subscription. This article covers some common scenarios for authenticating to Azure.

Using Bash:

  1. To create a service principal, sign in to Azure.

  2. If you're creating a service principal from Git Bash, set the MSYS_NO_PATHCONV environment variable. (This step isn't necessary if you're using Cloud Shell.)

     export MSYS_NO_PATHCONV=1

     Key points:

     • You can set the MSYS_NO_PATHCONV environment variable globally (for all terminal sessions) or locally (for just the current session). As creating a service principal isn't something you do often, the sample sets the value for the current session only. To set this environment variable globally, add the setting to the ~/.bashrc file.

  3. To create a service principal, run az ad sp create-for-rbac.

     az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>

     Key points:

     • You can replace <service_principal_name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.

     • Upon successful completion, az ad sp create-for-rbac displays several values. The appId, password, and tenant values are used in the next step.

     • The password can't be retrieved if lost. As such, you should store your password in a safe place.

     • For this article, a service principal with the Contributor role is being used. For more information, see the documentation on Azure role-based access control (RBAC) roles.

     • The output from creating the service principal includes sensitive credentials. Be sure that you don't include these credentials in your code or check the credentials into your source control.
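The following script is an added example; it is not part of the Azure documentation or the Terraform project. It shows the step that follows the procedure above: taking the appId, password, and tenant values that az ad sp create-for-rbac prints and handing them to Terraform through the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID environment variables, which are the variables the Terraform azurerm provider reads (the variable names come from the provider's documented behaviour, not from this page). The GUIDs and secret in the sample JSON are constructed placeholders, and the function names (json_field, export_terraform_sp_env, check_terraform_sp_env) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Azure docs or Terraform): expose the service
# principal that `az ad sp create-for-rbac` printed to Terraform as the ARM_*
# environment variables the azurerm provider reads, without writing the
# secret to a file, a .tf file, or a command line of a separate process.

# Pull one top-level string field out of the flat JSON object az returns.
# $1 = field name; JSON arrives on stdin. Prints the value, or nothing if absent.
json_field() {
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export the ARM_* variables from the service-principal JSON.
# $1 = subscription ID (the az output doesn't include it), $2 = the JSON text.
# Passing the JSON to a shell function spawns no process, so the secret never
# shows up in a process listing. Returns 1 if any required field is missing.
export_terraform_sp_env() {
    subscription_id=$1
    json=$2
    app_id=$(printf '%s\n' "$json" | json_field appId)
    secret=$(printf '%s\n' "$json" | json_field password)
    tenant=$(printf '%s\n' "$json" | json_field tenant)
    if [ -z "$app_id" ] || [ -z "$secret" ] || [ -z "$tenant" ] || [ -z "$subscription_id" ]; then
        echo "export_terraform_sp_env: appId, password, tenant or subscription ID missing" >&2
        return 1
    fi
    export ARM_CLIENT_ID="$app_id"
    export ARM_CLIENT_SECRET="$secret"
    export ARM_TENANT_ID="$tenant"
    export ARM_SUBSCRIPTION_ID="$subscription_id"
}

# Verify that every variable Terraform needs is present before running
# `terraform init`/`plan`; names of missing variables go to stderr, never values.
# Returns 0 when complete, 1 otherwise.
check_terraform_sp_env() {
    missing=""
    for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "check_terraform_sp_env: missing$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of the az output; GUIDs and secret are placeholders.
SAMPLE_SP_JSON='{
  "appId": "00000000-0000-0000-0000-00000000aaaa",
  "displayName": "terraform-sp",
  "password": "PLACEHOLDER-secret-value",
  "tenant": "00000000-0000-0000-0000-00000000bbbb"
}'
SAMPLE_SUBSCRIPTION_ID="00000000-0000-0000-0000-00000000cccc"

# In a real session the JSON comes straight from az, captured into a variable:
#   sp_json=$(az ad sp create-for-rbac --name <service_principal_name> \
#       --role Contributor --scopes /subscriptions/<subscription_id>)
#   export_terraform_sp_env "<subscription_id>" "$sp_json"
# Here the constructed sample stands in for that output.
export_terraform_sp_env "$SAMPLE_SUBSCRIPTION_ID" "$SAMPLE_SP_JSON"
check_terraform_sp_env
```

Once the ARM_* variables are set, the azurerm provider block in your Terraform configuration needs no client_id, client_secret, or tenant_id arguments at all, which is what keeps the credentials out of the .tf files and out of source control as the key points above require. The check function is useful in CI pipelines, where a missing variable otherwise surfaces only as a confusing provider error.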

Using PowerShell:

  1. Open a PowerShell prompt and run Connect-AzAccount to sign in to Azure.

     Connect-AzAccount

     Key points:

     • Upon successful sign-in, Connect-AzAccount displays information about the default subscription.

     • Make note of the TenantId as it's needed to use the service principal.

  2. To confirm the current Azure subscription, run Get-AzContext.

     Get-AzContext

  3. To view all enabled Azure subscriptions for the logged-in Microsoft account, run Get-AzSubscription.

     Get-AzSubscription

  4. To use a specific Azure subscription, run Set-AzContext.

     Set-AzContext -Subscription "<subscription_id_or_subscription_name>"

     Key points:

     • Replace the <subscription_id_or_subscription_name> placeholder with the ID or name of the subscription you want to use.

  5. Run New-AzADServicePrincipal to create a new service principal.

     $sp = New-AzADServicePrincipal -DisplayName <service_principal_name> -Role "Contributor"

     Key points:

     • You can replace <service_principal_name> with a custom name for your environment or omit the parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.

     • The Contributor role is being used. For more information, see the documentation on Azure role-based access control (RBAC) roles.

  6. Display the service principal application ID.

     $sp.AppId

     Key points:

     • Make note of the service principal application ID as it's needed to use the service principal.

  7. Display the autogenerated password as plain text.

     $sp.PasswordCredentials.SecretText

     Key points:

     • Make note of the password as it's needed to use the service principal.

     • The password can't be retrieved if lost. As such, you should store your password in a safe place. If you forget your password, you can reset the service principal credentials.
