
Terraform provider error with user managed identity #24172

Closed
1 task done
roshanp85 opened this issue Dec 9, 2023 · 7 comments

Comments

@roshanp85

roshanp85 commented Dec 9, 2023

Is there an existing issue for this?

  • I have searched the existing issues

I am trying to use user managed identities to initialize and plan for a resource group creation. The identity has Contributor access on the given subscription, inside the Azure tenant (public). But for some reason, I am getting the below error.

Terraform Version

1.6.5

AzureRM Provider Version

3.0.0

Affected Resource(s)/Data Source(s)

provider "azurerm"

Terraform Configuration Files

terraform {
  required_version = ">= 1.0.2"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.0.0"   # exact pin to 3.0.0
    }
  }
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  client_id       = var.client_id   # client ID of the user-assigned identity
  tenant_id       = var.tenant_id
  use_msi         = true            # authenticate via the Azure IMDS managed-identity endpoint
}

Debug Output/Panic Output

Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/+=+=+=+=+=+=+=+/providers?api-version=2016-02-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id==+=+=+=+=+=+&resource=https%3A%2F%2Fmanagement.azure.com
│
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on version.tf line 12, in provider "azurerm":
│   12: provider "azurerm" {

Expected Behaviour

Terraform plan should be able to show the plan.

Actual Behaviour

Error is mentioned above.

Steps to Reproduce

terraform plan

Important Factoids

No response

References

No response

@github-actions github-actions bot added the v/3.x label Dec 9, 2023
@roshanp85
Author

Please note this is a user-assigned identity.

@magodo
Collaborator

magodo commented Dec 11, 2023

From the error message:

Original Error: adal: Refresh request failed.

It seems somehow the provider is still using the deprecated ADAL token, sending request against the deprecated endpoint /identity/oauth2/token (instead of /identity/oauth2/v2.0/token).

From my understanding, this shouldn't be the case for the latest provider. So would you mind double-checking that you are using the latest version of the provider?
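The error body above comes from the Azure Instance Metadata Service (IMDS), not from the provider itself, so it is worth reproducing the same token request outside Terraform before deciding whether the provider version or the identity assignment is at fault. The script below is an added example, not code from the issue or from the azurerm provider. It assumes the documented IMDS managed-identity endpoint (http://169.254.169.254/metadata/identity/oauth2/token, api-version 2018-02-01, header "Metadata: true") and the same query parameters visible in the failing request; the client ID used in the usage line and the sample responses are constructed for illustration. IMDS answers "Identity not found" when the user-assigned identity named by client_id is not attached to the VM or VMSS the request comes from (or the client ID is wrong); if this script obtains a token but Terraform does not, the provider is the remaining suspect.

```python
"""Reproduce the azurerm provider's IMDS token request for a user-assigned identity.

Added example, not part of the issue or of the provider. Assumes the documented
Azure IMDS endpoint and parameters; client IDs and sample bodies are constructed.
"""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"
ARM_RESOURCE = "https://management.azure.com"  # same resource as in the failing request


def build_imds_request(client_id=None, resource=ARM_RESOURCE):
    """Return (url, headers) for a managed-identity token request.

    Without client_id IMDS uses the system-assigned identity; with it, the
    user-assigned identity with that client ID, which must be attached to the
    compute resource the request is made from.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests that lack this header (mitigation against SSRF).
    return url, {"Metadata": "true"}


def classify_imds_response(status, body):
    """Map an IMDS HTTP status and body to an actionable diagnosis string."""
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        payload = {}
    if status == 200 and "access_token" in payload:
        return "ok"
    description = str(payload.get("error_description", ""))
    if status == 400 and "identity not found" in description.lower():
        # The identity is not assigned to this VM/VMSS, or client_id is wrong:
        # fix the identity assignment rather than the provider.
        return "identity_not_assigned"
    if status == 400 and payload.get("error") == "invalid_request":
        return "bad_request"
    if status in (0, 404):
        # Not running on Azure compute, or IMDS unreachable: use_msi cannot work here.
        return "no_imds"
    return "unknown"


def fetch_token(client_id=None, resource=ARM_RESOURCE, timeout=5):
    """Make the live IMDS call and return (status, body) without raising."""
    url, headers = build_imds_request(client_id, resource)
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, response.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
    except urllib.error.URLError:
        return 0, ""


# Constructed sample responses (not captured from a real VM); the first mirrors
# the body quoted in the issue.
SAMPLE_NOT_FOUND = (400, '{"error":"invalid_request","error_description":"Identity not found"}')
SAMPLE_OK = (200, '{"access_token":"eyJ...","expires_in":"3599","token_type":"Bearer"}')

if __name__ == "__main__":
    # Usage on the VM: python3 imds_check.py <client-id-of-user-assigned-identity>
    cid = sys.argv[1] if len(sys.argv) > 1 else None
    status, body = fetch_token(cid)
    print(status, classify_imds_response(status, body), body[:200])
```

Run it on the same VM Terraform runs on, passing the client_id from the provider block. A result of identity_not_assigned means the identity is not attached to that VM (check the VM's identity settings and the client ID), ok means IMDS can mint a token for the Resource Manager audience and any remaining failure is in the provider's token handling, and no_imds means the host is not Azure compute, where use_msi cannot succeed at all.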

@roshanp85
Author

I am using 3.0.0 of the terraform provider.

@rcskosir
Contributor

@roshanp85 Thank you for opening this issue. Are you able to upgrade to the latest version of the provider (v3.84.0 as of this comment) to see if the issue resolves? As noted by @magodo the latest provider shouldn't be using the deprecated ADAL token.

@roshanp85
Author

Thank you. That was the problem. I’m getting a different error, but that’s an expected one. I think this is working fine now.

@rcskosir
Contributor

@roshanp85 Glad upgrading to latest was able to help. I am going to mark this issue as closed.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 29, 2024