data.azurerm_client_config.current.object_id empty in Azure Cloud Shell #6310

Closed
geekzter opened this issue Mar 31, 2020 · 7 comments

@geekzter

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

terraform -v 
Terraform v0.12.24
+ provider.azurerm v2.3.0

Affected Resource(s)

  • azurerm_client_config (data)

Terraform Configuration Files

provider "azurerm" {
    version = "~> 2.0" 
    features {}
}

data azurerm_client_config current {}

output client_object_id {
    value = data.azurerm_client_config.current.object_id
}
output client_tenant_id {
    value = data.azurerm_client_config.current.tenant_id
}

Debug Output

Panic Output

Expected Behavior

Outputs:

client_object_id = 00000000-0000-0000-0000-000000000000
client_tenant_id = 00000000-0000-0000-0000-000000000000

Actual Behavior

Outputs:

client_object_id = 
client_tenant_id = 00000000-0000-0000-0000-000000000000

Steps to Reproduce

  1. terraform init
  2. terraform apply

Important Factoids

This only happens when run from Azure Cloud Shell (shell.azure.com)

az account show
{
  "environmentName": "AzureCloud",
  "homeTenantId": "00000000-0000-0000-0000-000000000000",
  "id": "00000000-0000-0000-0000-000000000000",
  "isDefault": true,
  "managedByTenants": [],
  "name": "Subscription Name",
  "state": "Enabled",
  "tenantId": "00000000-0000-0000-0000-000000000000",
  "user": {
    "cloudShellID": true,
    "name": "me@domain.com",
    "type": "user"
  }
}

References

@dvob
Contributor

dvob commented May 1, 2020

It seems that there is the same issue when a managed identity is used for authentication.
I guess this comment refers to this problem?

@geekzter
Author

geekzter commented May 1, 2020

Yes, that appears to be the same problem. I was logged in as a user though; Cloud Shell manages that. This does get the object id in that case:

data external account_info {
  program                      = [
                                 "az",
                                 "ad",
                                 "signed-in-user",
                                 "show",
                                 "--query",
                                 "{object_id:objectId}",
                                 "-o",
                                 "json",
                                 ]
}
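
The workaround in the comment above, combined with the provider value so the Azure CLI result is only a fallback. This is an added example, not part of the original comment or the provider's code; the local name `client_object_id` is hypothetical, and it assumes an Azure CLI version that exposes `objectId` (as in the comment) and a session where `az ad signed-in-user show` succeeds:

```hcl
provider "azurerm" {
  version = "~> 2.0"
  features {}
}

data "azurerm_client_config" "current" {}

# Workaround from the comment above: ask the Azure CLI for the signed-in
# user's object id. The external data source runs on every plan, so this
# only works where a user session exists (for example Cloud Shell).
data "external" "account_info" {
  program = [
    "az", "ad", "signed-in-user", "show",
    "--query", "{object_id:objectId}",
    "-o", "json",
  ]
}

locals {
  # coalesce() returns the first argument that is neither null nor an
  # empty string, so the provider value wins whenever it is populated.
  # If both are empty, coalesce() raises an error and the plan stops
  # instead of passing an empty principal id to downstream resources.
  client_object_id = coalesce(
    data.azurerm_client_config.current.object_id,
    data.external.account_info.result.object_id
  )
}

output "client_object_id" {
  value = local.client_object_id
}

output "client_tenant_id" {
  value = data.azurerm_client_config.current.tenant_id
}
```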

@mehdi-ichka

I have the exact same issue

@ghost

ghost commented Oct 6, 2020

I get the same issue from a VM authenticating with MSI.

> It seems that there is the same issue when a managed identity is used for authentication.
> I guess this comment refers to this problem?

The feature they are waiting on was implemented in this commit hashicorp/go-azure-helpers@c443704 - so I think that someone just needs to get them to change the code.

@LoicGombeaud
Contributor

@JoeSainsburys in the commit you linked to, the GetAuthenticatedObjectID method is not implemented for MSI: hashicorp/go-azure-helpers@c443704#diff-f43fc9c83cbbbb2c45248e751f3fe26a6321d326ef2cfb5c9759ffa8d2108266

There is another related issue about this: #7787

@tombuildsstuff
Member

👋

CloudShell utilizes MSI authentication, which is the root-cause of this bug - as such I'm going to close this in favour of #7787 which is tracking that issue, would you mind subscribing to that issue for updates?

Thanks!

@ghost

ghost commented Feb 17, 2021

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@hashicorp hashicorp locked as resolved and limited conversation to collaborators Feb 17, 2021