-
Notifications
You must be signed in to change notification settings - Fork 4.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Error building AzureRM Client" with device login #7289
Comments
Just upgraded the Anything I can do to check the |
I'm thinking this could be similar to:
We do have multiple subscriptions. And I believe I may have recently been added to a new subscription, presumably with the same tenant, which may have triggered this bug? |
I think I finally found the problem. A colleague had set ARM_CLIENT_SECRET in our CI, e.g. stored outside our codebase (in GitLab CI project settings), when he was working with Service Principals in another branch. Apparently our production branch was inferring credential mechanisms based on that, and failing. Close? Or can the terraform output be improved to inform us that it has found this variable and intends to use it? |
hey @degerrit Thanks for opening this issue. When running in CloudShell Terraform uses MSI rather than the Azure CLI for authentication - which is why this behaviour is different. Terraform has a list of supported authentication methods which get tried in turn (if enabled) (shared by both the Azure Backend and the Azure Provider) - as such we'll work down the list working through when whilst we find one. In this instance, since we're logging There's been some changes to the way that the Azure CLI authentication works throughout the 1.x lifecycle, where we've gone from parsing the It's worth noting that the behaviour of the Azure CLI is unpredictable when being run in a headless environment (for example, we frequently see spurious output from the Azure CLI) - whilst this may work as expected when fully configured (for example, configuring any preferences such as data collection for the Azure CLI prior to running Terraform), since this behaviour can change under-our-feet unfortunately this isn't something we officially support when running in an automated environment (although I can understand your use-case). Since this should be fixed by removing the Client Secret being used here - I'm going to close this issue for the moment - but should you have further questions I believe you should be able to get an answer for this using one of the Community Resources. Thanks! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks! |
We've been using terraform from within our CI for a year or two, using device code (since our CI cannot open a browser window).
(We're not using Service Principals in the
apply
stage, instead relying on the user authentication of the DevOps engineer who takes ownership for the change)Since a month or so, this (unchanged) setup is broken -
Error building AzureRM Client
. We upgraded to the latest terraform and latest 1.x azurerm provider, to no avail. This happens on multiple subscriptions (which are corporately managed).az
commands definitely work in our CI (incl write operations) - so we are definitely logged in properly using device code and there is successful communication with the Azure API.But
terraform
fails to use those same credentials properly now, for some new reason.Additional testing shows that the exact same terraform config works in Azure's cloud shell. Same user, same terraform versions, same config, and same remote backend (terraform state). The only difference I see is our CI's location (behind a proxy) and its use of device login.
Or, maybe, the Azure API behaves differently, and introduced a breaking change for this combination of terraform and device login.
I obviously lack additional debug output from a successful run in our CI for comparison (i.e. from a month ago).
Comparing debug logs, the main differences I see between success and failure is the missing line
Using Managed Service Identity for Authentication
in the CI run, which is present in the successful Azure cloud shell run.Following that missing line, it seems terraform assumes (and fails) to use a service principal.
How does terraform poll what authentication method(s) are available?
Community Note
Terraform (and AzureRM Provider) Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Working Azure Shell terraform run
Broken CI terraform run:
Expected Behavior
Terraform should use the saved az authentication.
Actual Behavior
Terraform could not authenticate.
Steps to Reproduce
az login --use-device-code
terraform plan
Important Factoids
References
The text was updated successfully, but these errors were encountered: