Remote state listing keys requires az default subscription set #29425

Open
drdamour opened this issue Jan 6, 2020 · 14 comments · May be fixed by #33461

@drdamour

drdamour commented Jan 6, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

> terraform -v
Terraform v0.12.18
+ provider.azuread v0.7.0
+ provider.azurerm v1.39.0
+ provider.null v2.1.2

Affected Resource(s)

azurerm provider

Terraform Configuration Files

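  terraform {
    # Remote state backend (azurerm)
    backend "azurerm" {
      resource_group_name  = "grpX"
      storage_account_name = "accX"
      container_name       = "cntX"
      key                  = "keyX"
    }
  }

  provider "azurerm" {
    # Subscription set explicitly on the provider (b1 in the steps below)
    subscription_id = "<myid>"
  }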

Debug Output

N/A

Panic Output

N/A

Expected Behavior

TF should attempt to retrieve keys for the subscription identified in the azurerm provider configuration explicitly.

Actual Behavior

TF attempts to retrieve keys for the default subscription of the Azure CLI.

Steps to Reproduce

  1. have an account with access to 2 subscriptions a1 and b1
  2. have tf that has b1 as the subscription with the remote state
  3. login with the az cli
  4. az account set -s a1
  5. terraform init

You'll get an error about not being able to retrieve keys. Running the following works around the issue.

  1. az account set -s b1
  2. terraform init
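
The workaround above (point the az CLI at the subscription that holds the state storage account before `terraform init`) can be turned into a pre-flight check. This is an added example, not part of the original issue or of Terraform's code; the function names and passing the expected subscription ID as an argument are assumptions for illustration.

```shell
#!/bin/sh
# Pre-flight check (added example): confirm the az CLI default subscription
# is the one holding the remote-state storage account before `terraform init`.

# Print the az CLI's current default subscription ID, lower-cased.
# Prints nothing if az is not logged in or the call fails.
active_subscription() {
    az account show --query id --output tsv 2>/dev/null \
        | tr '[:upper:]' '[:lower:]' | tr -d '\r'
}

# check_backend_subscription EXPECTED_ID
# Returns 0 on match, 1 on mismatch, 2 if az has no active subscription,
# 64 if no expected ID was given.
check_backend_subscription() {
    expected=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')
    if [ -z "$expected" ]; then
        echo "usage: check_backend_subscription <subscription-id>" >&2
        return 64
    fi
    active=$(active_subscription)
    if [ -z "$active" ]; then
        echo "az CLI has no active subscription; run 'az login' first" >&2
        return 2
    fi
    if [ "$active" != "$expected" ]; then
        echo "az CLI default subscription is $active, backend expects $expected" >&2
        echo "fix with: az account set -s $expected" >&2
        return 1
    fi
    return 0
}

# guarded_init EXPECTED_ID [terraform init args...]
# Runs `terraform init` only when the az CLI context matches EXPECTED_ID.
guarded_init() {
    check_backend_subscription "${1:-}" || return $?
    shift
    terraform init "$@"
}
```

Source the file and call `guarded_init <subscription-id-of-b1>` in place of a bare `terraform init`; GUIDs are compared case-insensitively.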


@favoretti

Since this issue was reported a long time ago and relates to a version of the provider we no longer support, I'm going to close it. Please open a new, updated bug report on current versions of Terraform and the provider if this is still relevant. Thank you.

@drdamour
Author

@favoretti this is still an issue with the latest version; can we please just reopen?

@favoretti

@drdamour Certainly. Apologies for closing too early.

favoretti reopened this Aug 19, 2021
tombuildsstuff transferred this issue from hashicorp/terraform-provider-azurerm Aug 20, 2021

@tombuildsstuff
Member

Transferring this to Core since Backends are located within the Core repository, so this documentation issue needs to be fixed here.

@hakanbakacak

hakanbakacak commented Sep 19, 2021

Hi, I want to contribute to this, but even though I read the docs, I couldn't fully understand the situation. I wonder if we should create a new field in this document and give information about the CLI? @tombuildsstuff

@eladmosh

eladmosh commented Feb 10, 2022

If you look here, it doesn't say that the subscription_id is only for SP and MSI; it's just pointless to use it when authenticating using Azure CLI, since it will use the Azure CLI subscription anyway, which is exactly what happened here. It tried to search for the keys in the Azure CLI subscription_id and couldn't find it.
So I'm not sure what the problem is; it seems like expected behavior when authenticating using Azure CLI.

@drdamour
Author

drdamour commented Apr 4, 2022

@eladmosh Yes, this ticket is to request it be changed to use the subscription in the provider block so you do NOT have to set the matching subscription with az cli prior to running a terraform init. The backend block knows what subscription is supposed to be used, so why not use that info? Or maybe allow setting the subscription ID for az cli based authentication.

@varshneydevansh

I would like to look into this problem, as most of the data for where to look for the related files is already provided.

@favoretti could you please assign this to me?

To reproduce – have an account with access to 2 subscriptions a1 and b1 (for this do I have to create an Azure account?)

@crw
Collaborator

crw commented Jun 22, 2023

@varshneydevansh This is listed as a documentation issue; as far as I understand, there is no code issue to investigate. You can make a change to the docs and file a PR without this issue being assigned. Thanks!

@varshneydevansh

Hi @crw,

Thanks for the clarification. So, I looked into this and understood that the subscription_id parameter in the azurerm backend is only documented to work with Service Principal and MSI-based authentication methods, but does not mention how to use it with Azure CLI-based authentication.

So, updating the azurerm backend documentation with guidance on how to use the subscription_id parameter with Azure CLI-based authentication could help clarify this situation.

All I have to do is add an explanation of how the subscription_id parameter can be used with Azure CLI authentication, with some clear examples. This is to avoid issues caused by Terraform attempting to retrieve keys for the default subscription of the Azure CLI.

Am I going in the right direction?

@crw
Collaborator

crw commented Jun 26, 2023

Hi @varshneydevansh, I have referred this over to the AzureRM provider team who may provide more feedback. Thanks!

@rcskosir

Hi @varshneydevansh, thank you for your interest in this issue. We handle discussions related to code and document changes within the PR comments itself, so if you could open a PR with the docs changes you are looking to make and link this issue to it, you will be able to get feedback on your changes.

varshneydevansh added a commit to varshneydevansh/terraform that referenced this issue Jun 30, 2023
Issue> Remote state listing keys requires az default subscription set hashicorp#29425

The subscription_id parameter is used to specify the Azure subscription ID where the storage account is located. When using Azure CLI-based authentication, this parameter can be set to the desired subscription ID, ensuring Terraform uses that subscription instead of the default one set in the Azure CLI context.

This would assist users in understanding how to avoid potential issues when Terraform attempts to retrieve keys from the default Azure CLI subscription, which might not have the necessary keys if they are located in a different subscription.

@varshneydevansh

Hi @rcskosir,

I created the PR #33461. I wanted to know whether the update which I made is correct or not?

@rcskosir

rcskosir commented Jul 5, 2023

@varshneydevansh
Thank you for opening a PR. Feedback regarding your PR will happen in the PR comments when a reviewer takes a look.
