terraform plan fails with ARM_name environment variables. #8444

Closed
changeworld opened this issue Aug 24, 2016 · 11 comments
Labels
bug provider/azurerm waiting-response An issue/pull request is waiting for a response from the community

Comments

changeworld commented Aug 24, 2016

Terraform Version

0.7.1

Affected Resource(s)

Please list the resources as a list, for example:

  • azurerm_resource_group
  • azurerm_virtual_network

Terraform Configuration Files

changeworld/terraform-azure@e085b90

Debug Output

No output.

Expected Behavior

Read environment variables.

Actual Behavior

Don't read environment variables.

Steps to Reproduce

In accordance with the following procedure
https://www.terraform.io/docs/providers/azurerm/

  1. export ARM_SUBSCRIPTION_ID=azure_subscription_id
    export ARM_CLIENT_ID=azure_client_id
    export ARM_CLIENT_SECRET=azure_client_secret
    export ARM_TENANT_ID=azure_tenant_id
  2. terraform plan
    =>Output Credentials for acessing the Azure Resource Manager API are likely to be incorrect, or the service principal does not have permission to use the Azure Service Management API.

It works with the following procedure.
There might be errors in the document.

  1. export TF_VAR_subscription_id=azure_subscription_id
    export TF_VAR_client_id=azure_client_id
    export TF_VAR_client_secret=azure_client_secret
    export TF_VAR_tenant_id=azure_tenant_id
  2. terraform plan
@stack72
Contributor

stack72 commented Aug 24, 2016

hi @changeworld

Are these credentials correct? How did you generate them? We have a guide here that we have tested extensively for successful generation

Credentials for accessing the Azure Resource Manager API are likely to be incorrect, or the service principal does not have permission to use the Azure Service Management API.

This part of the error suggests that the credentials have been read successfully but are not working as expected

Thanks

Paul

@changeworld
Author

changeworld commented Aug 24, 2016

Hi @stack72

> Are these credentials correct?

Correct. TF_VAR_subscription_id value = ARM_SUBSCRIPTION_ID value, TF_VAR_client_id value = ARM_CLIENT_ID value, other values too.

> How did you generate them?

Here's Creating Credentials.

> This part of the error suggests that the credentials have been read successfully but are not working as expected

Hmm .....

$ ls -a
.       ..      .git        .gitignore  LICENSE     README.md   azure.tf
$ env | grep ARM
$ env | grep TF_VAR
$ terraform -v
Terraform v0.7.1

There is no terraform.tfvars as described above, and the environment variables (ARM_name and TF_VAR_name) are also not set.
But.

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* Credentials for acessing the Azure Resource Manager API are likely to be incorrect, or
  the service principal does not have permission to use the Azure Service Management
  API.

When there are no environment variables and input values, the above error will occur.

Thanks

@vikash009

Hi,
I am facing the same issue. My tf file is:

<<

# Configure the Microsoft Azure Provider
provider "azurerm" {
  subscription_id = "xxxx"
  client_id       = "xxxx"
  client_secret   = "xxxxx"
  tenant_id       = "xxxx"
}

# create a resource group
resource "azurerm_resource_group" "terra-test" {
  name     = "terraformtest"
  location = "West US"
}

The above credentials are right, because from the CLI I have tried to change the ownership of the service principal. It worked fine.

<< Command used >>
ubuntu@salt:~/TERRAFORM/azure$ azure ad sp create -n exampleappterra -p terra1234
info: ad sp create command OK

ubuntu@salt:~/TERRAFORM/azure$ azure role assignment create --objectId 123456666 -o Reader -c /subscriptions/3122w2a33qrq/
info: Executing command role assignment create

info: role assignment create command OK

ubuntu@salt:~/TERRAFORM/azure$ azure account show -s 3122w2a33qrq

info: account show command OK

ubuntu@salt:~/TERRAFORM/azure$ azure login -u <client_id> --service-principal --tenant <tenant_id>
info: Executing command login
Password: *********
/info: Added subscription xyz-subscription
+
info: login command OK
ubuntu@salt:~/TERRAFORM/azure$ ls
<< /Command used >>

Please take a look. And suggest something.

@stack72
Contributor

stack72 commented Nov 9, 2016

Hi @vikash009 and @changeworld

Please can you tell me if your credentials allow you to run the following command:

azure group create --name mytestrg --location westus

That will tell you if your credentials are correct

P.

@changeworld
Author

changeworld commented Nov 9, 2016

I ran the following command:

$ terraform -v
Terraform v0.7.1
$ azure group create --name mytestrg --location westus
info:    Executing command group create
+ Getting resource group mytestrg                                              
+ Creating resource group mytestrg                                             
info:    Created resource group mytestrg
data:    Id:                  /subscriptions/[my-subscriptions-id]/resourceGroups/mytestrg
data:    Name:                mytestrg
data:    Location:            westus
data:    Provisioning State:  Succeeded
data:    Tags: null
data:    
info:    group create command OK
$ 

@stack72
Contributor

stack72 commented Nov 9, 2016

Thanks for the confirmation - I notice that you are on a version of Terraform quite a few releases back. I am sure this bug won't still be there in the latest version

I personally run the tests with ARM_ env vars and so does our acceptance test framework

Please let me know how you get on

Paul

@changeworld
Author

I ran the following commands:
The Terraform configuration files I use are changeworld/terraform-azure@e085b90

$ terraform -v
Terraform v0.7.9

$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* Credentials for accessing the Azure Resource Manager API are likely to be incorrect, or
  the service principal does not have permission to use the Azure Service Management
  API.
$ export ARM_SUBSCRIPTION_ID=aaa
$ export ARM_CLIENT_SECRET=bbb
$ export ARM_TENANT_ID=ccc
$ export ARM_CLIENT_ID=ddd
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.

Error refreshing state: 1 error(s) occurred:

* Credentials for accessing the Azure Resource Manager API are likely to be incorrect, or
  the service principal does not have permission to use the Azure Service Management
  API.
$ export TF_VAR_subscription_id=aaa
$ export TF_VAR_client_secret=bbb
$ export TF_VAR_tenant_id=ccc
$ export TF_VAR_client_id=ddd
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but
will not be persisted to local or remote state storage.


The Terraform execution plan has been generated and is shown below.
Resources are shown in alphabetical order for quick scanning. Green resources
will be created (or destroyed and then created if an existing resource
exists), yellow resources are being changed in-place, and red resources
will be destroyed. Cyan entries are data sources to be read.

Note: You didn't specify an "-out" parameter to save this plan, so when
"apply" is called, Terraform can't guarantee this is what will execute.

+ azurerm_resource_group.test
    location: "westus"
    name:     "Terraform"
    tags.%:   "<computed>"

+ azurerm_virtual_network.test
    address_space.#:                  "1"
    address_space.0:                  "10.0.0.0/16"
    dns_servers.#:                    "2"
    dns_servers.0:                    "10.0.0.4"
    dns_servers.1:                    "10.0.0.5"
    location:                         "westus"
    name:                             "TestTerraformVirtualNetwork"
    resource_group_name:              "Terraform"
    subnet.#:                         "3"
    subnet.1472110187.address_prefix: "10.0.1.0/24"
    subnet.1472110187.name:           "subnet1"
    subnet.1472110187.security_group: ""
    subnet.2796830261.address_prefix: "10.0.2.0/24"
    subnet.2796830261.name:           "subnet2"
    subnet.2796830261.security_group: ""
    subnet.4132282879.address_prefix: "10.0.3.0/24"
    subnet.4132282879.name:           "subnet3"
    subnet.4132282879.security_group: ""
    tags.%:                           "1"
    tags.environment:                 "test"


Plan: 2 to add, 0 to change, 0 to destroy.
$ 
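
The symptom in this thread can be narrowed down before running Terraform at all. The script below is an added example, not part of any participant's comment or of Terraform itself; the variable names come from this issue and the function names (`var_state`, `set_status`, `credential_report`) are hypothetical. It reports by name only whether each ARM_* and TF_VAR_* variable is exported, set only in the current shell, or unset, so the client secret never reaches terminal or CI output the way `env | grep ARM` would print it.

```shell
#!/bin/sh
# Added example (not from the thread). Variable names come from the issue;
# function names are hypothetical.
ARM_VARS="ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID"
TF_VARS="TF_VAR_subscription_id TF_VAR_client_id TF_VAR_client_secret TF_VAR_tenant_id"

# var_state NAME: print "exported", "shell-only" or "unset"; never the value.
# An empty value is reported as "unset".
# NAME is only ever taken from the fixed lists above, so eval is safe here.
var_state() {
    if [ -n "$(printenv "$1" || true)" ]; then
        echo exported        # visible to child processes such as terraform
    elif eval "[ -n \"\${$1:-}\" ]"; then
        echo shell-only      # assigned without export; children never see it
    else
        echo unset
    fi
}

# set_status NAME...: "complete" when every name is exported, otherwise
# "incomplete:" followed by each gap as NAME(state).
set_status() {
    gaps=""
    for name in "$@"; do
        state=$(var_state "$name")
        [ "$state" = exported ] || gaps="$gaps $name($state)"
    done
    if [ -z "$gaps" ]; then echo complete; else echo "incomplete:$gaps"; fi
}

# credential_report: one line per variable family, safe to paste into an issue.
credential_report() {
    # ARM_VARS and TF_VARS are deliberately unquoted so they split into names.
    echo "ARM_*    : $(set_status $ARM_VARS)"
    echo "TF_VAR_* : $(set_status $TF_VARS)"
}

credential_report
```
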

@vikash009

Thanks for the reply.

@paul I was able to run the following command.

azure group create --name mytestrg --location westus

Updating Terraform to the latest version and assigning one extra role, "API Management Service Contributor", has resolved the issue.

@mitchellh
Contributor

Good to hear the issue is resolved. Closing; please let us know if we missed anything. :)

@mynkow

mynkow commented Mar 9, 2017

I have exactly the same issue:
Terraform v0.8.8

the error says does not have authorization to perform action 'Microsoft.Resources/subscriptions/providers/read' over scope

however this is not listed in the Azure documentation

https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles#role-permissions

@ghost

ghost commented Apr 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@ghost ghost locked and limited conversation to collaborators Apr 15, 2020