Terraform supports authenticating to Azure through a Service Principal or the Azure CLI.
We recommend using a Service Principal when running in a shared environment (such as within a CI server/automation) - and authenticating via the Azure CLI when you're running Terraform locally.
NOTE: Authenticating via the Azure CLI is only supported when using a User Account. If you're using a Service Principal (e.g. via az login --service-principal) you should instead authenticate via the Service Principal directly.
When authenticating via the Azure CLI, Terraform will automatically connect to the Default Subscription - this can be changed by using the Azure CLI - and is documented below.
Note: There are multiple versions of the Azure CLI - the latest is the Azure CLI 2.0 (Python), and the older one is the Azure CLI (Node.JS). While Terraform currently supports both, we highly recommend users upgrade to the Azure CLI 2.0 (Python) if possible.
This guide assumes that you have the Azure CLI 2.0 (Python) installed.
Note: If you're using the China, German or Government Azure Clouds - you'll need to first configure the Azure CLI to work with that Cloud. You can do this by running the following with one of the listed Cloud names:
$ az cloud set --name AzureChinaCloud|AzureGermanCloud|AzureUSGovernment
First, log in to the Azure CLI using:
$ az login
This will prompt you to open a web browser, as shown below:
To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code XXXXXXXX to authenticate.
Once logged in - it's possible to list the Subscriptions associated with the account via:
$ az account list
The output (similar to below) will display one or more Subscriptions - with the id field being the Subscription ID.
[
  {
    "cloudName": "AzureCloud",
    "id": "00000000-0000-0000-0000-000000000000",
    "isDefault": true,
    "name": "PAYG Subscription",
    "state": "Enabled",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "user": {
      "name": "[email protected]",
      "type": "user"
    }
  }
]
Note: When authenticating via the Azure CLI, Terraform will automatically connect to the Default Subscription. As such if you have multiple subscriptions on the account, you may need to set the Default Subscription, via:
$ az account set --subscription="SUBSCRIPTION_ID"
Also, if you have been authenticating with a Service Principal and you switch to the Azure CLI, you must null out (unset) the ARM_* environment variables. Failure to do so causes errors to be thrown.
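The following pre-flight check is an added example, not part of the original Terraform documentation: it clears leftover ARM_* variables (printing only their names, never their values) and confirms the Azure CLI session is a User Account before Terraform runs. The function names are hypothetical; the only external command used is az account show with the standard --query and --output options.

```shell
#!/bin/sh
# Added example: pre-flight check before running Terraform with Azure CLI auth.
# Source this file in the shell that will run Terraform, then call: preflight

# Print the names (never the values) of all exported ARM_* variables.
arm_vars_set() {
    env | sed -n 's/^\(ARM_[A-Za-z0-9_]*\)=.*/\1/p'
}

# Unset every exported ARM_* variable in the current shell, so that no
# Service Principal credential is left behind for Terraform to pick up.
clear_arm_vars() {
    for name in $(arm_vars_set); do
        unset "$name"
    done
}

# Azure CLI authentication is only supported for a User Account, which the
# CLI reports as "type": "user" in the account output shown above.
cli_identity_ok() {
    [ "$1" = "user" ]
}

preflight() {
    leftover=$(arm_vars_set)
    if [ -n "$leftover" ]; then
        echo "Unsetting leftover Service Principal variables:" $leftover >&2
        clear_arm_vars
    fi

    # Identity type of the account behind the Default Subscription.
    id_type=$(az account show --query user.type --output tsv) || return 1
    if ! cli_identity_ok "$id_type"; then
        echo "Azure CLI is logged in as '$id_type', not a User Account;" \
             "authenticate via the Service Principal directly instead." >&2
        return 1
    fi

    # Show which subscription Terraform will connect to by default.
    echo "Default Subscription: $(az account show --query id --output tsv)"
}
```

The file must be sourced rather than executed, because unset only affects the shell it runs in.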
© 2018 HashiCorp
Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/azurerm/authenticating_via_azure_cli.html