Azure Stack Provider: Authenticating using a Service Principal

Terraform supports authenticating to Azure Stack through a Service Principal. At this time this is the only supported authentication method for Azure Stack.

Creating a Service Principal

A Service Principal is an application within Azure Active Directory whose credentials supply the client_id, client_secret, and tenant_id values needed by Terraform (the subscription_id can be found independently in your Azure account details).

Creating a Service Principal in the Azure Portal

There are two tasks needed to create a Service Principal via the Azure Portal:

  1. Create an Application in Azure Active Directory (which acts as a Service Principal)
  2. Grant the Application access to manage resources in your Azure Subscription

1. Creating an Application in Azure Active Directory

Firstly, navigate to the Azure Active Directory overview within the Azure Portal, then select the App Registration blade and click Endpoints at the top of that blade. A list of URIs will be displayed; locate the URI for OAUTH 2.0 AUTHORIZATION ENDPOINT, which contains a GUID. That GUID is your Tenant ID, the tenant_id field mentioned above.

Next, navigate back to the App Registration blade; from here we'll create the Application in Azure Active Directory. Click Add at the top to add a new Application. On this page, set the following values, then press Create:

  • Name - this is a friendly identifier and can be anything (e.g. "Terraform")
  • Application Type - this should be set to "Web app / API"
  • Sign-on URL - this can be anything, providing it's a valid URI (e.g. https://terra.form)

Once that's done - select the Application you just created in the App Registration blade. At the top of this page, the "Application ID" GUID is the client_id you'll need.

Finally, we can create the client_secret by selecting Keys and generating a new key: enter a description, select how long the client_secret should be valid for, and press Save. This value is only visible while you remain on the page, so be sure to copy it now (otherwise you'll need to generate a new key).

2. Granting the Application access to manage resources in your Azure Subscription

Once the Application exists in Azure Active Directory - we can grant it permissions to modify resources in the Subscription. To do this, navigate to the Subscriptions blade within the Azure Portal, then select the Subscription you wish to use, then click Access Control (IAM), and finally Add.

Firstly, specify a Role which grants the permissions the Service Principal needs (for example, Contributor grants Read/Write on all resources in the Subscription). There's more information about the built-in roles available here.

Secondly, search for and select the name of the Application created in Azure Active Directory to assign it this role - then press Save.

Configuring your Service Principal

Service Principals can be configured in Terraform in one of two ways: as Environment Variables or in the Provider block. Please see the Argument Reference section of the index for the fields that are available and can be specified either through Environment Variables or in the Provider block.
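The following shell helpers are an added example and are not part of the Terraform or Azure Stack provider documentation. They cover two steps from this page: recovering the tenant_id GUID from the OAuth 2.0 authorization endpoint URI, and handing the four Service Principal values to Terraform through environment variables (the route that keeps the client_secret out of your .tf files and out of version control). The variable names ARM_ENDPOINT, ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET and ARM_TENANT_ID are an assumption taken from the provider's Argument Reference, which this page only refers to; the endpoint URL and GUIDs used in comments are constructed samples.

```shell
#!/bin/sh
# Added example, not provider code. Preflight checks for running Terraform against
# Azure Stack with a Service Principal supplied via the environment.
# Assumed variable names (verify against your provider version's Argument Reference):
#   ARM_ENDPOINT, ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID

# Basic-regex shape of a GUID: 8-4-4-4-12 hex groups.
GUID_RE='^[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}$'

# is_guid VALUE -> exit status 0 if VALUE has GUID shape, 1 otherwise.
is_guid() {
    printf '%s\n' "$1" | grep -q "$GUID_RE"
}

# tenant_from_endpoint URI -> prints the GUID embedded in an OAuth 2.0 authorization
# endpoint URI of the constructed shape https://<host>/<guid>/oauth2/authorize
# (the path segment after the host is the Tenant ID). Prints nothing if no GUID is found.
tenant_from_endpoint() {
    printf '%s\n' "$1" | sed -n 's#^https://[^/]*/\([0-9a-fA-F-]\{36\}\)/.*$#\1#p'
}

# check_arm_env -> returns 0 when every required variable is set and well-formed;
# otherwise reports each problem on stderr (never printing the secret) and returns 1.
check_arm_env() {
    rc=0
    for v in ARM_ENDPOINT ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "missing: $v" >&2
            rc=1
        fi
    done
    # The three identifiers are GUIDs; the secret is opaque and is not inspected.
    for v in ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_TENANT_ID; do
        eval "val=\${$v:-}"
        if [ -n "$val" ] && ! is_guid "$val"; then
            echo "not a GUID: $v" >&2
            rc=1
        fi
    done
    case "${ARM_ENDPOINT:-}" in
        "") ;;            # already reported as missing above
        https://*) ;;     # Resource Manager endpoint must be reached over TLS
        *) echo "ARM_ENDPOINT must be an https:// URL" >&2; rc=1 ;;
    esac
    return $rc
}

# plan_with_sp [TERRAFORM PLAN ARGS...] -> runs terraform only after the checks pass.
# The credentials reach Terraform through the environment, so they never appear on a
# command line (visible in process listings) or in a committed .tf file.
plan_with_sp() {
    check_arm_env || return 1
    terraform init && terraform plan "$@"
}

# Usage (after exporting the ARM_* variables from your secret store):
#   . ./azurestack_sp.sh && plan_with_sp -out=tfplan
```

Source the file rather than executing it so the functions land in your shell; export the ARM_* variables from a secret store or CI secret injection, then call plan_with_sp. If a variable is missing or malformed the wrapper stops before Terraform starts, which avoids a half-configured provider silently falling back to other credential sources.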