Dynamic Credentials with the Azure Provider
Important: Ensure you are using version 3.25.0 or later of the AzureRM provider and version 2.29.0 or later of the AzureAD provider as required OIDC functionality was introduced in these provider versions.
Important: If you are self-hosting Terraform Cloud Agents, ensure your agents use v1.7.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
Warning: Dynamic Credentials with the Azure providers do not work when your TFE instance is using a custom or self-signed certificate due to restrictions on Azure's end.
You can use Terraform Cloud’s native OpenID Connect integration with Azure to get dynamic credentials for the AzureRM or AzureAD providers in your Terraform Cloud runs. Configuring the integration requires the following steps:
- Configure Azure: Set up a trust configuration between Azure and Terraform Cloud. Then, you must create Azure roles and policies for your Terraform Cloud workspaces.
- Configure Terraform Cloud: Add environment variables to the Terraform Cloud workspaces where you want to use Dynamic Credentials.
Once you complete the setup, Terraform Cloud automatically authenticates to Azure during each run. The Azure provider authentication is valid for the length of the plan or apply.
Configure Azure
You must enable and configure an application and service principal with accompanying federated credentials and permissions on Azure. These instructions use the Azure portal, but you can also use Terraform to configure Azure. Refer to our example Terraform configuration.
Create an Application and Service Principal
Follow the steps mentioned in the AzureRM provider docs here: Creating the Application and Service Principal.
As mentioned in the documentation it will be important to make note of the client_id
for the application as you will use this later for authentication.
Note: you will want to skip the “Configure Azure Active Directory Application to Trust a GitHub Repository”
section as this does not apply here.
Grant the Application Access to Manage Resources in Your Azure Subscription
You must now give the created Application permission to modify resources within your Subscription.
Follow the steps mentioned in the AzureRM provider docs here: Granting the Application access to manage resources in your Azure Subscription.
Configure Azure Active Directory Application to Trust a Generic Issuer
Finally, you must create federated identity credentials which validate the contents of the token sent to Azure from Terraform Cloud.
Follow the steps mentioned in the AzureRM provider docs here: Configure Azure Active Directory Application to Trust a Generic Issuer.
The following information should be specified:
- Federated credential scenario: Must be set to
Other issuer
. - Issuer: The address of Terraform Cloud (e.g., https://app.terraform.io).
- Important: make sure this value starts with https:// and does not have a trailing slash.
- Subject identifier: The subject identifier from Terraform Cloud that this credential will match. This will be in the form
organization:my-org-name:project:my-project-name:workspace:my-workspace-name:run_phase:plan
where therun_phase
can be one ofplan
orapply
. - Name: A name for the federated credential, such as
tfc-plan-credential
. Note that this cannot be changed later.
The following is optional, but may be desired:
- Audience: Enter the audience value that will be set when requesting the identity token. This will be
api://AzureADTokenExchange
by default. This should be set to the value ofTFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE
if this has been configured.
Note: because the Subject identifier
for federated credentials is a direct string match, two federated identity credentials need to be created for each workspace using dynamic credentials: one that matches run_phase:plan
and one that matches run_phase:apply
.
Configure Terraform Cloud
You’ll need to set some environment variables in your Terraform Cloud workspace in order to configure Terraform Cloud to authenticate with Azure using dynamic credentials. You can set these as workspace variables.
Required Environment Variables
Variable | Value | Notes | |
---|---|---|---|
TFC_AZURE_PROVIDER_AUTH | true | Requires v1.7.0 or later if self-managing agents. Must be present and set to true , or Terraform Cloud will not attempt to authenticate to Azure. | |
TFC_AZURE_RUN_CLIENT_ID | The client ID for the Service Principal / Application used when authenticating to Azure. | Requires v1.7.0 or later if self-managing agents. Optional if TFC_AZURE_PLAN_CLIENT_ID and TFC_AZURE_APPLY_CLIENT_ID are both provided. These variables are described below |
Optional Environment Variables
You may need to set these variables, depending on your use case.
Variable | Value | Notes |
---|---|---|
TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE | Will be used as the aud claim for the identity token. Defaults to api://AzureADTokenExchange . | Requires v1.7.0 or later if self-managing agents. |
TFC_AZURE_PLAN_CLIENT_ID | The client ID for the Service Principal / Application to use for the plan phase of a run. | Requires v1.7.0 or later if self-managing agents. Will fall back to the value of TFC_AZURE_RUN_CLIENT_ID if not provided. |
TFC_AZURE_APPLY_CLIENT_ID | The client ID for the Service Principal / Application to use for the apply phase of a run. | Requires v1.7.0 or later if self-managing agents. Will fall back to the value of TFC_AZURE_RUN_CLIENT_ID if not provided. |
Configure the AzureRM or AzureAD Provider
Make sure that you’re passing values for the subscription_id
and tenant_id
arguments into the provider configuration block or setting the ARM_SUBSCRIPTION_ID
and ARM_TENANT_ID
variables in your workspace.
Make sure that you’re not setting values for client_id
, use_oidc
, or oidc_token
in the provider or setting any of ARM_CLIENT_ID
, ARM_USE_OIDC
, ARM_OIDC_TOKEN
.
Specifying Multiple Configurations
Important: Ensure you are using version 3.60.0 or later of the AzureRM provider and version 2.43.0 or later of the AzureAD provider as required functionality was introduced in these provider versions.
Important: If you are self-hosting Terraform Cloud Agents, ensure your agents use v1.12.0 or above. To use the latest dynamic credentials features, upgrade your agents to the latest version.
You can add additional configurations to handle multiple distinct Azure setups, enabling you to use multiple provider aliases within the same workspace.
For more details, see Specifying Multiple Configurations.
Required Terraform Variable
To use additional configurations, add the following code to your Terraform configuration. This lets Terraform Cloud supply variable values that you can then use to map authentication and configuration details to the correct provider blocks.
variable "tfc_azure_dynamic_credentials" { description = "Object containing Azure dynamic credentials configuration" type = object({ default = object({ client_id_file_path = string oidc_token_file_path = string }) aliases = map(object({ client_id_file_path = string oidc_token_file_path = string })) })}
Example Usage
AzureRM Provider
provider "azurerm" { features {} // use_cli should be set to false to yield more accurate error messages on auth failure. use_cli = false // use_oidc must be explicitly set to true when using multiple configurations. use_oidc = true client_id_file_path = var.tfc_azure_dynamic_credentials.default.client_id_file_path oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path subscription_id = "00000000-0000-0000-0000-000000000000" tenant_id = "10000000-0000-0000-0000-000000000000"} provider "azurerm" { features {} // use_cli should be set to false to yield more accurate error messages on auth failure. use_cli = false // use_oidc must be explicitly set to true when using multiple configurations. use_oidc = true alias = "ALIAS1" client_id_file_path = var.tfc_azure_dynamic_credentials.aliases["ALIAS1"].client_id_file_path oidc_token_file_path = var.tfc_azure_dynamic_credentials.aliases["ALIAS1"].oidc_token_file_path subscription_id = "00000000-0000-0000-0000-000000000000" tenant_id = "20000000-0000-0000-0000-000000000000"}
AzureAD Provider
provider "azuread" { features {} // use_cli should be set to false to yield more accurate error messages on auth failure. use_cli = false // use_oidc must be explicitly set to true when using multiple configurations. use_oidc = true client_id_file_path = var.tfc_azure_dynamic_credentials.default.client_id_file_path oidc_token_file_path = var.tfc_azure_dynamic_credentials.default.oidc_token_file_path subscription_id = "00000000-0000-0000-0000-000000000000" tenant_id = "10000000-0000-0000-0000-000000000000"} provider "azuread" { features {} // use_cli should be set to false to yield more accurate error messages on auth failure. use_cli = false // use_oidc must be explicitly set to true when using multiple configurations. use_oidc = true alias = "ALIAS1" client_id_file_path = var.tfc_azure_dynamic_credentials.aliases["ALIAS1"].client_id_file_path oidc_token_file_path = var.tfc_azure_dynamic_credentials.aliases["ALIAS1"].oidc_token_file_path subscription_id = "00000000-0000-0000-0000-000000000000" tenant_id = "20000000-0000-0000-0000-000000000000"}