From ac11702557a18fe75cd7d5d83198ce11f0fc271f Mon Sep 17 00:00:00 2001 From: "Christopher J. Ruwe" Date: Thu, 2 Aug 2018 15:20:02 +0000 Subject: [PATCH 1/2] tokens invalid when az and terraform run on different timezones --- website/docs/authenticating_via_azure_cli.html.markdown | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/website/docs/authenticating_via_azure_cli.html.markdown b/website/docs/authenticating_via_azure_cli.html.markdown index 7682402d46fa..cbf80e838b59 100644 --- a/website/docs/authenticating_via_azure_cli.html.markdown +++ b/website/docs/authenticating_via_azure_cli.html.markdown @@ -15,6 +15,12 @@ We recommend [using a Service Principal when running in a shared environment](au ~> **NOTE:** Authenticating via the Azure CLI is only supported when using a User Account. If you're using a Service Principal (e.g. via `az login --service-principal`) you should instead [authenticate via the Service Principal directly](authenticating_via_service_principal.html). +~> **NOTE:** Take note that when `az login` fetches access_tokens, these are interpreted (and stored) according to the timezone settings the azure-cli runs in. + + When the timezones `az` and `terraform` run in differ (because `az` is run inside docker, which defaults to UTC, and `terraform` on some host, not UTC), `terraform` interprets the token differently from what `az` intended and may incorrectly determines the token to be stale and invalid. + + When `terraform` and `az` are run on hosts / containers with different timezones, the variable $TZ should be set on the host. + When authenticating via the Azure CLI, Terraform will automatically connect to the Default Subscription - this can be changed by using the Azure CLI - and is documented below. ## Configuring the Azure CLI From 1a7ee8e6eda594b4390d62f1f6bb4290cb41403a Mon Sep 17 00:00:00 2001 
From: "Christopher J. Ruwe" Date: Fri, 3 Aug 2018 06:03:16 +0000 Subject: [PATCH 2/2] tokens invalid when az and terraform run on different timezones More specifically, - adapt @tombuildsstuff's (thanks, that's better) stylistic requests. --- website/docs/authenticating_via_azure_cli.html.markdown | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/docs/authenticating_via_azure_cli.html.markdown b/website/docs/authenticating_via_azure_cli.html.markdown index cbf80e838b59..ca91c51d0b10 100644 --- a/website/docs/authenticating_via_azure_cli.html.markdown +++ b/website/docs/authenticating_via_azure_cli.html.markdown 
@@ -15,9 +15,9 @@ We recommend [using a Service Principal when running in a shared environment](au ~> **NOTE:** Authenticating via the Azure CLI is only supported when using a User Account. If you're using a Service Principal (e.g. via `az login --service-principal`) you should instead [authenticate via the Service Principal directly](authenticating_via_service_principal.html). -~> **NOTE:** Take note that when `az login` fetches access_tokens, these are interpreted (and stored) according to the timezone settings the azure-cli runs in. +~> **NOTE:** Take note that when `az login` fetches the access tokens, these are interpreted (and stored) according to the timezone settings the azure-cli runs in. - When the timezones `az` and `terraform` run in differ (because `az` is run inside docker, which defaults to UTC, and `terraform` on some host, not UTC), `terraform` interprets the token differently from what `az` intended and may incorrectly determines the token to be stale and invalid. + When the timezones `az` and `terraform` run in differ (for example when `az` is run inside docker, which defaults to UTC, and the system timezone where `terraform` runs is not UTC), `terraform` interprets the token differently from what `az` intended and may incorrectly determine the token to be stale and invalid. When `terraform` and `az` are run on hosts / containers with different timezones, the variable $TZ should be set on the host.
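Review bot: in [PATCH 1/2], the last added paragraph ("the variable $TZ should be set on the host") does not say which host or what value to set, so a reader cannot act on it. Since the note says the tokens are stored according to the timezone the azure-cli runs in, the guidance should state that `TZ` has to be the same in the environment running `az` and the one running `terraform`, and give one concrete case (for the docker example in the text, that means either both UTC or both the host's zone). Please also put `$TZ` in backticks like `az` and `terraform`, and fix "may incorrectly determines". The two continuation paragraphs are indented by one space and separated from the `~>` line by blank lines, so it is unclear whether they are meant to be part of the note; folding them into the note paragraph or un-indenting them would remove the ambiguity.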
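Review bot: in [PATCH 2/2], the reworded first line still opens with "Take note that" directly after the "**NOTE:**" marker and calls the tool "the azure-cli", while the unchanged context line just above it writes "the Azure CLI"; drop the redundant opener and use the same name throughout. It would also help to say what exactly is stored in local time (the "stale" wording suggests the token's expiry timestamp, but the text only says the tokens are "interpreted (and stored)"). "the access tokens" reads better as "access tokens", and "docker" should be capitalized as "Docker". The trailing context paragraph about `$TZ` is left untouched by this revision and is still unformatted and unspecific about where and to what value the variable is set.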