Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

data.azurerm_client_config.current has empty client_id, object_id and tenant_id when using Azure MSI #7787

Open
gevorg15 opened this issue Jul 16, 2020 · 16 comments

Comments

@gevorg15
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

terraform -v
Terraform v0.12.26
+ provider.azurerm v2.19.0

Affected Resource(s)

  • azurerm_client_config Data

Terraform Configuration Files

provider "azurerm" {
    version = "~> 2.0" 
    features {}
}

data azurerm_client_config current {}

output current_client_config {
    value = data.azurerm_client_config.current
}

Debug Output

Panic Output

Expected Behavior

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

current_client_config = {
  "client_id" = "00000000-0000-0000-0000-000000000000"
  "id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
  "object_id" = "00000000-0000-0000-0000-000000000000"
  "subscription_id" = "00000000-0000-0000-0000-000000000000"
  "tenant_id" = "00000000-0000-0000-0000-000000000000"
}

Actual Behavior

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

current_client_config = {
  "client_id" = ""
  "id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
  "object_id" = ""
  "subscription_id" = "00000000-0000-0000-0000-000000000000"
  "tenant_id" = ""
}

Steps to Reproduce

  1. Create a VM in azure with a Managed System Identity(MSI)
  2. Login to the newly created VM.
  3. Set required environment variables export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 ARM_USE_MSI=true
  4. terraform init
  5. terraform apply

Important Factoids

The azure_client_config data provider becomes useless since you're not able to retrieve any useful information.

References

  • #0000
@ArcturusZhang
Copy link
Contributor

Hi @gevorg15 thanks for this issue and sorry for the delay of response.

According to this document, to get the MSI authentication working, you will have to set ARM_SUBSCRIPTION_ID, ARM_USE_MSI=true and ARM_TENANT_ID or configurate them in the provider block like this:

provider "azurerm" {
  features {}

  use_msi = true
  subscription_id = "..."
  tenant_id = "..."
}

@radu-stefanache
Copy link

The MSI works fine (can manage resources) but if you want to access these (client_id and object_id) keys under azurerm_client_config, the values are missing/empty.
Terraform 0.13.5
Provider 2.38.0

@LaurentLesle
Copy link
Contributor

I have the same error with msi and in cloud shell (#6310).

This is the workaround logic I am using today in bash to retrieve the Object_Id and tenant_id regardless it is an Azure AD user, service principal, system msi or user assigned msi and inject them to Terraform as TF_VAR. Not ideal but working.

https://github.com/aztfmod/rover/blob/4098ce32e46f854445ac85839125f21410b439fc/scripts/functions.sh#L807

By running the terraform code snippet above in terraform I am expecting the object_id and tenant_id to be provided all the time regardless the authentication method.

@dvasdekis
Copy link

dvasdekis commented Nov 24, 2021

My workaround was to hardwire the object ID & tenant ID in variables, and use them if they were unavailable from the data provider:

variable "default_admin_objectid" {
  type = string
  default = "00000000-0000-0000-0000-0000000000001"  # My real AD acct objectid
  description = "Active Directory object ID of admin for resources. Not used except at resource creation."
}

variable "default_ad_tenant_id" {
  # Needed due to https://github.com/hashicorp/terraform-provider-azurerm/issues/7787
  type = string
  default = "00000000-0000-0000-0000-0000000000002"   # My real AD acct tenantid
  description = "Active Directory tenant ID. Only used when we can't autodetect."
}

locals {
  # As running on Azure Cloudshell doesn't populate the user ObjectID or TenantID, we need the below workaround
  # If length of returned object_id/tenantid > 0, use it, but if not, use the var.synapse_ad_admin_objectid
  deploy_user_object_id = length(data.azurerm_client_config.current.object_id) > 0 ? data.azurerm_client_config.current.object_id : var.default_admin_objectid
  deploy_user_tenant_id = length(data.azurerm_client_config.current.tenant_id) > 0 ? data.azurerm_client_config.current.tenant_id : var.default_ad_tenant_id
}

# Example usage
resource "azurerm_key_vault_access_policy" "kv-ro" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = local.deploy_user_tenant_id
  object_id    = local.deploy_user_object_id

  secret_permissions = [
    "Get", "List"
  ]
}

@Simonzhaohui
Copy link

  • I got same problem using Azure MSI:
[
  {
    "environmentName": "AzureCloud",
    "homeTenantId": "...",
    "id": "...",
    "isDefault": true,
    "managedByTenants": [],
    "name": "...",
    "state": "Enabled",
    "tenantId": "...",
    "user": {
      "assignedIdentityInfo": "MSI",
      "name": "systemAssignedIdentity",
      "type": "servicePrincipal"
    }
  }
]
...
Error: expected "object_id" to be a valid UUID, got 

  with azurerm_key_vault_access_policy.client[0],
  on main.tf line 152, in resource "azurerm_key_vault_access_policy" "client":
 152:   object_id    = data.azurerm_client_config.current.object_id

time=2021-11-25T04:44:19Z level=error msg=1 error occurred:
	* exit status 1
	*
  • Terraform (and AzureRM Provider) Version
    azurerm: 2.86.0
    Terraform: 1.0.5

@bradhannah
Copy link

bradhannah commented Mar 23, 2022

Based on previous comment there was an external call to Az CLI to get the id. Unfortunately the 'az ad signed-in-user' was failing for me. So for anyone else stuck, I used:

data "external" "account_info" {
  program                      = [
                                 "az",
                                 "identity",
                                 "show",
                                 "--resource-group",
                                 azurerm_resource_group.main.name,
                                 "--name",
                                 var.user_assigned_ident_name,
                                 "--query",
                                 "{principal_id:principalId}",
                                 ]
}

and access it with:

the_id = data.external.account_info.result.principal_id

@konrad-jamrozik
Copy link

konrad-jamrozik commented Jun 8, 2022

This issue appears to be present for azure cli 2.37.0 for ubuntu wsl (sudo apt install -y --allow-downgrades azure-cli=2.37.0-1~focal) but absent for 2.36.0.

Using Terraform 0.13.4 and Azure RM provider 2.54.0.

@mud5150
Copy link

mud5150 commented Jun 10, 2022

I was running into this error as well, and found that it's fixed in the 3.9.0 release. It's not directly in the release notes, but if you follow the breadcrumbs back to the go-azure-helpers patch that was pulled in, you can see the update.

@Simonzhaohui
Copy link

I still get this issue with MSI:
terraform 1.2.2
azurerm provider 3.19.1

...
- Using hashicorp/time v0.7.2 from the shared cache directory
- Using hashicorp/random v3.3.1 from the shared cache directory
- Using hashicorp/azurerm v3.19.1 from the shared cache directory

...
Acquiring state lock. This may take a few moments...
data.azurerm_client_config.current: Reading...
data.azurerm_user_assigned_identity.identity[0]: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-01 03:05:32.781347836 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/...]
data.azurerm_user_assigned_identity.identity[0]: Read complete after 1s [id=/subscriptions/../resourceGroups/mgmt-rg-upm-centralus-.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-...]

...
(and 5 more similar warnings elsewhere)
  with azurerm_key_vault_access_policy.client[0],
  on main.tf line 179, in resource \azurerm_key_vault_access_policy\ \client\:

 179:   object_id    = data.azurerm_client_config.current.object_id


Error: expected \object_id\ to be a valid UUID, got 
Releasing state lock. This may take a few moments...
time=2022-09-01T03:05:34Z level=error msg=1 error occurred:
\t* exit status 1

@MrTolerant
Copy link

image

azure-cli 2.40.0

core 2.40.0
telemetry 1.0.8

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Python location '/opt/homebrew/Cellar/azure-cli/2.40.0/libexec/bin/python'
Extensions directory '/Users/petr/.azure/cliextensions'

Python (Darwin) 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

@DPatrickBoyd
Copy link

still no fix to this from hashicorp side? I am still having similar issues with latest version of terraform and azurerm

@mukundbajaj
Copy link

This seems to be an issue when using System Managed identities as well till date.

AzureRm version used: 3.9.0
Azure CLI: 2.42.0

@segraef
Copy link

segraef commented Nov 17, 2022

Any update?
It seems only

provider "azurerm" { features {} tenant_id = "tenantID" subscription_id = "subID" }

works and not

ARM_SUBSCRIPTION_ID: "subID" ARM_TENANT_ID: "tenantID"

@segraef
Copy link

segraef commented Nov 23, 2022

Workaround to use azuread. Apparently it was solved via #16982 but can't find the solution in https://github.com/hashicorp/terraform-provider-azurerm/blob/v3.9.0/CHANGELOG.md.

@jdocampo
Copy link

Seems to be fixed in v3.44.1:
https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.44.1
#20523

I have tested it in a VM with User Assigned Managed Identity:
image

az login --identity > /dev/null
export ARM_USE_MSI=true
export ARM_SUBSCRIPTION_ID=$(az login --identity | jq -r '.[0] | .id')
export ARM_TENANT_ID=$(az login --identity | jq -r '.[0] | .tenantId')
terraform {

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.44.1"
    }
  }
}

provider "azurerm" {
  features {}
}

data azurerm_client_config current {}

output current_client_config {
    value = data.azurerm_client_config.current
}

image

@sjackson0109
Copy link

sjackson0109 commented Jun 9, 2023

This error is generated logging in using username/password (via SAML auth); and via client_id/secret.

The workaround above with data.external.account_info only works if you are using a username/password auth.

@rcskosir rcskosir added the v/3.x label May 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests