data.azurerm_client_config.current has empty client_id, object_id and tenant_id when using Azure MSI #7787
Comments
Hi @gevorg15, thanks for this issue and sorry for the delayed response. According to this document, to get the MSI authentication working, you will have to set
The MSI works fine (can manage resources) but if you want to access these (
I have the same error with MSI and in Cloud Shell (#6310). This is the workaround logic I am using today in bash to retrieve the object_id and tenant_id regardless of whether it is an Azure AD user, service principal, system MSI or user-assigned MSI, and inject them into Terraform as TF_VAR values. Not ideal, but working. By running the Terraform code snippet above, I am expecting the object_id and tenant_id to be provided all the time, regardless of the authentication method.
My workaround was to hardwire the object ID & tenant ID in variables, and use them if they were unavailable from the data provider:

```hcl
variable "default_admin_objectid" {
  type        = string
  default     = "00000000-0000-0000-0000-000000000001" # My real AD acct objectid
  description = "Active Directory object ID of admin for resources. Not used except at resource creation."
}

variable "default_ad_tenant_id" {
  # Needed due to https://github.com/hashicorp/terraform-provider-azurerm/issues/7787
  type        = string
  default     = "00000000-0000-0000-0000-000000000002" # My real AD acct tenantid
  description = "Active Directory tenant ID. Only used when we can't autodetect."
}

data "azurerm_client_config" "current" {}

locals {
  # As running on Azure Cloudshell doesn't populate the user ObjectID or TenantID, we need the below workaround.
  # If the returned object_id/tenant_id is non-empty, use it; otherwise fall back to
  # var.default_admin_objectid / var.default_ad_tenant_id.
  deploy_user_object_id = length(data.azurerm_client_config.current.object_id) > 0 ? data.azurerm_client_config.current.object_id : var.default_admin_objectid
  deploy_user_tenant_id = length(data.azurerm_client_config.current.tenant_id) > 0 ? data.azurerm_client_config.current.tenant_id : var.default_ad_tenant_id
}

# Example usage
resource "azurerm_key_vault_access_policy" "kv-ro" {
  key_vault_id       = azurerm_key_vault.kv.id
  tenant_id          = local.deploy_user_tenant_id
  object_id          = local.deploy_user_object_id
  secret_permissions = [
    "Get", "List"
  ]
}
```
Based on previous comment there was an external call to Az CLI to get the id. Unfortunately the 'az ad signed-in-user' was failing for me. So for anyone else stuck, I used:
and access it with:
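The two workarounds above (a hard-wired fallback in variables, and an external call to the Azure CLI) can be combined so that the principal's IDs are resolved in a fixed order and the plan fails loudly instead of silently granting an access policy to a blank or stale identity. The following is an added example, not code from this thread or from the provider. It assumes `bash` and `az` are on the machine running Terraform, the `hashicorp/external` provider, Terraform >= 1.2 (for `precondition` in `output`), and azure-cli >= 2.37 (where `az ad signed-in-user show` returns the object id in the `id` field). The names `data.external.account_info`, `var.default_admin_objectid` and `var.default_ad_tenant_id` are illustrative.

```hcl
# Added example, not code from the thread or the provider. Resolves the deploying
# principal's tenant_id/object_id with a layered fallback: provider data first,
# then the Azure CLI, then an explicit variable, and fails if all are empty.
# Assumed names: data.external.account_info, var.default_admin_objectid,
# var.default_ad_tenant_id. Assumes bash, az and the external provider exist.

variable "default_admin_objectid" {
  type        = string
  default     = "" # only set where autodetection is known to fail (e.g. MSI)
  description = "Fallback Azure AD object id of the deploying principal."

  validation {
    condition     = var.default_admin_objectid == "" || can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.default_admin_objectid))
    error_message = "default_admin_objectid must be empty or a GUID."
  }
}

variable "default_ad_tenant_id" {
  type        = string
  default     = ""
  description = "Fallback Azure AD tenant id."

  validation {
    condition     = var.default_ad_tenant_id == "" || can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", var.default_ad_tenant_id))
    error_message = "default_ad_tenant_id must be empty or a GUID."
  }
}

data "azurerm_client_config" "current" {}

# Second source: ask the Azure CLI. The script always exits 0 and always prints
# a JSON object, so a CLI that cannot answer (MSI, Cloud Shell) yields empty
# strings instead of aborting the plan. 'id' is the object id field in
# azure-cli >= 2.37 (older releases used 'objectId'); adjust if needed.
data "external" "account_info" {
  program = ["bash", "-c", <<-EOT
    set -u
    tenant="$(az account show --query tenantId -o tsv 2>/dev/null || true)"
    oid="$(az ad signed-in-user show --query id -o tsv 2>/dev/null || true)"
    printf '{"tenant_id":"%s","object_id":"%s"}\n' "$tenant" "$oid"
  EOT
  ]
}

locals {
  # coalesce() returns the first argument that is neither null nor "", so the
  # order below is the precedence. It errors if every source is empty, which is
  # the desired outcome: never fall through to a blank principal.
  deploy_user_tenant_id = coalesce(
    data.azurerm_client_config.current.tenant_id,
    data.external.account_info.result.tenant_id,
    var.default_ad_tenant_id
  )
  deploy_user_object_id = coalesce(
    data.azurerm_client_config.current.object_id,
    data.external.account_info.result.object_id,
    var.default_admin_objectid
  )
}

# Consumers reference local.deploy_user_* exactly as the thread's key vault
# access policy does; the outputs below expose the resolved values and guard them.
output "deploy_user_object_id" {
  value = local.deploy_user_object_id

  precondition {
    condition     = can(regex("^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$", local.deploy_user_object_id))
    error_message = "Could not resolve the deploying principal's object id; set default_admin_objectid."
  }
}

output "deploy_user_tenant_id" {
  value = local.deploy_user_tenant_id
}
```

Run `terraform plan` under each login type you use (user, service principal, MSI) and check the two outputs: if the precondition trips, the hard-wired fallback is what will be written into any access policy, so review that value before applying rather than leaving a stale object id in a variable default.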
I was running into this error as well, and found that it's fixed in the 3.9.0 release. It's not directly in the release notes, but if you follow the breadcrumbs back to the go-azure-helpers patch that was pulled in, you can see the update.
I still get this issue with MSI:

```text
azure-cli 2.40.0
core 2.40.0
Dependencies:
Python location '/opt/homebrew/Cellar/azure-cli/2.40.0/libexec/bin/python'
Python (Darwin) 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
Legal docs and information: aka.ms/AzureCliLegal
```
Still no fix to this from HashiCorp's side? I am still having similar issues with the latest version of Terraform and azurerm.
This seems to be an issue when using system-assigned managed identities as well, to date. AzureRM version used: 3.9.0
Any update?
works and not
Workaround: use azuread. Apparently it was solved via #16982, but I can't find the solution in https://github.com/hashicorp/terraform-provider-azurerm/blob/v3.9.0/CHANGELOG.md.
Seems to be fixed in v3.44.1: I have tested it in a VM with a user-assigned managed identity:
This error is generated when logging in using username/password (via SAML auth), and via client_id/secret. The workaround above with data.external.account_info only works if you are using username/password auth.
Affected Resource(s)
azurerm_client_config (data source)
Steps to Reproduce

```sh
export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 ARM_USE_MSI=true
terraform init
terraform apply
```

Important Factoids
The azurerm_client_config data source becomes useless since you're not able to retrieve any useful information.