Authenticating using the Azure CLI is only supported as a User (not a Service Principal)

Thread starter: Gabe Dillin

I am setting up a CI/CD pipeline through Azure DevOps to test my Terraform code; my organization is planning on switching to CI/CD for our infrastructure. I am trying to validate Terraform in my Azure tenant through a Service Connection in a YAML Pipeline:

Code:
name: Azure Infrastructure CI/CD

trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  - name: public_key
    value: $(public_key)
  - name: terraformSecret
    value: $(client_secret)

steps:
  - checkout: self
    submodules: true

  - task: TerraformInstaller@0
    inputs:
      terraformVersion: 'latest'

  - script: az login --service-principal -u "$(client_id)" -p $(client_secret) --tenant "$(tenant_id)"
    displayName: 'Azure CLI Login'

  - script: az account set --subscription "$(subscription_id)"
    displayName: 'Azure Subscription Set'
  
  - script: |
      terraform init
      terraform plan -out=tfplan \
        -var="public_key=${public_key}" \
        -var="client_secret=${terraformSecret}"
    displayName: 'Terraform Init and Plan'
    workingDirectory: .

  - script: |
      terraform apply -auto-approve tfplan
    displayName: 'Terraform Apply'
    workingDirectory: .

Here is my Terraform provider file:

Code:
provider "azurerm" {
    features {}

    client_id       = "xxxxx"
    client_secret   = var.client_secret
    tenant_id       = "xxxxx"
    subscription_id = "xxxxx"
}

And an excerpt from my Terraform variables file:

Code:
variable "client_secret" {
  type        = string
}

And I have all environment variables set correctly on the pipeline in Azure DevOps. I am getting this error:

Code:
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: building AzureRM Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 10, in provider "azurerm":
│   10: provider "azurerm" {
│ 
╵

##[error]Bash exited with code '1'.

I have checked the Terraform docs, and they don't show how I can authenticate a Terraform connection through a script, and I want to protect the client secret as much as I can, and not make it available for everyone accessing this code. I have also used a bunch of LLMs and the insight is minimally helpful as with most Terraform-related projects.

How do I authenticate my Terraform code through a service principal on a YAML pipeline?
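
An added example, not part of the original post: a preflight for the plan step that authenticates the provider as a service principal through the `ARM_*` environment variables the azurerm provider reads, and reports by name only any that are empty or still an unexpanded `$(macro)`. It assumes the step maps the pipeline variables with `env:` and that the credentials are removed from the provider block; `missing_arm_vars` and `run_plan` are hypothetical names.

```shell
# Added example (not from the original post). Intended as the body of the
# "Terraform Init and Plan" script step, which is assumed to map the
# pipeline variables explicitly, because secret variables are not exported
# to scripts on their own:
#   env:
#     ARM_CLIENT_ID: $(client_id)
#     ARM_CLIENT_SECRET: $(client_secret)
#     ARM_TENANT_ID: $(tenant_id)
#     ARM_SUBSCRIPTION_ID: $(subscription_id)
# With these set, the provider block needs only `features {}`, and the
# secret never appears in a -var argument or in the repository.

# Environment variables the azurerm provider reads for client-secret auth.
REQUIRED_ARM_VARS="ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID"

# Print the names (never the values) of variables that are unset, empty, or
# still a literal $(macro), which is what Azure DevOps leaves behind when
# the referenced pipeline variable does not exist. Returns 1 if any are.
missing_arm_vars() {
  missing=""
  for name in $REQUIRED_ARM_VARS; do
    eval "value=\${$name:-}"   # names are the fixed constants above
    case "$value" in
      "" | '$('*')') missing="$missing $name" ;;
    esac
  done
  missing="${missing# }"
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
  return 0
}

# Refuse to start Terraform with incomplete credentials. Extra arguments
# (for example -var="public_key=...") are passed through to `terraform plan`.
run_plan() {
  if ! unset_vars=$(missing_arm_vars); then
    echo "error: service principal variables not set: $unset_vars" >&2
    return 1
  fi
  terraform init -input=false && terraform plan -input=false -out=tfplan "$@"
}
```
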