Jaimin Joshi

Reputation: 83

az login using federated service principal credentials

I want to deploy resources in Azure through a workspace in Terraform Cloud.

I am using Terraform Cloud's dynamic provider credentials feature for authenticating to Azure, as described in this article. It involves creating a service principal with federated credentials and hence no secrets.

It's working fine, and I am able to deploy resources in Azure.

However, I have a local-exec resource that uses az login

az login --service-principal -u <client-id> -p <client-secret> --tenant <tenant>

Since I don't have a client-secret, how do I use az login ?

I came across this article, which shows how to do this via a GitHub Action, but I don't want to go the Actions route.

Thank you in advance for your help!

Upvotes: 1

Views: 4059

Answers (2)

finarne

Reputation: 61

I've written up a series of blog posts that might help you get this working:

https://finarne.wordpress.com/2024/07/25/acquire-an-entra-id-token-using-federated-credentials-part-1-oidc-discovery-documents/

The blog posts take you through how to first set up the OIDC documents that act as the Identity Provider for the Federated Credential, and in part 3 you'll see how to generate the required cryptographically signed Client Assertion that you can exchange when you execute the az login command.

HTH

Upvotes: 0
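The question asks for an az login that needs no client secret, and the answer above describes exchanging a signed client assertion for a token. The following is an added example (not code from the question, from either answer, or from Terraform Cloud) that does both with the token the dynamic-credentials run already holds: it pre-flight checks the JWT's iss/sub/aud against the federated credential configured on the app registration, builds the OAuth2 client-assertion exchange body, and builds the az login call using the CLI's --federated-token option. The environment variable names ARM_CLIENT_ID, ARM_TENANT_ID, ARM_OIDC_TOKEN and TFC_WORKLOAD_IDENTITY_TOKEN, the sample issuer/subject values, and the unsigned demo token are assumptions made for this example; check them against your own workspace.

```python
"""Added example, not from the page: az login with a federated OIDC token (no secret).

Assumptions (not stated in the original post): the run environment carries the app's
client id in ARM_CLIENT_ID, the tenant in ARM_TENANT_ID, and the workload-identity JWT
in ARM_OIDC_TOKEN (TFC_WORKLOAD_IDENTITY_TOKEN as a fallback).
"""
import base64
import json
import os
import shlex
import subprocess

CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature is NOT verified here:
    Entra ID verifies it against the issuer's JWKS at exchange time. This is only a
    pre-flight check so a mismatched federated credential fails with readable values."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_federated_credential(token: str, expected_issuer: str, expected_subject: str,
                               expected_audience: str = "api://AzureADTokenExchange") -> dict:
    """Entra matches iss, sub and aud exactly against the federated credential on the
    app registration; any mismatch makes the exchange fail, so surface it first."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    aud = aud[0] if isinstance(aud, list) and len(aud) == 1 else aud
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss={claims.get('iss')!r} != {expected_issuer!r}")
    if claims.get("sub") != expected_subject:
        problems.append(f"sub={claims.get('sub')!r} != {expected_subject!r}")
    if aud != expected_audience:
        problems.append(f"aud={aud!r} != {expected_audience!r}")
    if problems:
        raise ValueError("federated credential mismatch: " + "; ".join(problems))
    return claims


def token_request(tenant_id: str, client_id: str, assertion: str,
                  scope: str = "https://management.azure.com/.default") -> tuple:
    """(endpoint, form body) of the client_credentials request that trades the
    assertion for an access token; this is what az login performs on your behalf."""
    endpoint = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return endpoint, body


def az_login_argv(client_id: str, tenant_id: str, token: str) -> list:
    """argv for az login with a federated token: no -p secret, no certificate."""
    return ["az", "login", "--service-principal", "-u", client_id,
            "--tenant", tenant_id, "--federated-token", token,
            "--allow-no-subscriptions"]


def login_from_env(env=os.environ, run=subprocess.run) -> list:
    """Build and execute the az login call from the run's environment (assumed names)."""
    token = env.get("ARM_OIDC_TOKEN") or env["TFC_WORKLOAD_IDENTITY_TOKEN"]
    argv = az_login_argv(env["ARM_CLIENT_ID"], env["ARM_TENANT_ID"], token)
    run(argv, check=True)
    return argv


def constructed_token(claims: dict) -> str:
    """Constructed, UNSIGNED fixture for offline demonstration only. A real Terraform
    Cloud token is signed by the issuer; never accept alg "none" in production code."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Sample issuer/subject shaped like a Terraform Cloud workload identity (assumed).
    sub = "organization:my-org:project:my-project:workspace:my-ws:run_phase:apply"
    demo = constructed_token({"iss": "https://app.terraform.io", "sub": sub,
                              "aud": "api://AzureADTokenExchange"})
    check_federated_credential(demo, "https://app.terraform.io", sub)
    argv = az_login_argv("<client-id>", "<tenant>", demo)
    # Print the command with the bearer token redacted: it is a credential.
    print(shlex.join(a if a != demo else "<redacted>" for a in argv))
```

If you wire this into a local-exec provisioner, read the token from the shell environment inside the script rather than interpolating it into the Terraform `command` string: Terraform echoes the local-exec command line into the run output, so an interpolated token would land in the plan/apply logs.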

Jahnavi

Reputation: 7828

Need to check the below:

Since I don't have a client-secret, how do I use az login?

Approach-1:

Firstly, to work with az login without using CLIENT_SECRET, you can try using CLIENT_ID and the Azure TENANT_ID for login purposes. To use these values, set them as environment variables with the help of the export command in AzCLI.

Or

Go to Terraform Cloud and set the environment variables CLIENT_ID and TENANT_ID by choosing the specific workspace >> variables, as detailed in SO by @Monkey Supersonic.

export CLIENT_ID="xxx"
export TENANT_ID="xxx"

Now use the local-exec resource to log into Azure and it works as expected.

resource "null_resource" "azlogin" {
  provisioner "local-exec" {
    # CLIENT_ID and TENANT_ID are workspace environment variables, so they are
    # referenced as shell variables; ${...} would be a Terraform interpolation.
    command = "az login --service-principal -u $CLIENT_ID --tenant $TENANT_ID"
  }
}

Approach-2:

Using the az login --use-device-code command is another way to use the local-exec resource in Terraform Cloud without a client secret.

resource "null_resource" "azlogin" {
  provisioner "local-exec" {
    command = "az login --use-device-code"
  }
}

Once you execute the above command, it prompts you to open the web URL and enter the device code. Then you will be able to log into Azure successfully.


Approach-3:

Another approach is using managed identity login. You can use the managed identity to sign in. The --identity flag is used to sign in with the resource's identity.

az login --identity --username CLIENT_ID

Error: building AzureRM Client: please ensure you have installed Azure CLI version 2.0.79 or newer. Error parsing json result from the Azure CLI: launching Azure CLI : exec: "az":executable file not found in $PATH:

Coming to the above error, it occurs when the Azure CLI is not properly installed or is not found in the system path. Sometimes upgrading the Azure CLI using az upgrade resolves this error.

After upgrading it, restart the Azure CLI. If upgrading doesn't work, then remove the existing CLI configuration and reinstall it.

Reference: MS Doc on CLI installation.

Note: If the issue still persists, check whether the location where the Azure CLI is installed is in your system's PATH environment variable. Add it if not present.

Refer to the GitHub doc for the relevant issue.

Upvotes: -1
