Reputation: 202
I'm trying to use Terraform's azapi provider to deploy a quota alarm and I'm running into an OAuth error, "Identity not found".
I have my provider set up with:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.43.0"
    }
    azapi = {
      source = "azure/azapi"
    }
  }
}

provider "azurerm" {
  tenant_id                  = "<Tenant ID>"
  subscription_id            = "<Subscription ID 1>"
  skip_provider_registration = true
  use_oidc                   = true
  features {}
}

provider "azapi" {
  alias           = "alias1"
  tenant_id       = "<Tenant ID>"
  subscription_id = "<Subscription ID 2>"
  use_oidc        = true
}
I am using GitHub actions and we login to Azure via OIDC. azurerm is working fine but azapi is failing with:
Error: checking for presence of existing Resource: (ResourceId "/subscriptions/<Subscription ID 2>/resourceGroups/quota-alarms/providers/Microsoft.Insights/scheduledQueryRules/total_regional_vcpu_quota_alarm" / Api Version "2023-03-15-preview"): ChainedTokenCredential authentication failed
GET http://169.254.169.254/metadata/identity/oauth2/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
"error": "invalid_request",
"error_description": "Identity not found"
}
--------------------------------------------------------------------------------
Any thoughts on why authentication is working for azurerm but not azapi?
Upvotes: 2
Views: 2047
Reputation: 1
To fix this, I explicitly declared the azapi provider in my provider configuration and then passed it to the child module.
Ensure your provider.tf contains all necessary provider details, including subscription_id, tenant_id, and credentials.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.0"
    }
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  subscription_id = var.SUBS_ID
  tenant_id       = var.AZURE_TENANT_ID
  client_id       = var.AZURE_CLIENT_ID
  client_secret   = var.AZURE_CLIENT_SECRET
}
In your main Terraform configuration (where you call the module), pass the provider explicitly:
module "yourazureresource" {
  source = "./modules/your-module"
  providers = {
    azapi = azapi
  }
  # Other module variables...
}
In the child module, explicitly define the azapi provider requirement:
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}
Upvotes: 0
Reputation: 202
I was able to resolve this myself.
The problem was that I was specifying an alias name in the provider block but not in the azapi_resource block. I think it was trying to fall back to a generic azapi provider, which works on my dev machine because I have the Azure CLI set up.
I specified a provider alias in the resource block and it worked:
resource "azapi_resource" "compute_quota_alarms" {
  provider = azapi.alias1
  # ... remaining arguments unchanged
}
Upvotes: 0
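The two answers above cover two halves of the same problem: a resource that does not name the alias, at the root or inside a child module, binds to the implicit default "azapi" provider, which has no configuration and walks the chained credential list down to IMDS; on a GitHub-hosted runner that endpoint answers with the "Identity not found" 400 seen in the question. The following complete configuration is an added example, not code from the question or either answer. It keeps the OIDC flow the question already uses (no client_secret stored anywhere; both providers read the client ID and federated token from the ARM_* / ACTIONS_ID_TOKEN_* environment that azure/login and the workflow's id-token: write permission provide) and shows both the root-level provider argument and the providers map into a child module. The variable names, the module path ./modules/quota_alarms, the resource group and action group names, the region and the azapi version pin are assumptions chosen for the example; the action group stands in for whatever the alarm in the question notifies.

```hcl
# main.tf (root module)

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.43.0"
    }
    azapi = {
      source  = "azure/azapi"
      version = "~> 1.0" # assumption: 1.x series, where body is a JSON string
    }
  }
}

variable "tenant_id"         { type = string }
variable "subscription_id_1" { type = string }
variable "subscription_id_2" { type = string }

# Unaliased azurerm provider for subscription 1. With use_oidc = true the
# client_id and the federated token come from ARM_CLIENT_ID / ARM_TENANT_ID and
# the ACTIONS_ID_TOKEN_REQUEST_* variables exported by the GitHub workflow.
provider "azurerm" {
  tenant_id                  = var.tenant_id
  subscription_id            = var.subscription_id_1
  use_oidc                   = true
  skip_provider_registration = true
  features {}
}

# Aliased azapi provider for subscription 2, same OIDC identity, no secret.
provider "azapi" {
  alias           = "alias1"
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id_2
  use_oidc        = true
}

# Root-level azapi resource. Without "provider = azapi.alias1" this block binds
# to the implicit, unconfigured default azapi provider, whose credential chain
# ends at IMDS and fails with "Identity not found" on a runner that has no
# managed identity.
resource "azapi_resource" "quota_alarm_rg" {
  provider  = azapi.alias1
  type      = "Microsoft.Resources/resourceGroups@2021-04-01"
  name      = "quota-alarms"                 # assumed name, matches the question's path
  parent_id = "/subscriptions/${var.subscription_id_2}"
  location  = "westeurope"                    # assumed region
}

# Child module: the aliased configuration is handed over under the child's
# default "azapi" name, so resources inside the module need no provider
# argument and cannot silently fall back to the default chain.
module "quota_alarms" {
  source = "./modules/quota_alarms"           # assumed path
  providers = {
    azapi = azapi.alias1
  }
  resource_group_id = azapi_resource.quota_alarm_rg.id
}

# modules/quota_alarms/main.tf

terraform {
  required_providers {
    azapi = {
      source = "azure/azapi"
    }
  }
}

variable "resource_group_id" { type = string }

# Inherits the provider passed in the parent's providers map. An action group
# stands in for the alarm's notification target; its name and receiver are
# assumptions for the example.
resource "azapi_resource" "quota_alarm_action_group" {
  type      = "Microsoft.Insights/actionGroups@2023-01-01"
  name      = "quota-alarm-actions"
  parent_id = var.resource_group_id
  location  = "global"
  body = jsonencode({
    properties = {
      groupShortName = "quota"
      enabled        = true
      emailReceivers = [{
        name                 = "oncall"
        emailAddress         = "oncall@example.com"
        useCommonAlertSchema = true
      }]
    }
  })
}
```

A quick way to confirm the binding before running a plan in CI is `terraform providers`, which lists every provider configuration each module and resource resolves to; if an unaliased "provider[\"registry.terraform.io/azure/azapi\"]" still appears, some azapi_resource is not naming the alias. Keeping use_oidc on both providers, rather than switching azapi to client_id / client_secret as the first answer does, means the pipeline never holds a long-lived credential for subscription 2.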