Open marcin478 opened 4 months ago
Hi @marcin478,
Thank you for taking the time to report this issue, and apologies for the late response.
The azapi provider does support this feature; more details can be found here: https://registry.terraform.io/providers/Azure/azapi/latest/docs/guides/azure_cli
We are facing the same issue: Azure CLI auth works well when the Azure CLI is authenticated via a service principal client secret; however, we get the error below when we use Workload Identity Federation for the Azure DevOps service connection.

```
Error: reading "Resource: (ResourceId \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\" / Api Version \"2022-09-01\")": ChainedTokenCredential authentication failed
│ GET http://169.254.169.254/metadata/identity/oauth2/token
│ --------------------------------------------------------------------------------
│ RESPONSE 400 Bad Request
│ --------------------------------------------------------------------------------
│ {
│   "error": "invalid_request",
│   "error_description": "Identity not found"
│ }
```
With the same config, the azurerm provider works well. The provider config is below:
```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.63.0"
    }
    azapi = {
      source  = "Azure/azapi"
      version = "~> 1.8.0"
    }
  }
  backend "azurerm" {}
}

provider "azapi" {
  use_cli = true
}

provider "azurerm" {
  skip_provider_registration = true
  features {}
}
```
+1 to @srvmsr. Using Workload Identity is not working.
+1 to @srvmsr. Same issue for me :-(
Haven't tried the OIDC option...
We also have this when just using standard service connections in DevOps (not federated).
I'm dealing with the same problem while using a federated connection in AzAPI version 1.13.1.
Here's a workaround I am using:

```hcl
provider "azapi" {
  use_msi = false
}
```

This is already supported by the azurerm and azuread providers. It's required to solve the problem with the 10-minute idToken validity limitation when using Workload Identity Federation for the Azure DevOps service connection.