Azure / terraform-provider-azapi

Terraform provider for Azure Resource Manager Rest API
https://registry.terraform.io/providers/Azure/azapi/latest
Mozilla Public License 2.0

Authenticating via a Service Principal and a Client Certificate tries to authenticate with Managed Identities and times out #609

Open FrancescaRodricks opened 1 week ago

FrancescaRodricks commented 1 week ago

https://github.com/Azure/terraform-provider-azapi/blob/main/docs/guides/service_principal_client_certificate.md#configuring-the-service-principal-in-terraform

I tried to run a setup similar to the code at https://github.com/thomast1906/thomasthorntoncloud-examples/blob/master/Terraform-OpenAI-ContentFilter-AzAPI/terraform/main.tf#L38, with the provider version as below.

Provider version used - azure/azapi v1.14.0...

provider "azapi" {
  subscription_id             = var.subscription_id
  client_id                   = var.client_id
  client_certificate          = var.client_certificate
  client_certificate_password = var.client_certificate_password
  tenant_id                   = var.tenant_id
  use_cli                     = false
}

And had the following error when trying to create azapi_resource.

ChainedTokenCredential: failed to
│ acquire a token.
│ Attempted credentials:
│   managed identity timed out
│   AzureCLICredential: Azure CLI not found on path

So I tried to set managed identity based auth to false using use_msi = false

provider "azapi" {
  subscription_id             = var.subscription_id
  client_id                   = var.client_id
  client_certificate          = var.client_certificate
  client_certificate_password = var.client_certificate_password
  tenant_id                   = var.tenant_id
  use_cli                     = false
  use_msi                     = false 
}

And ran into the following error

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to obtain a credential.
│ 
│   with provider["registry.terraform.io/azure/azapi"],
│   on main.tf line 115, in provider "azapi":
│  115: provider "azapi" {
│ 
│ no credentials were successfully initialized
╵

Which indicates that service principal credentials are not being used.

Expected Behaviour - The provider should use the service principal rather than a managed identity

ms-henglu commented 1 week ago

Hi @FrancescaRodricks,

Thank you for taking time to report this issue!

Please share the debug log to help us investigate.

Here's how:

  1. Add the below environment variables:
    TF_LOG=DEBUG
    TF_LOG_PATH=./terraform.log
  2. Run the terraform plan command and the logs will be stored in the terraform.log file.
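
The debug-log procedure above, extended with a redaction pass before the log is attached to a public issue. This is an added example, not part of the original comment or the provider's tooling; the function names, the redaction patterns and the sample log lines are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: capture a Terraform debug log, then redact it before sharing.
# Patterns and sample lines are assumptions, not real azapi provider output.

# redact_tf_log: filter stdin to stdout, masking values that should stay private.
redact_tf_log() {
  sed -E \
    -e 's#(Authorization: *Bearer +)[A-Za-z0-9._~+/=-]+#\1<redacted-token>#g' \
    -e 's#eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+#<redacted-jwt>#g' \
    -e 's#("?(client_secret|client_certificate_password|client_certificate|password)"? *[=:] *)"[^"]*"#\1"<redacted>"#g' \
    -e 's#[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}#<guid>#g'
}

# capture_and_redact: run the plan with the two variables from the steps above,
# then write a redacted copy beside the raw log. Requires terraform on PATH.
capture_and_redact() {
  # The plan is expected to fail while the auth problem persists, so its exit
  # status is ignored and the log is still processed.
  TF_LOG=DEBUG TF_LOG_PATH=./terraform.log terraform plan || true
  redact_tf_log < ./terraform.log > ./terraform.redacted.log
}

# sample_log: constructed lines in a debug-log style, used to exercise the filter.
sample_log() {
  cat <<'EOF'
2024-01-01T00:00:00.000Z [DEBUG] provider: GET https://management.azure.com/subscriptions/11111111-2222-3333-4444-555555555555/providers?api-version=2021-04-01
2024-01-01T00:00:00.100Z [DEBUG] provider: Authorization: Bearer eyJhbGciOi.eyJzdWIiOi.c2lnbmF0dXJl
2024-01-01T00:00:00.200Z [DEBUG] provider: config client_certificate_password="hunter2" use_msi=false
EOF
}
```

Run `sample_log | redact_tf_log` to see the effect on the constructed lines, and review `terraform.redacted.log` by eye before posting, since the patterns only cover the value shapes listed in the filter.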