hashicorp / go-azure-helpers

This repository contains various helpers and wrappers for working with Azure and the Azure SDK for Go.
Mozilla Public License 2.0

Azure CLI Tokens + Azure Stack Terraform Provider in ADFS/Disconnected mode #28

Open jbpaux opened 5 years ago

jbpaux commented 5 years ago

Hello, I'm struggling to authenticate in an ADFS Disconnected Azure Stack with the Azure Stack Terraform Provider using Azure CLI tokens.

Versions:

Steps performed:

```
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Service Principal / Client Certificate is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Service Principal / Client Secret is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Managed Service Identity is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2019-06-20T11:38:45.076+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 Using Obtaining a token from the Azure CLI for Authentication
2019-06-20T11:38:45.077+0200 [DEBUG] plugin.terraform-provider-azurestack: 2019/06/20 11:38:45 [DEBUG] Resource "https://management.adfs.azstack.local/4851e0c9-ca1e-405e-9589-976d89f72324" isn't for the correct Tenant
2019/06/20 11:38:45 [ERROR] : eval: terraform.EvalConfigProvider, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: terraform.EvalSequence, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: terraform.EvalOpFilter, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
2019/06/20 11:38:45 [ERROR] : eval: terraform.EvalSequence, err: Error building ARM Client: Error populating Client ID from the Azure CLI: No Authorization Tokens were found - please re-authenticate using az login.
```

Tenant id is correct. I don't know why it adds https://management.adfs.azstack.local/ in front of it, but why not.

jbpaux commented 5 years ago

Ok, I think I figured it out. In the token, the Authority ends with / like in my case https://adfs.region.fqdn/tenantid/ while in the code it's looking for only the tenant id as a suffix: https://github.com/hashicorp/go-azure-helpers/blob/5e51ac013932f1c9434224349e74d77be738739c/authentication/azure_cli_access_token.go#L29

jbpaux commented 5 years ago

@tombuildsstuff if you can have a look ;)

jbpaux commented 5 years ago

It may be related to this also. Azure CLI removes the tenant id in the stored token :( https://github.com/Azure/azure-cli/issues/9779
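The two conditions raised in the comments above (an authority ending in `/`, and a stored authority with no tenant ID) can be reproduced in isolation. This is an added example, not code from go-azure-helpers: it assumes the existing check is a plain suffix comparison as the comment describes, and every function name, host and tenant ID in it is a constructed placeholder. It contrasts that check with an exact comparison of the last path segment, which accepts the trailing slash without also accepting a different segment that merely ends in the tenant ID.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

const sampleTenant, sampleHost = "00000000-0000-0000-0000-000000000001", "https://adfs.example.invalid/" // constructed

// strictSuffixMatch is the check as described in the comment above: the
// authority must end with the bare tenant ID, so a trailing "/" defeats it.
func strictSuffixMatch(authority, tenantID string) bool {
	return strings.HasSuffix(authority, tenantID)
}

// tenantMatch compares the last path segment to the tenant ID exactly, ignoring
// trailing slashes and case. Non-https or tenant-less authorities fail closed.
func tenantMatch(authority, tenantID string) bool {
	u, err := url.Parse(authority)
	if err != nil || u.Scheme != "https" || u.Host == "" || tenantID == "" {
		return false
	}
	segs := strings.Split(strings.Trim(u.Path, "/"), "/")
	return strings.EqualFold(segs[len(segs)-1], tenantID)
}

// selectAuthorities returns the cached authorities accepted for tenantID.
func selectAuthorities(cached []string, tenantID string, match func(string, string) bool) []string {
	var out []string
	for _, a := range cached {
		if match(a, tenantID) {
			out = append(out, a)
		}
	}
	return out
}

// sampleAuthorities is constructed cache content covering four shapes.
var sampleAuthorities = []string{
	sampleHost + sampleTenant + "/", // trailing slash, as in the ADFS case
	sampleHost + sampleTenant,       // no trailing slash
	sampleHost + "adfs",             // tenant ID absent from stored authority
	sampleHost + "x" + sampleTenant, // different segment that shares the suffix
}

func main() {
	fmt.Println("suffix: ", selectAuthorities(sampleAuthorities, sampleTenant, strictSuffixMatch))
	fmt.Println("segment:", selectAuthorities(sampleAuthorities, sampleTenant, tenantMatch))
}
```

An authority that carries no tenant ID at all is rejected by both checks, so that case cannot be fixed by normalising the comparison alone.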

Matt45D commented 4 years ago

Any update on this issue? I'm running into this exact issue with my connected ADFS Azure Stack environment.