hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

azurerd oidc #1462

Open rasnarams opened 2 weeks ago

rasnarams commented 2 weeks ago

Community Note

Terraform (and AzureAD Provider) Version

Azure Version 2.23.0 Terraform 1.4.6

Affected Resource(s)

Initial provider configuration

Terraform Configuration Files

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.23.0"
    }
  }
}
# Configure the Microsoft Azure Provider
provider "azuread" {
  use_oidc = true # or use the environment variable "ARM_USE_OIDC=true"
  features {}
}

# Retrieve domain information
data "azuread_domains" "example" {
  only_initial = true
}

Debug Output

╷
│ Error: Unsupported block type
│
│   on main.tf line 15, in provider "azuread":
│   15:   features {}
│
│ Blocks of type "features" are not expected here.
╵

On removing the features block:

╷
│ Error: building client: unable to obtain access token: githubAssertion: cannot request token: Get "?audience=api%3A%2F%2FAzureADTokenExchange": unsupported protocol scheme ""
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 13, in provider "azuread":
│   13: provider "azuread" {
╵

Panic Output

Expected Behavior

It should be able to authenticate and perform the data source or resource operation. If I am using client secrets it is working, but on using the OIDC option it is not working. I did set the env variables as suggested in the documentation:

$ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_USE_OIDC=true

Actual Behavior

Reporting error

Steps to Reproduce

  1. terraform plan

Important Factoids

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_oidc

nbaju1 commented 2 weeks ago

Remove the features argument from the provider, as this is not supported in the azuread provider (which the error message tells you). You're probably also using the azurerm provider, which does support the features argument.

rasnarams commented 2 weeks ago

If you see the official documentation, it shows a features block.

But even if I remove it, it still doesn't work:

╷
│ Error: building client: unable to obtain access token: githubAssertion: cannot request token: Get "?audience=api%3A%2F%2FAzureADTokenExchange": unsupported protocol scheme ""
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 13, in provider "azuread":
│   13: provider "azuread" {
╵

nbaju1 commented 2 weeks ago

I believe that is just an error in that particular documentation page. If you look at the argument reference on the provider page it does not list features.

Did you provide the ARM_OIDC_TOKEN environment variable? And when authenticating with OIDC you don't need client ID and client secret.

manicminer commented 1 week ago

Thanks for the heads-up. As @nbaju1 mentioned, this is a documentation bug; just omit the features {} block.

The second error you're getting is because it's trying to use GitHub-style OIDC by querying a token vending service to obtain the ID token, but the URL for that service wasn't provided. Either you aren't running in GitHub actions, in which case you need to provide an ID token, or your workflow isn't set up correctly per GitHub docs.

We could do a better job with that second error handling, I'll look to improve this. Although I would also recommend using the latest version of the provider (currently v2.53.1), since that may well be handled better already.
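A pre-flight check for the non-GitHub path described above (supply the ID token yourself through ARM_OIDC_TOKEN instead of relying on a GitHub token-vending URL), added here as an example and not part of the issue or the provider. It checks the variables the issue and the provider docs name and inspects the token's aud claim, which the failing request in this thread shows as api://AzureADTokenExchange; the base64url helpers, the issuer and subject in the sample token, and the "token exchange" wording are constructed for the example.

```shell
#!/bin/sh
# Pre-flight check for azuread OIDC auth on a non-GitHub runner (e.g. Scalr).
# Constructed example, not provider code. ARM_USE_OIDC, ARM_OIDC_TOKEN,
# ARM_CLIENT_ID and ARM_TENANT_ID are the variables the issue and provider docs
# name; the audience value is the one the failing request in the issue asked for.

# base64url helpers (RFC 7515 alphabet, no padding); encode is used only to
# build the constructed sample token below.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="${seg}==" ;; 3) seg="${seg}=" ;; esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Print one string claim from the JWT payload. No signature check here: that is
# Azure AD's job against the federated credential's issuer; this only lets you
# see what you are about to send.
jwt_claim() {
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the environment can take the "supply the ID token yourself"
# path; otherwise say on stderr which precondition is missing and return 1.
check_oidc_env() {
  [ "$ARM_USE_OIDC" = "true" ] \
    || { echo "ARM_USE_OIDC is not 'true': OIDC will not be attempted" >&2; return 1; }
  [ -n "$ARM_CLIENT_ID" ] && [ -n "$ARM_TENANT_ID" ] \
    || { echo "ARM_CLIENT_ID and ARM_TENANT_ID are both required" >&2; return 1; }
  [ -n "$ARM_OIDC_TOKEN" ] \
    || { echo "ARM_OIDC_TOKEN is empty: provider falls back to GitHub token exchange" >&2; return 1; }
  aud=$(jwt_claim "$ARM_OIDC_TOKEN" aud)
  [ "$aud" = "api://AzureADTokenExchange" ] \
    || { echo "token aud is '$aud', federated credential expects api://AzureADTokenExchange" >&2; return 1; }
}

# Constructed sample token (issuer and subject are placeholders, signature is
# not real) so the check can be exercised without a CI runner.
sample_token() {
  hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
  pl=$(b64url_encode "{\"aud\":\"$1\",\"iss\":\"https://oidc.example.invalid\",\"sub\":\"run:123\"}")
  printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}
```

Run check_oidc_env in the job before terraform plan; an unset ARM_USE_OIDC means the provider never tries OIDC at all, which is consistent with the Azure CLI fallback error that appears later in this thread.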

rasnarams commented 1 week ago

Thank you. Yes, I did set OIDC_TOKEN. Will it work only if GitHub is the app? I am using Scalr.

rasnarams commented 1 week ago

Will it work only if GitHub is the app? I am using Scalr.

rasnarams commented 1 week ago

I used the latest version of the provider, 2.53.1. I didn't make any other changes.

Here are the variables I'm setting:

provider "azuread" {

}

Any suggestion how to get this fixed? Just FYI, if I use client secrets it works. Only for OIDC it is not working.

I am using Scalr as my remote for the tf run.

│ Error: unable to build authorizer: could not configure AzureCli Authorizer: tenant ID was not specified and the default tenant ID could not be determined: obtaining tenant ID: obtaining account details: running Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 13, in provider "azuread":
│   13: provider "azuread" {