Open rasnarams opened 2 weeks ago
Remove the features argument from the provider, as this is not supported in the azuread provider (which the error message tells you). You're probably also using the azurerm provider, which does support the features argument.
If you see the official documentation, it shows a features block, but even if I remove it, it still doesn't work.
╷
│ Error: building client: unable to obtain access token: githubAssertion: cannot request token: Get "?audience=api%3A%2F%2FAzureADTokenExchange": unsupported protocol scheme ""
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 13, in provider "azuread":
│   13: provider "azuread" {
│
╵
I believe that is just an error in that particular documentation page. If you look at the argument reference on the provider page it does not list features.
Did you provide the ARM_OIDC_TOKEN environment variable? And when authenticating with OIDC you don't need client ID and client secret.
Thanks for the heads-up, as @nbaju1 mentioned this is a documentation bug, just omit the features {} block.
The second error you're getting is because it's trying to use GitHub-style OIDC by querying a token vending service to obtain the ID token, but the URL for that service wasn't provided. Either you aren't running in GitHub actions, in which case you need to provide an ID token, or your workflow isn't set up correctly per GitHub docs.
We could do a better job with that second error handling, I'll look to improve this. Although I would also recommend using the latest version of the provider (currently v2.53.1), since that may well be handled better already.
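The token-source logic described in the comment above, as an added preflight script (not the provider's code and not posted by anyone in this thread): it reports which OIDC token source the environment would drive the provider to, flags the "no token and no request URL" case behind the empty-URL error, and checks that a supplied token carries the api://AzureADTokenExchange audience from the error message. ARM_USE_OIDC and ARM_OIDC_TOKEN are from this page; ARM_OIDC_TOKEN_FILE_PATH, ARM_OIDC_REQUEST_URL/ARM_OIDC_REQUEST_TOKEN and GitHub's ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKEN are assumed from the provider and GitHub documentation.

```shell
#!/usr/bin/env bash
# Added preflight for azuread provider OIDC authentication (illustration, not provider code).
# On the page: ARM_USE_OIDC, ARM_OIDC_TOKEN. Assumed from provider/GitHub docs, not on the
# page: ARM_OIDC_TOKEN_FILE_PATH, ARM_OIDC_REQUEST_URL/_TOKEN, ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN.

# Which token source would the provider use? Prints one of:
# disabled, static (ARM_OIDC_TOKEN), file, request (token-vending URL such as GitHub
# Actions), or none: the case behind 'Get "?audience=...": unsupported protocol scheme ""',
# where a request is attempted against an empty URL.
oidc_source() {
  [ "${ARM_USE_OIDC:-}" = "true" ] || { echo disabled; return; }
  [ -n "${ARM_OIDC_TOKEN:-}" ] && { echo static; return; }
  [ -n "${ARM_OIDC_TOKEN_FILE_PATH:-}" ] && { echo file; return; }
  url="${ARM_OIDC_REQUEST_URL:-${ACTIONS_ID_TOKEN_REQUEST_URL:-}}"
  tok="${ARM_OIDC_REQUEST_TOKEN:-${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}}"
  if [ -n "$url" ] && [ -n "$tok" ]; then echo request; else echo none; fi
}

# Decode the payload segment of a JWT (base64url, unpadded). No signature check:
# this only inspects claims before handing the token to the provider.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Entra ID federated credentials expect aud api://AzureADTokenExchange (the value
# URL-encoded in the error above); accept a string or array-valued aud claim.
token_audience_ok() {
  jwt_payload "$1" | grep -Eq '"aud":(\[[^]]*)?"api://AzureADTokenExchange"'
}

# Constructed, unsigned sample token for local testing only (never a real credential).
make_sample_token() {
  hdr=$(printf '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | tr '/+' '_-')
  pl=$(printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf '%s.%s.unsigned' "$hdr" "$pl"
}

# Run the checks against the current shell environment; non-zero means a terraform
# run would fail at token acquisition or at the token exchange.
preflight() {
  src=$(oidc_source)
  echo "token source: $src"
  if [ "$src" = static ] && ! token_audience_ok "$ARM_OIDC_TOKEN"; then
    echo "ARM_OIDC_TOKEN does not carry aud api://AzureADTokenExchange" >&2; return 1
  fi
  [ "$src" != none ] || { echo "no token and no request URL: set ARM_OIDC_TOKEN" >&2; return 1; }
}
```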
Thank you. Yes, I did set OIDC_TOKEN. Will it work only if GitHub is the app? I am using Scalr.
I used the latest version of the provider, 2.53.1. I didn't do any other changes. Here are the variables I'm setting:
provider "azuread" {
}
Any suggestion how to get this fixed? Just FYI, if I use client secrets it works. Only for OIDC it is not working.
I am using Scalr as my remote for the tf run.
│ Error: unable to build authorizer: could not configure AzureCli Authorizer: tenant ID was not specified and the default tenant ID could not be determined: obtaining tenant ID: obtaining account details: running Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│
│ with provider["registry.terraform.io/hashicorp/azuread"],
│ on main.tf line 13, in provider "azuread":
│ 13: provider "azuread" {
Terraform (and AzureAD Provider) Version
Azure Version 2.23.0
Terraform 1.4.6
Affected Resource(s)
Initial provider configuration
Debug Output
╷
│ Error: Unsupported block type
│
│   on main.tf line 15, in provider "azuread":
│   15:   features {}
│
│ Blocks of type "features" are not expected here.
╵
On removing the features block:
╷
│ Error: building client: unable to obtain access token: githubAssertion: cannot request token: Get "?audience=api%3A%2F%2FAzureADTokenExchange": unsupported protocol scheme ""
│
│   with provider["registry.terraform.io/hashicorp/azuread"],
│   on main.tf line 13, in provider "azuread":
│   13: provider "azuread" {
│
╵
Expected Behavior
It should be able to authenticate and perform the data source or resource operation. If I am using client secrets it is working, but on using the OIDC option it is not working. I did set the env variables as suggested in the documentation:
$ export ARM_CLIENT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_TENANT_ID="00000000-0000-0000-0000-000000000000"
$ export ARM_USE_OIDC=true
Actual Behavior
Reporting error
Steps to Reproduce
terraform plan
References
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/guides/service_principal_oidc