hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for OpenID Connect (OIDC) for azurerm provider #16226

Closed justinp-kr closed 2 years ago

justinp-kr commented 2 years ago

Description

GitHub Actions azure/login supports OpenID Connect (OIDC) based Federated Identity Credentials.

And so many CLI tasks can now be completed without managing a GitHub secret for ARM_CLIENT_SECRET. However, Terraform's azurerm provider complains during init even if you use alternative authentication for the backend:

Terraform has been successfully initialized!
╷
│ Error: building AzureRM Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
│ auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
│ 
│ Alternatively you can authenticate using the Azure CLI by using a User Account.
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],

A workaround, assuming that the secret is in an Azure key vault, is to create a key vault access policy that allows the service principal to get its own secret and then set ARM_CLIENT_SECRET prior to terraform init. This workaround avoids needing to rotate/reset the GitHub secret. Obviously a service principal secret may expire or be rotated after someone leaves the team. Managing secrets across many GitHub repositories becomes time consuming.

New or Affected Resource(s)/Data Source(s)

azurerm

Potential Terraform Configuration

No response

References

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-azure
https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux
https://github.com/Azure/login#sample-workflow-that-uses-azure-login-action-using-oidc-to-run-az-cli-linux
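The workaround described in the issue, as an added example workflow that is not part of the original issue or of the provider's own code: the job logs in with azure/login over OIDC, the service principal reads its own client secret from Key Vault, and the value is masked and exported as ARM_CLIENT_SECRET before terraform init. The vault name (example-kv), secret name (terraform-sp-secret) and the repository variables are assumed placeholders.

```yaml
# Added example, not from the issue: GitHub Actions job that logs in with OIDC,
# then lets the service principal fetch its own client secret from Key Vault so
# the azurerm provider can authenticate without a long-lived GitHub secret.
# One-time setup outside CI (assumed vault and app id):
#   az keyvault set-policy --name example-kv --spn "$APP_ID" --secret-permissions get
name: terraform-plan
on: [pull_request]

permissions:
  id-token: write   # required to request the GitHub OIDC token
  contents: read

jobs:
  plan:
    runs-on: ubuntu-latest
    env:
      ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
      ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ vars.AZURE_SUBSCRIPTION_ID }}
    steps:
      - uses: actions/checkout@v3

      # Federated login: the az CLI itself needs no client secret.
      - uses: azure/login@v1
        with:
          client-id: ${{ vars.AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.AZURE_TENANT_ID }}
          subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}

      # Workaround from the issue: read the SP's own secret from Key Vault
      # (vault and secret names are placeholders) and hand it to the provider.
      # Mask the value before exporting it so it never appears in step logs.
      - name: Fetch ARM_CLIENT_SECRET from Key Vault
        run: |
          set -euo pipefail
          secret="$(az keyvault secret show --vault-name example-kv \
                     --name terraform-sp-secret --query value -o tsv)"
          echo "::add-mask::$secret"
          echo "ARM_CLIENT_SECRET=$secret" >> "$GITHUB_ENV"

      - uses: hashicorp/setup-terraform@v2
      - run: terraform init
      - run: terraform plan
```

The Key Vault copy of the secret still expires or rotates on its own schedule; the workflow only removes the duplicate that would otherwise live in each repository's GitHub secrets.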

tombuildsstuff commented 2 years ago

hi @justinp-kr

Thanks for opening this issue.

Support for this is being tracked in https://github.com/hashicorp/go-azure-helpers/issues/91 - rather than having multiple issues open tracking the same thing I'm going to close this issue in favour of https://github.com/hashicorp/go-azure-helpers/issues/91, would you mind subscribing to that issue for updates?

Thanks!

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.