hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0
4.59k stars 4.63k forks source link

Related to #343 - Error: building AzureRM Client: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account. #17120

Closed ravensorb closed 1 year ago

ravensorb commented 2 years ago

Terraform (and AzureAD Provider) Version

Ubuntu 20.04, Terraform v1.2.2 on linux_amd64

Terraform Configuration Files

provider "azurerm" {    
  features {}

  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
  client_id       = var.azure_client_id
  client_secret   = var.azure_client_secret
}

Debug Output

Creating Terraform Apply Plan
╷
│ Error: building AzureRM Client: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
│
│   with module.vnet-hub.provider["registry.terraform.io/hashicorp/azurerm"],
│   on .terraform/modules/vnet-hub/versions.tf line 14, in provider "azurerm":
│   14: provider "azurerm" {
│
╵
Last Error Code: 1

Expected Behavior

Expect the azurerm to use the provided connection information

Actual Behavior

Would expect the variables to work. I confirmed using terraform console that they are loading, so it seems the provider is not using them from the header.

Steps to Reproduce

Create a main.tf file on a linux machine, add the provider information for a specific subscription, and execute a terraform plan

Note: this is on Ubuntu 20.04

manicminer commented 2 years ago

Hi @ravensorb, thanks for reporting this issue. This seems to be related to the AzureRM provider so I'll transfer the issue to the correct repo.

However, it looks like you are specifying authentication properties for native service principal authentication, which should mean that the azure-cli is not invoked at all. Can you please confirm your exact configuration and which version of Azure CLI you're using? Additionally, please can you provide a debug log as this will help us track down the source of the error you're getting. Thanks!

vishalmamidi commented 2 years ago

@manicminer Facing the same issue when trying to authenticate using Azure CLI. I am facing the issue with 2.38.0, 2.37.0, 2.36.0.

Could fix that temporarily by installing 2.30.0:

uninstall existing version

sudo apt-get remove -y azure-cli

install 2.30.3 using pip3 as apt repository doesn't have old versions below 2.36.0

pip3 install azure-cli==2.30.0

DanielHabenicht commented 2 years ago

I can confirm this on a Windows 10 machine:

2022-08-02T20:54:10.9018025Z Error: building AzureRM Client: obtain subscription(00000000-0000-0000-0000-000000000000) from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
2022-08-02T20:54:10.9027189Z 
2022-08-02T20:54:10.9038812Z with provider["registry.terraform.io/hashicorp/azurerm"],
2022-08-02T20:54:10.9041841Z on main.tf line 13, in provider "azurerm":
2022-08-02T20:54:10.9043118Z 13: provider "azurerm"
2022-08-02T20:54:10.9043708Z 

with version az-cli version: 2.39.0

But in the end it wasn't a Terraform error for me. Because of how my build script worked, the secret variables (ARM_CLIENT_SECRET and ARM_CLIENT_ID) were not populated. It would still be nice if the error message would be a little bit more punctuated regarding that just a secret was missing...

cam3ron2 commented 2 years ago

Experiencing this same issue. Environment:

Provider Config:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.0.0"
    }
    azuread = {
      source  = "hashicorp/azuread"
      version = ">= 1.0"
    }
  }
}

provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

provider "azuread" {
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
}

Terraform Init:

+ terragrunt init -no-color

Initializing the backend...

Warning: "use_microsoft_graph": [DEPRECATED] This field now defaults to `true` and will be removed in v1.3 of Terraform Core due to the deprecation of ADAL by Microsoft.

Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

time=2022-08-04T14:12:16Z level=error msg=Terraform invocation failed in /home/jenkins/workspace/_architecture-sample_cam_changes/appconfig
time=2022-08-04T14:12:16Z level=error msg=1 error occurred:
    * exit status 1

I can confirm though that we see the same issue with az-cli 2.30.0 unlike @vishalmamidi

Debug Log:

+ export TF_VAR_client_id=****
+ TF_VAR_client_id=****
+ export TF_VAR_client_secret=****
+ TF_VAR_client_secret=****
+ export TF_VAR_tenant_id=****
+ TF_VAR_tenant_id=****
+ export TF_VAR_subscription_id=****
+ TF_VAR_subscription_id=****
+ export TF_VAR_AZURE_SUBSCRIPTION_ID=****
+ TF_VAR_AZURE_SUBSCRIPTION_ID=****
+ export TF_LOG=DEBUG
+ TF_LOG=DEBUG
+ az login --service-principal -u **** -p **** --tenant ****
... (redacted)
+ az vm list-sizes --location westus
[
  {
    "maxDataDiskCount": 2,
    "memoryInMb": 512,
    "name": "Standard_B1ls",
    "numberOfCores": 1,
    "osDiskSizeInMb": 1047552,
    "resourceDiskSizeInMb": 4096
  },
  {
    "maxDataDiskCount": 2,
    "memoryInMb": 2048,
    "name": "Standard_B1ms",
    "numberOfCores": 1,
    "osDiskSizeInMb": 1047552,
    "resourceDiskSizeInMb": 4096
  },
... (truncated)
2022-08-04T16:30:04.170Z [INFO]  Terraform version: 1.2.6
2022-08-04T16:30:04.170Z [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-08-04T16:30:04.170Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-08-04T16:30:04.170Z [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-08-04T16:30:04.170Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-08-04T16:30:04.170Z [DEBUG] using github.com/zclconf/go-cty v1.10.0
2022-08-04T16:30:04.170Z [INFO]  Go runtime version: go1.18.1
2022-08-04T16:30:04.170Z [INFO]  CLI args: []string{"terraform", "init", "-no-color"}
2022-08-04T16:30:04.170Z [DEBUG] Attempting to open CLI config file: /root/.terraformrc
2022-08-04T16:30:04.170Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2022-08-04T16:30:04.170Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-08-04T16:30:04.170Z [DEBUG] ignoring non-existing provider search directory /root/.terraform.d/plugins
2022-08-04T16:30:04.170Z [DEBUG] ignoring non-existing provider search directory /root/.local/share/terraform/plugins
2022-08-04T16:30:04.170Z [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2022-08-04T16:30:04.170Z [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2022-08-04T16:30:04.171Z [INFO]  CLI command args: []string{"init", "-no-color"}

Initializing the backend...
2022-08-04T16:30:04.173Z [DEBUG] New state was assigned lineage "***"
2022-08-04T16:30:04.173Z [DEBUG] checking for provisioner in "."
2022-08-04T16:30:04.174Z [DEBUG] checking for provisioner in "/usr/local/bin"
2022-08-04T16:30:04.175Z [INFO]  Testing if Service Principal / Client Certificate is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if Service Principal / Client Secret is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if OIDC is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if Managed Service Identity is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if Obtaining a Multi-tenant token from the Azure CLI is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2022-08-04T16:30:04.175Z [INFO]  Using Obtaining a token from the Azure CLI for Authentication

Warning: "use_microsoft_graph": [DEPRECATED] This field now defaults to `true` and will be removed in v1.3 of Terraform Core due to the deprecation of ADAL by Microsoft.

Error: Error building ARM Config: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

time=2022-08-04T16:30:05Z level=error msg=Terraform invocation failed in ***
time=2022-08-04T16:30:05Z level=error msg=1 error occurred:
    * exit status 1

As you can see in this example, we have also tested the credentials being passed via az login and they work, so it's not falling back to az-cli because credentials are incorrect or missing.

manicminer commented 2 years ago

@cam3ron2 In your config snippet, you also appear to be using service principal authentication and not Azure CLI auth. Additionally, the AzureRM provider does not support authenticating Azure CLI with a service principal - you must authenticate as a user. Please can you try to reproduce with a config that doesn't specify client_id or client_secret / client_certificate_path.

manicminer commented 2 years ago

> @manicminer Facing the same issue when trying to authenticate using Azure CLI. I am facing the issue with 2.38.0, 2.37.0, 2.36.0.
>
> Could fix that temporarily by installing 2.30.0:
>
> uninstall existing version
>
> sudo apt-get remove -y azure-cli
>
> install 2.30.3 using pip3 as apt repository doesn't have old versions below 2.36.0
>
> pip3 install azure-cli==2.30.0

@vishalmamidi Thanks, I'll try to reproduce with Azure CLI 2.36.0 and above.

cam3ron2 commented 2 years ago

> @cam3ron2 In your config snippet, you also appear to be using service principal authentication and not Azure CLI auth. Additionally, the AzureRM provider does not support authenticating Azure CLI with a service principal - you must authenticate as a user. Please can you try to reproduce with a config that doesn't specify client_id or client_secret / client_certificate_path.

@manicminer I don't want to authenticate via Azure CLI. I want to authenticate as a service principal, and I have no idea why it's attempting to authenticate via CLI if I have provided SP credentials.

cam3ron2 commented 2 years ago

So it seems that there is separation between the config values for the azurerm provider and backend which is not made clear by the documentation. You need to provide separate credentials for both the provider and the backend, otherwise the backend will just fall back to azcli auth. To get the backend and provider to use SP credentials I made use of the ARM_ environment variables which they both read.

I think that the documentation should be more explicit and state that the backend requires separate auth config unless using environment variables, to save others time.

ted-repo commented 1 year ago

Hi Cam3ron2

Please can you provide more guidance? I am having a similar problem. I am using Github actions with terraform to deploy Azure resources.

All secrets in GitHub are in this format (e.g. ARM_CLIENTID) with "ARM"

Full Error: Error building ARM Config: obtain subscription() from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

example of a section of the terraform config file:

# Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.

- name: Terraform Init
  id: init
  env:
    ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
    ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
    ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
    RESOURCE_GROUP: ${{ secrets.RESOURCE_GROUP }}
    STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
    CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}
  run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP"

hkarthik7 commented 1 year ago

I'm facing the same issue. I have backend state files in a different subscription and am deploying the resources to a different subscription. Running the Terraform workflow from a PowerShell script in Azure Pipelines errors out.

Backend block:

terraform {
  required_version = ">=1.3.7"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.41.0"
    }
  }
  backend "azurerm" {
    subscription_id      = "subscription"
    resource_group_name  = "resource_group_name"
    storage_account_name = "storage_account_name"
    container_name       = "container_name"
    key                  = "resource.tfstate"
  }
}

provider "azurerm" {
  features {}
}

Data source:

data "terraform_remote_state" "resource_group" {
  backend = "azurerm"
  config = {
    subscription_id      = "subscription"
    resource_group_name  = "resource_group_name"
    storage_account_name = "storage_account_name"
    container_name       = "container_name"
    key                  = "resource.tfstate"
  }
}

I'm setting the subscription in current context, retrieving the storage account key and setting the environment variable ARM_ACCESS_KEY. To deploy the resources, switching the subscription -> here is where the problem occurs. Terraform successfully initialises the backend and fails in plan section with the same error as above.

hkarthik7 commented 1 year ago

The issue is resolved after setting the environment variables -> ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET.
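
Several comments above trace the 'az login' error to ARM_* variables that were empty or not read by the backend. As an added example (not from the thread or the provider project), a POSIX shell preflight that names the missing variable without printing any value, plus a check of a TF_LOG=DEBUG log for the Azure CLI auth line quoted earlier; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: preflight guard for service principal auth in CI.
# Function names are hypothetical; the ARM_* names are the ones from this thread.

# Print the names (never the values) of ARM_* variables that are unset or empty.
missing_arm_vars() {
  missing=""
  for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    # Names come from the fixed list above, so eval never sees untrusted input.
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="${missing:+$missing }$name"
  done
  unset value
  printf '%s' "$missing"
}

# Fail before terraform runs, so an empty secret is reported as such
# instead of surfacing later as "Please run 'az login'".
preflight() {
  missing_list="$(missing_arm_vars)"
  if [ -n "$missing_list" ]; then
    echo "refusing to run terraform; unset or empty: $missing_list" >&2
    return 1
  fi
}

# Read a TF_LOG=DEBUG log on stdin; succeed if the Azure CLI auth path was chosen.
selected_cli_auth() {
  grep -q 'Using Obtaining a token from the Azure CLI for Authentication'
}

# Typical CI use (init.log is an assumed file name):
#   preflight || exit 1
#   TF_LOG=DEBUG TF_LOG_PATH=init.log terraform init
#   if selected_cli_auth <init.log; then echo "Azure CLI auth was selected" >&2; exit 1; fi
```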

manicminer commented 1 year ago

As there are a number of issues being unintentionally conflated here, and because the original report is no longer relevant now that we have updated to a new authentication library, I'm going to close this one out as resolved.

If you encounter any authentication bugs using the latest version of the AzureRM provider, please feel free to open a new issue using the provided template. Please provide as much detail about your configuration as possible, to help a maintainer reproduce your issue. Thanks!

github-actions[bot] commented 1 year ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.