Dynamic Credentials with the Azure Provider
Important: Ensure you are using version 3.25.0 or later of the AzureRM provider and version 2.29.0 or later of the AzureAD provider, because the OIDC functionality this integration requires was introduced in those provider versions.
Important: If using self-managed agents, make sure you’re using v1.7.0 or later.
Warning: Dynamic Credentials with the Azure providers do not work when your TFE instance is using a custom or self-signed certificate due to restrictions on Azure's end.
You can use Terraform Cloud’s native OpenID Connect integration with Azure to get dynamic credentials for the AzureRM or AzureAD providers in your Terraform Cloud runs. Configuring the integration requires the following steps:
- Configure Azure: Set up a trust configuration between Azure and Terraform Cloud. Then, you must create Azure roles and policies for your Terraform Cloud workspaces.
- Configure Terraform Cloud: Add environment variables to the Terraform Cloud workspaces where you want to use Dynamic Credentials.
Once you complete the setup, Terraform Cloud automatically authenticates to Azure during each run. The Azure provider authentication is valid for the length of the plan or apply.
You must enable and configure an application and service principal with accompanying federated credentials and permissions on Azure. These instructions use the Azure portal, but you can also use Terraform to configure Azure. Refer to our example Terraform configuration.
Create an Application and Service Principal
Follow the steps mentioned in the AzureRM provider docs here: Creating the Application and Service Principal.
As mentioned in that documentation, make a note of the client_id for the application, because you will use it later for authentication.
Note: skip the “Configure Azure Active Directory Application to Trust a GitHub Repository” section, as it does not apply here.
Grant the Application Access to Manage Resources in Your Azure Subscription
You must now give the created Application permission to modify resources within your Subscription.
Follow the steps mentioned in the AzureRM provider docs here: Granting the Application access to manage resources in your Azure Subscription.
Configure Azure Active Directory Application to Trust a Generic Issuer
Finally, you must create federated identity credentials which validate the contents of the token sent to Azure from Terraform Cloud.
Follow the steps mentioned in the AzureRM provider docs here: Configure Azure Active Directory Application to Trust a Generic Issuer.
The following information should be specified:
- Federated credential scenario: Must be set to
- Issuer: The address of Terraform Cloud (e.g., https://app.terraform.io).
  - Important: make sure this value starts with https:// and does not have a trailing slash.
- Subject identifier: The subject identifier from Terraform Cloud that this credential will match. This will be in the form
  run_phase can be one of
- Name: A name for the federated credential, such as tfc-plan-credential. Note that this cannot be changed later.
The following is optional, but may be desired:
- Audience: Enter the audience value that will be set when requesting the identity token. This will be api://AzureADTokenExchange by default. This should be set to the value of TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE if this has been configured.
Note: because the Subject identifier for federated credentials is a direct string match, two federated identity credentials need to be created for each workspace using dynamic credentials: one that matches run_phase:plan and one that matches
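The Azure side of the setup (application, service principal, subscription role assignment and the two federated credentials) can be expressed in Terraform instead of the portal. The following is an added example written for this page, not HashiCorp's example configuration. It assumes the AzureAD provider 2.x argument and attribute names (application_object_id, application_id) and the AzureRM provider 3.x; the organization, project and workspace names are placeholders, and the subject string follows the organization/project/workspace/run_phase form that Terraform Cloud uses for its workload identity token, so check it against your Terraform Cloud version.

```hcl
# Added example (not from the page or from HashiCorp). Assumes AzureAD provider 2.x
# and AzureRM provider 3.x. Names under locals are placeholders.
terraform {
  required_providers {
    azuread = { source = "hashicorp/azuread", version = ">= 2.29.0" }
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.25.0" }
  }
}

provider "azurerm" {
  features {}
}

locals {
  tfc_hostname     = "https://app.terraform.io"   # https:// prefix, no trailing slash
  tfc_organization = "example-org"                # placeholder
  tfc_project      = "Default Project"            # placeholder
  tfc_workspace    = "example-workspace"          # placeholder
  tfc_audience     = "api://AzureADTokenExchange" # default; use TFC_AZURE_WORKLOAD_IDENTITY_AUDIENCE's value if you set it
}

data "azurerm_subscription" "current" {}

# The application whose client_id the Terraform Cloud workspace will authenticate as.
resource "azuread_application" "tfc" {
  display_name = "terraform-cloud-${local.tfc_workspace}"
}

resource "azuread_service_principal" "tfc" {
  application_id = azuread_application.tfc.application_id
}

# Permission to manage resources in the subscription. Contributor is what the
# referenced AzureRM docs use; narrow the role or the scope where you can.
resource "azurerm_role_assignment" "tfc" {
  scope                = data.azurerm_subscription.current.id
  role_definition_name = "Contributor"
  principal_id         = azuread_service_principal.tfc.object_id
}

# One federated credential per run phase: Azure compares the subject as an exact
# string, and plan and apply runs present different run_phase values.
resource "azuread_application_federated_identity_credential" "tfc" {
  for_each = toset(["plan", "apply"])

  application_object_id = azuread_application.tfc.object_id
  display_name          = "tfc-${each.key}-credential" # cannot be renamed later
  description           = "Terraform Cloud ${each.key} phase for workspace ${local.tfc_workspace}"
  audiences             = [local.tfc_audience]
  issuer                = local.tfc_hostname
  subject               = "organization:${local.tfc_organization}:project:${local.tfc_project}:workspace:${local.tfc_workspace}:run_phase:${each.key}"
}

output "client_id" {
  description = "Client ID to configure in the Terraform Cloud workspace variables."
  value       = azuread_application.tfc.application_id
}
```

This configuration is applied once, with whatever credentials you normally use to administer the tenant; the workspace that consumes the dynamic credentials only needs the client_id output and never holds a secret for this application.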
Configure Terraform Cloud
You’ll need to set some environment variables in your Terraform Cloud workspace in order to configure Terraform Cloud to authenticate with Azure using dynamic credentials. You can set these as workspace variables.
Required Environment Variables
| Variable | Value | Description |
| --- | --- | --- |
| | | Must be present and set to |
| | The client ID for the Service Principal / Application used when authenticating to Azure. | Optional if |
Optional Environment Variables
You may need to set these variables, depending on your use case.
| Variable | Value | Description |
| --- | --- | --- |
| | Will be used as the | |
| | The client ID for the Service Principal / Application to use for the plan phase of a run. | Will fall back to the value of |
| | The client ID for the Service Principal / Application to use for the apply phase of a run. | Will fall back to the value of |
Configure the AzureRM or AzureAD Provider
Make sure that you’re passing values for the tenant_id arguments into the provider configuration block or setting the ARM_TENANT_ID variables in your workspace.
Make sure that you’re not setting values for oidc_token in the provider or setting any of
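As an added illustration of the provider configuration described above (example code, not from the page or from HashiCorp), the following shows the provider blocks of a workspace that uses dynamic credentials, with the static-secret form they replace shown beside them. The subscription_id and tenant_id variables are assumptions standing in for your own values; they could equally come from ARM_SUBSCRIPTION_ID and ARM_TENANT_ID workspace variables.

```hcl
# Added example (not from the page or from HashiCorp): provider configuration in
# the workspace's own Terraform code once dynamic credentials are enabled.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.25.0" }
    azuread = { source = "hashicorp/azuread", version = ">= 2.29.0" }
  }
}

# Assumed inputs; alternatively set ARM_SUBSCRIPTION_ID / ARM_TENANT_ID in the workspace.
variable "subscription_id" { type = string }
variable "tenant_id"       { type = string }

# Correct: identify only the tenant and subscription. No client_id, client_secret,
# oidc_token or use_oidc here; Terraform Cloud supplies the run-scoped identity
# token and the client ID for the current run phase, valid for that plan or apply.
provider "azurerm" {
  features {}
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
}

provider "azuread" {
  tenant_id = var.tenant_id
}

# Incorrect (shown for contrast, do not use): a long-lived secret in the workspace.
# It is a standing credential to protect and rotate, and setting client_id or
# oidc_token in the provider conflicts with the dynamic credentials injected by
# Terraform Cloud.
#
# provider "azurerm" {
#   features {}
#   subscription_id = var.subscription_id
#   tenant_id       = var.tenant_id
#   client_id       = "00000000-0000-0000-0000-000000000000" # placeholder
#   client_secret   = var.client_secret
# }
```

A quick check before enabling the integration is to search the workspace's configuration and variables for client_id, client_secret, oidc_token and the corresponding ARM_* variables and remove them, so that nothing in the workspace overrides the per-run token.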