data.azurerm_client_config.current has empty client_id, object_id and tenant_id when using Azure MSI
gevorg15 opened this issue · 16 comments
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform (and AzureRM Provider) Version
terraform -v
Terraform v0.12.26
+ provider.azurerm v2.19.0
Affected Resource(s)
azurerm_client_config (data source)
Terraform Configuration Files
provider "azurerm" {
version = "~> 2.0"
features {}
}
data "azurerm_client_config" "current" {}
output "current_client_config" {
  value = data.azurerm_client_config.current
}
Debug Output
Panic Output
Expected Behavior
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
current_client_config = {
"client_id" = "00000000-0000-0000-0000-000000000000"
"id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
"object_id" = "00000000-0000-0000-0000-000000000000"
"subscription_id" = "00000000-0000-0000-0000-000000000000"
"tenant_id" = "00000000-0000-0000-0000-000000000000"
}
Actual Behavior
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
current_client_config = {
"client_id" = ""
"id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
"object_id" = ""
"subscription_id" = "00000000-0000-0000-0000-000000000000"
"tenant_id" = ""
}
Steps to Reproduce
- Create a VM in Azure with a Managed System Identity (MSI)
- Login to the newly created VM.
- Set required environment variables
export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 ARM_USE_MSI=true
terraform init
terraform apply
Important Factoids
The azurerm_client_config data provider becomes useless since you're not able to retrieve any useful information.
References
- #0000
Hi @gevorg15, thanks for this issue and sorry for the delayed response.
According to this document, to get the MSI authentication working, you will have to set ARM_SUBSCRIPTION_ID, ARM_USE_MSI=true and ARM_TENANT_ID, or configure them in the provider block like this:
provider "azurerm" {
features {}
use_msi = true
subscription_id = "..."
tenant_id = "..."
}
The MSI works fine (can manage resources) but if you want to access these keys (client_id and object_id) under azurerm_client_config, the values are missing/empty.
Terraform 0.13.5
Provider 2.38.0
I have the same error with msi and in cloud shell (#6310).
This is the workaround logic I am using today in bash to retrieve the object_id and tenant_id regardless of whether it is an Azure AD user, service principal, system MSI or user-assigned MSI, and inject them into Terraform as TF_VAR. Not ideal but working.
By running the Terraform code snippet above I am expecting the object_id and tenant_id to be provided all the time regardless of the authentication method.
My workaround was to hardwire the object ID & tenant ID in variables, and use them if they were unavailable from the data provider:
variable "default_admin_objectid" {
type = string
default = "00000000-0000-0000-0000-000000000001" # My real AD acct objectid (redacted; must be a valid UUID or the access policy fails validation)
description = "Active Directory object ID of admin for resources. Not used except at resource creation."
}
variable "default_ad_tenant_id" {
# Needed due to https://github.com/hashicorp/terraform-provider-azurerm/issues/7787
type = string
default = "00000000-0000-0000-0000-000000000002" # My real AD acct tenantid (redacted)
description = "Active Directory tenant ID. Only used when we can't autodetect."
}
locals {
# As running on Azure Cloudshell doesn't populate the user ObjectID or TenantID, we need the below workaround
# If length of returned object_id/tenant_id > 0, use it, but if not, fall back to var.default_admin_objectid / var.default_ad_tenant_id
deploy_user_object_id = length(data.azurerm_client_config.current.object_id) > 0 ? data.azurerm_client_config.current.object_id : var.default_admin_objectid
deploy_user_tenant_id = length(data.azurerm_client_config.current.tenant_id) > 0 ? data.azurerm_client_config.current.tenant_id : var.default_ad_tenant_id
}
# Example usage
resource "azurerm_key_vault_access_policy" "kv-ro" {
key_vault_id = azurerm_key_vault.kv.id
tenant_id = local.deploy_user_tenant_id
object_id = local.deploy_user_object_id
secret_permissions = [
"Get", "List"
]
}
- I got the same problem using Azure MSI:
[
{
"environmentName": "AzureCloud",
"homeTenantId": "...",
"id": "...",
"isDefault": true,
"managedByTenants": [],
"name": "...",
"state": "Enabled",
"tenantId": "...",
"user": {
"assignedIdentityInfo": "MSI",
"name": "systemAssignedIdentity",
"type": "servicePrincipal"
}
}
]
...
Error: expected "object_id" to be a valid UUID, got
with azurerm_key_vault_access_policy.client[0],
on main.tf line 152, in resource "azurerm_key_vault_access_policy" "client":
152: object_id = data.azurerm_client_config.current.object_id
time=2021-11-25T04:44:19Z level=error msg=1 error occurred:
* exit status 1
- Terraform (and AzureRM Provider) Version
azurerm: 2.86.0
Terraform: 1.0.5
Based on a previous comment, there was an external call to the Az CLI to get the id. Unfortunately 'az ad signed-in-user' was failing for me. So for anyone else stuck, I used:
data "external" "account_info" {
program = [
"az",
"identity",
"show",
"--resource-group",
azurerm_resource_group.main.name,
"--name",
var.user_assigned_ident_name,
"--query",
"{principal_id:principalId}",
]
}
and access it with:
the_id = data.external.account_info.result.principal_id
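The bash-to-TF_VAR approach mentioned earlier in the thread and the data "external" lookup just above both come down to one question: how to learn the deploying principal's object_id and tenant_id when data.azurerm_client_config hands back empty strings. The following is an added example for this thread (not code from the issue, the provider, or any commenter) that resolves them from the caller's own ARM access token, whose `oid` and `tid` claims identify the principal and tenant for a user, a service principal, or a system- or user-assigned managed identity alike. It assumes the machine is already logged in (for example via `az login --identity`) so that `az account get-access-token` works; the `constructed_example_token` helper and the UUIDs in it are fabricated fixtures, and the script name `resolve_principal.py` used below is hypothetical. It is written in Python rather than bash so the JWT and JSON handling does not depend on jq.

```python
"""Resolve object_id / tenant_id / client_id of the deploying principal from its
own Azure access token, for use when azurerm_client_config returns empty values.

Added example for this thread, not provider code. Assumes an Azure CLI that is
already logged in (user, service principal, or `az login --identity`).
"""
import base64
import json
import subprocess
import sys
import uuid

ARM_RESOURCE = "https://management.azure.com/"


def _b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment (base64url with the padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS WITHOUT verifying its signature.

    That is acceptable only because the token is our own, just minted by the
    CLI or IMDS, and the claims are used locally to fill Terraform inputs.
    Never use this to trust a token presented to you by another party.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def principal_from_token(token: str) -> dict:
    """Map the caller's identity claims onto the azurerm_client_config fields."""
    claims = decode_jwt_claims(token)
    info = {
        "object_id": claims.get("oid", ""),
        "tenant_id": claims.get("tid", ""),
        "client_id": claims.get("appid", ""),
    }
    # Fail here with a clear message instead of at apply time with
    # 'expected "object_id" to be a valid UUID, got'.
    for key in ("object_id", "tenant_id"):
        try:
            uuid.UUID(info[key])
        except ValueError:
            raise ValueError(f"{key} claim missing or not a UUID: {info[key]!r}") from None
    # Interactive users carry a upn claim; service principals and MSIs do not.
    info["principal_type"] = "user" if claims.get("upn") else "servicePrincipal"
    return info


def fetch_token_from_cli() -> str:
    """Ask the logged-in Azure CLI for an ARM token (works for user, SP or MSI)."""
    proc = subprocess.run(
        ["az", "account", "get-access-token", "--resource", ARM_RESOURCE,
         "--query", "accessToken", "-o", "tsv"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout.strip()


def tf_var_exports(info: dict) -> str:
    """Render `export TF_VAR_*` lines, suitable for eval before terraform apply."""
    return "\n".join(f"export TF_VAR_{k}={v}" for k, v in sorted(info.items()))


def constructed_example_token(claims: dict) -> str:
    """Build an UNSIGNED token carrying the given claims (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    info = principal_from_token(fetch_token_from_cli())
    if "--exports" in sys.argv:
        print(tf_var_exports(info))
    else:
        # A flat JSON object of strings is the output shape `data "external"` requires.
        print(json.dumps(info))
```

Used as `eval "$(python3 resolve_principal.py --exports)"` it feeds the variable-fallback pattern from the earlier comment; used as `program = ["python3", "resolve_principal.py"]` in a data "external" block it replaces the `az identity show` call above, with the advantage that it needs neither the identity's resource group and name nor `az ad signed-in-user`, which fails for managed identities.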
I was running into this error as well, and found that it's fixed in the 3.9.0 release. It's not directly in the release notes, but if you follow the breadcrumbs back to the go-azure-helpers patch that was pulled in, you can see the update.
I still get this issue with MSI:
terraform 1.2.2
azurerm provider 3.19.1
...
- Using hashicorp/time v0.7.2 from the shared cache directory
- Using hashicorp/random v3.3.1 from the shared cache directory
- Using hashicorp/azurerm v3.19.1 from the shared cache directory
...
Acquiring state lock. This may take a few moments...
data.azurerm_client_config.current: Reading...
data.azurerm_user_assigned_identity.identity[0]: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-01 03:05:32.781347836 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/...]
data.azurerm_user_assigned_identity.identity[0]: Read complete after 1s [id=/subscriptions/../resourceGroups/mgmt-rg-upm-centralus-.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-...]
...
(and 5 more similar warnings elsewhere)
with azurerm_key_vault_access_policy.client[0],
on main.tf line 179, in resource "azurerm_key_vault_access_policy" "client":
179: object_id = data.azurerm_client_config.current.object_id
Error: expected "object_id" to be a valid UUID, got
Releasing state lock. This may take a few moments...
time=2022-09-01T03:05:34Z level=error msg=1 error occurred:
* exit status 1
azure-cli 2.40.0
core 2.40.0
telemetry 1.0.8
Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1
Python location '/opt/homebrew/Cellar/azure-cli/2.40.0/libexec/bin/python'
Extensions directory '/Users/petr/.azure/cliextensions'
Python (Darwin) 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]
Legal docs and information: aka.ms/AzureCliLegal
Still no fix for this from the HashiCorp side? I am still having similar issues with the latest version of Terraform and azurerm.
This seems to be an issue when using system-assigned managed identities as well, to date.
AzureRm version used: 3.9.0
Azure CLI: 2.42.0
Any update?
It seems only
provider "azurerm" {
  features {}
  tenant_id       = "tenantID"
  subscription_id = "subID"
}
works and not
ARM_SUBSCRIPTION_ID: "subID"
ARM_TENANT_ID: "tenantID"
Workaround to use azuread. Apparently it was solved via #16982 but can't find the solution in https://github.com/hashicorp/terraform-provider-azurerm/blob/v3.9.0/CHANGELOG.md.
Seems to be fixed in v3.44.1:
https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.44.1
#20523
I have tested it in a VM with User Assigned Managed Identity:
# log in once with the VM's managed identity and keep the account JSON for the values below
account=$(az login --identity)
export ARM_USE_MSI=true
export ARM_SUBSCRIPTION_ID=$(jq -r '.[0].id' <<<"$account")
export ARM_TENANT_ID=$(jq -r '.[0].tenantId' <<<"$account")
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "= 3.44.1"
}
}
}
provider "azurerm" {
features {}
}
data "azurerm_client_config" "current" {}
output "current_client_config" {
  value = data.azurerm_client_config.current
}
This error is generated when logging in using username/password (via SAML auth), and via client_id/secret.
The workaround above with data.external.account_info only works if you are using username/password auth.