hashicorp/terraform-provider-azurerm

data.azurerm_client_config.current has empty client_id, object_id and tenant_id when using Azure MSI

gevorg15 opened this issue · 16 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

terraform -v
Terraform v0.12.26
+ provider.azurerm v2.19.0

Affected Resource(s)

  • azurerm_client_config Data

Terraform Configuration Files

provider "azurerm" {
    version = "~> 2.0" 
    features {}
}

data azurerm_client_config current {}

output current_client_config {
    value = data.azurerm_client_config.current
}

Debug Output

Panic Output

Expected Behavior

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

current_client_config = {
  "client_id" = "00000000-0000-0000-0000-000000000000"
  "id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
  "object_id" = "00000000-0000-0000-0000-000000000000"
  "subscription_id" = "00000000-0000-0000-0000-000000000000"
  "tenant_id" = "00000000-0000-0000-0000-000000000000"
}

Actual Behavior

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

current_client_config = {
  "client_id" = ""
  "id" = "2020-07-16 19:32:04.738092599 +0000 UTC"
  "object_id" = ""
  "subscription_id" = "00000000-0000-0000-0000-000000000000"
  "tenant_id" = ""
}

Steps to Reproduce

  1. Create a VM in Azure with a system-assigned managed identity (MSI)
  2. Log in to the newly created VM.
  3. Set the required environment variables: export ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000 ARM_USE_MSI=true
  4. terraform init
  5. terraform apply

Important Factoids

The azurerm_client_config data provider becomes useless since you're not able to retrieve any useful information.

References

  • #0000

Hi @gevorg15 thanks for this issue and sorry for the delay of response.

According to this document, to get the MSI authentication working, you will have to set ARM_SUBSCRIPTION_ID, ARM_USE_MSI=true and ARM_TENANT_ID, or configure them in the provider block like this:

provider "azurerm" {
  features {}

  use_msi = true
  subscription_id = "..."
  tenant_id = "..."
}

The MSI works fine (can manage resources) but if you want to access these (client_id and object_id) keys under azurerm_client_config, the values are missing/empty.
Terraform 0.13.5
Provider 2.38.0

I have the same error with msi and in cloud shell (#6310).

This is the workaround logic I am using today in bash to retrieve the object_id and tenant_id regardless of whether it is an Azure AD user, service principal, system-assigned MSI or user-assigned MSI, and inject them into Terraform as TF_VAR. Not ideal but working.

https://github.com/aztfmod/rover/blob/4098ce32e46f854445ac85839125f21410b439fc/scripts/functions.sh#L807

By running the Terraform code snippet above in Terraform I am expecting the object_id and tenant_id to be provided all the time, regardless of the authentication method.
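The approach behind the rover workaround linked above (read the identity out of the token rather than out of the provider) can be shown in a few lines of bash. The block below is an added example, not code from the provider or from the rover project: the managed identity's access token is a JWT whose payload already carries tid, oid and appid, so decoding that payload gives exactly the fields data.azurerm_client_config leaves empty under MSI. Assumed: GNU coreutils base64 and curl are present, the documented Azure IMDS token endpoint is reachable from the VM, and the TF_VAR_deploy_* names match variables you declare in your root module (those names are this example's, not the provider's).

```shell
#!/usr/bin/env bash
# Added example (not the provider's or rover's code): recover object_id,
# tenant_id and client_id from the access token the managed identity
# receives, so they are available no matter how Terraform authenticated.
# Assumptions: GNU base64, curl, the documented Azure IMDS token endpoint;
# the TF_VAR_deploy_* names are ours and must match your own variables.

# base64url -> bytes: restore '+' '/' and the '=' padding JWTs strip.
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# bytes (stdin) -> base64url; only used to build the constructed sample token.
b64url_encode() {
  base64 | tr -d '\n=' | tr '/+' '_-'
}

# jwt_claim TOKEN CLAIM: print the string value of CLAIM from the JWT payload,
# exit 1 if it is absent or empty. The signature is NOT checked: that is
# acceptable only because the token was issued to this process by IMDS a
# moment ago; never use this to accept a token presented by someone else.
jwt_claim() {
  local token="$1" claim="$2" payload
  payload=$(b64url_decode "$(printf '%s' "$token" | cut -d. -f2)")
  printf '%s\n' "$payload" |
    sed -n "s/.*\"$claim\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    grep .
}

# Constructed sample: the claim names (tid, oid, appid) are the ones Azure AD
# puts in ARM tokens; the GUIDs and the signature segment are fake.
SAMPLE_PAYLOAD='{"aud":"https://management.azure.com/","iss":"https://sts.windows.net/11111111-1111-1111-1111-111111111111/","tid":"11111111-1111-1111-1111-111111111111","oid":"22222222-2222-2222-2222-222222222222","appid":"33333333-3333-3333-3333-333333333333","idtyp":"app"}'
sample_token() {
  local header payload
  header=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  payload=$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode)
  printf '%s.%s.%s' "$header" "$payload" "fake-signature"
}

# Live path, only on an Azure VM with a managed identity (not exercised by
# the offline demo): fetch an ARM token from IMDS and print export lines.
# The token is a bearer credential: it stays in a variable and is never
# printed or written to state; only the (non-secret) IDs are exported.
imds_exports() {
  local resp token
  resp=$(curl -sf -H 'Metadata: true' \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/') || return 1
  token=$(printf '%s' "$resp" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "no access_token in IMDS response" >&2; return 1; }
  printf 'export ARM_USE_MSI=true\n'
  printf 'export ARM_TENANT_ID=%s\n'           "$(jwt_claim "$token" tid)"
  printf 'export TF_VAR_deploy_object_id=%s\n' "$(jwt_claim "$token" oid)"
  printf 'export TF_VAR_deploy_client_id=%s\n' "$(jwt_claim "$token" appid)"
}

# Offline demonstration on the constructed token.
demo() {
  local t
  t=$(sample_token)
  echo "tid=$(jwt_claim "$t" tid) oid=$(jwt_claim "$t" oid) appid=$(jwt_claim "$t" appid)"
  # On a VM:  eval "$(imds_exports)" && terraform apply
}
demo
```

On the VM you would run eval "$(imds_exports)" before terraform apply and reference var.deploy_object_id in the access policy instead of data.azurerm_client_config.current.object_id. jwt_claim treats an empty claim the same as a missing one, which is the failure mode this issue is about; a caller gets a non-zero exit instead of an empty string that later fails UUID validation.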

My workaround was to hardwire the object ID & tenant ID in variables, and use them if they were unavailable from the data provider:

variable "default_admin_objectid" {
  type = string
  default = "00000000-0000-0000-0000-0000000000001"  # My real AD acct objectid
  description = "Active Directory object ID of admin for resources. Not used except at resource creation."
}

variable "default_ad_tenant_id" {
  # Needed due to https://github.com/hashicorp/terraform-provider-azurerm/issues/7787
  type = string
  default = "00000000-0000-0000-0000-0000000000002"   # My real AD acct tenantid
  description = "Active Directory tenant ID. Only used when we can't autodetect."
}

locals {
  # As running on Azure Cloudshell doesn't populate the user ObjectID or TenantID, we need the below workaround
  # If length of returned object_id/tenant_id > 0, use it, but if not, fall back to var.default_admin_objectid / var.default_ad_tenant_id
  deploy_user_object_id = length(data.azurerm_client_config.current.object_id) > 0 ? data.azurerm_client_config.current.object_id : var.default_admin_objectid
  deploy_user_tenant_id = length(data.azurerm_client_config.current.tenant_id) > 0 ? data.azurerm_client_config.current.tenant_id : var.default_ad_tenant_id
}

# Example usage
resource "azurerm_key_vault_access_policy" "kv-ro" {
  key_vault_id = azurerm_key_vault.kv.id
  tenant_id    = local.deploy_user_tenant_id
  object_id    = local.deploy_user_object_id

  secret_permissions = [
    "Get", "List"
  ]
}
I got the same problem using Azure MSI:
[
  {
    "environmentName": "AzureCloud",
    "homeTenantId": "...",
    "id": "...",
    "isDefault": true,
    "managedByTenants": [],
    "name": "...",
    "state": "Enabled",
    "tenantId": "...",
    "user": {
      "assignedIdentityInfo": "MSI",
      "name": "systemAssignedIdentity",
      "type": "servicePrincipal"
    }
  }
]
...
Error: expected "object_id" to be a valid UUID, got 

  with azurerm_key_vault_access_policy.client[0],
  on main.tf line 152, in resource "azurerm_key_vault_access_policy" "client":
 152:   object_id    = data.azurerm_client_config.current.object_id

time=2021-11-25T04:44:19Z level=error msg=1 error occurred:
	* exit status 1
	*
Terraform (and AzureRM Provider) Version
azurerm: 2.86.0
Terraform: 1.0.5

Based on the previous comment there was an external call to Az CLI to get the id. Unfortunately 'az ad signed-in-user' was failing for me. So for anyone else stuck, I used:

data "external" "account_info" {
  # Ask the CLI for the principal ID of the user-assigned identity; the
  # external data source needs a flat JSON object of strings, which
  # --query "{principal_id:principalId}" produces.
  program = [
    "az", "identity", "show",
    "--resource-group", azurerm_resource_group.main.name,
    "--name", var.user_assigned_ident_name,
    "--query", "{principal_id:principalId}",
  ]
}

and access it with:

the_id = data.external.account_info.result.principal_id

This issue appears to be present for azure cli 2.37.0 for ubuntu wsl (sudo apt install -y --allow-downgrades azure-cli=2.37.0-1~focal) but absent for 2.36.0.

Using Terraform 0.13.4 and Azure RM provider 2.54.0.

I was running into this error as well, and found that it's fixed in the 3.9.0 release. It's not directly in the release notes, but if you follow the breadcrumbs back to the go-azure-helpers patch that was pulled in, you can see the update.

I still get this issue with MSI:
terraform 1.2.2
azurerm provider 3.19.1

...
- Using hashicorp/time v0.7.2 from the shared cache directory
- Using hashicorp/random v3.3.1 from the shared cache directory
- Using hashicorp/azurerm v3.19.1 from the shared cache directory

...
Acquiring state lock. This may take a few moments...
data.azurerm_client_config.current: Reading...
data.azurerm_user_assigned_identity.identity[0]: Reading...
data.azurerm_subscription.current: Reading...
data.azurerm_client_config.current: Read complete after 0s [id=2022-09-01 03:05:32.781347836 +0000 UTC]
data.azurerm_subscription.current: Read complete after 0s [id=/subscriptions/...]
data.azurerm_user_assigned_identity.identity[0]: Read complete after 1s [id=/subscriptions/../resourceGroups/mgmt-rg-upm-centralus-.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-...]

...
(and 5 more similar warnings elsewhere)
  with azurerm_key_vault_access_policy.client[0],
  on main.tf line 179, in resource "azurerm_key_vault_access_policy" "client":

 179:   object_id    = data.azurerm_client_config.current.object_id


Error: expected "object_id" to be a valid UUID, got 
Releasing state lock. This may take a few moments...
time=2022-09-01T03:05:34Z level=error msg=1 error occurred:
	* exit status 1


azure-cli 2.40.0

core 2.40.0
telemetry 1.0.8

Dependencies:
msal 1.18.0b1
azure-mgmt-resource 21.1.0b1

Python location '/opt/homebrew/Cellar/azure-cli/2.40.0/libexec/bin/python'
Extensions directory '/Users/petr/.azure/cliextensions'

Python (Darwin) 3.10.6 (main, Aug 30 2022, 04:58:14) [Clang 13.1.6 (clang-1316.0.21.2.5)]

Legal docs and information: aka.ms/AzureCliLegal

still no fix to this from hashicorp side? I am still having similar issues with latest version of terraform and azurerm

This seems to be an issue when using system-assigned managed identities as well, to date.

AzureRm version used: 3.9.0
Azure CLI: 2.42.0

Any update?
It seems only

provider "azurerm" {
  features {}
  tenant_id       = "tenantID"
  subscription_id = "subID"
}

works and not

ARM_SUBSCRIPTION_ID: "subID"
ARM_TENANT_ID: "tenantID"

Workaround to use azuread. Apparently it was solved via #16982 but can't find the solution in https://github.com/hashicorp/terraform-provider-azurerm/blob/v3.9.0/CHANGELOG.md.

Seems to be fixed in v3.44.1:
https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.44.1
#20523

I have tested it in a VM with User Assigned Managed Identity:

export ARM_USE_MSI=true
login_json=$(az login --identity)
export ARM_SUBSCRIPTION_ID=$(printf '%s' "$login_json" | jq -r '.[0] | .id')
export ARM_TENANT_ID=$(printf '%s' "$login_json" | jq -r '.[0] | .tenantId')

terraform {

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "= 3.44.1"
    }
  }
}

provider "azurerm" {
  features {}
}

data azurerm_client_config current {}

output current_client_config {
    value = data.azurerm_client_config.current
}


This error is generated logging in using username/password (via SAML auth); and via client_id/secret.

The workaround above with data.external.account_info only works if you are using a username/password auth.