
I want to configure two azurerm providers using environment variables.

I tried this:

variable "SUBSCRIPTION_ID" {
  description = "Subscription ID where resources will be deployed."
}

variable "TENANT_ID" {
  description = "Service Principal Tenant ID."
}

provider "azurerm" {
  subscription_id = var.SUBSCRIPTION_ID
  tenant_id       = var.TENANT_ID

  use_msi = true

  features {}
}

#################################################################
#                Tools provider
#################################################################

variable "TOOLS_SUBSCRIPTION_ID" {
  description = "Subscription ID where Tools are located."
}

variable "TOOLS_TENANT_ID" {
  description = "Service Principal Tenant ID."
}

provider "azurerm" {
  alias           = "tools"
  subscription_id = var.TOOLS_SUBSCRIPTION_ID
  tenant_id       = var.TOOLS_TENANT_ID

  use_msi = true

  features {}
}

With these environment variables defined:

  • TF_VAR_SUBSCRIPTION_ID
  • TF_VAR_TENANT_ID
  • TF_VAR_TOOLS_SUBSCRIPTION_ID
  • TF_VAR_TOOLS_TENANT_ID

I checked and all values are present. However, I got this error:

│ Error: building AzureRM Client: 1 error occurred:
│   * A Client ID must be configured when authenticating as a Service Principal using a Client Secret.
│ 
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 17, in provider "azurerm":
│   17: provider "azurerm" {
│ 
╵
╷
│ Error: building AzureRM Client: 1 error occurred:
│   * A Client ID must be configured when authenticating as a Service Principal using a Client Secret.
│ 
│ 
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"].tools,
│   on providers.tf line 48, in provider "azurerm":
│   48: provider "azurerm" {
│ 

The code was run on an Azure VM Scale Set with an assigned managed identity.

I made another test and got the same error for a single provider. It looks like something is wrong with passing variables via the TF_VAR_name environment variables.

I use these versions:

  • Terraform v1.0.11
  • azurerm v2.98.0
Krzysztof Madej

2 Answers


The error indicates that the client_id argument for the provider has not been specified. When authenticating the AzureRM provider with a service principal, you also need to specify a client_id, and then either a secret or a certificate (unsure which you are targeting here).

provider "azurerm" {
  subscription_id = var.SUBSCRIPTION_ID
  tenant_id       = var.TENANT_ID
  client_id       = var.CLIENT_ID

  features {}
}

provider "azurerm" {
  alias           = "tools"
  subscription_id = var.TOOLS_SUBSCRIPTION_ID
  tenant_id       = var.TOOLS_TENANT_ID
  client_id       = var.TOOLS_CLIENT_ID

  features {}
}

This will resolve your issue, but you will also need to specify the client cert or secret as mentioned in the linked documentation above. Also, the use_msi argument is being ignored by the provider configuration, so the provider is understanding the authentication method as service principal instead of managed service identity.

Note also that for the default provider configuration, you can use native authentication environment variables like ARM_SUBSCRIPTION_ID instead of Terraform variables i.e. var.SUBSCRIPTION_ID.

Matthew Schuchard
  • I try to use managed identity, not a service principal. And then I should use client_id only when I want to use a user-assigned identity, which is not my case. And since I want to use a system-assigned identity I need to provide subscription, tenant and set the use_msi flag. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/managed_service_identity – Krzysztof Madej Mar 08 '22 at 12:17
  • @KrzysztofMadej Yes you are using MSI. Try to use the native authentication variables for the default provider config. If those succeed, then your issue is with the variable declarations and you will need to update your question. If those fail, then you may need to file a bug report since the provider config is ignoring the `use_msi` argument. – Matthew Schuchard Mar 08 '22 at 12:24
  • Thanks for the advice! All was fine when I used service principal authentication. The issue started when I switched to MSI. – Krzysztof Madej Mar 08 '22 at 12:54

I found that one of the scripts set ARM_ACCESS_KEY and ARM_CLIENT_SECRET, and because of this Terraform considered this as Service Principal authentication. Once I removed that part all works fine.

Krzysztof Madej
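A pre-flight check for the root cause described in this answer, added here as an example (it is not from the question, the answers, or HashiCorp's azurerm provider): it scans an environment listing for the ARM_* credential variables that make the provider choose service-principal authentication over MSI, and refuses to continue while any are set. The sample environments are constructed; for a real run pass the output of `env`.

```shell
#!/bin/sh
# Pre-flight check for the failure mode in the answer above: a stray
# ARM_CLIENT_SECRET (or client certificate variables) in the environment makes
# the azurerm provider authenticate as a service principal even though
# use_msi = true was intended. Added helper; not part of the question,
# the answers, or the azurerm provider. Values are never printed.

# Variables that select service-principal authentication in the azurerm provider.
SP_CREDENTIAL_VARS="ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH ARM_CLIENT_CERTIFICATE_PASSWORD"
# ARM_ACCESS_KEY is read by the azurerm *backend* (storage account), not the
# provider; the answer's script set it too, so it is flagged for review.
BACKEND_VARS="ARM_ACCESS_KEY"

# find_conflicting_vars ENV_LISTING
# ENV_LISTING is text with one NAME=value per line (e.g. "$(env)").
# Prints the names of credential variables present, one per line; prints
# nothing when the environment is clean for MSI.
find_conflicting_vars() {
    listing="$1"
    for name in $SP_CREDENTIAL_VARS $BACKEND_VARS; do
        # match "NAME=" at the start of a line; the value itself is never echoed
        if printf '%s\n' "$listing" | grep -q "^${name}="; then
            printf '%s\n' "$name"
        fi
    done
}

# msi_preflight ENV_LISTING
# Returns 0 when MSI authentication can be used as intended, 1 when a
# conflicting variable would silently switch the provider to service-principal
# auth (the "A Client ID must be configured" error from the question).
msi_preflight() {
    conflicts=$(find_conflicting_vars "$1")
    if [ -n "$conflicts" ]; then
        echo "MSI preflight failed; unset these before running terraform:" >&2
        printf '  unset %s\n' $conflicts >&2
        return 1
    fi
    return 0
}

# Constructed sample environments (placeholder values, not real credentials).
CLEAN_ENV="ARM_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
ARM_TENANT_ID=11111111-1111-1111-1111-111111111111
ARM_USE_MSI=true"
LEAKED_ENV="${CLEAN_ENV}
ARM_CLIENT_SECRET=placeholder-secret
ARM_ACCESS_KEY=placeholder-key"

# Real usage (assumed wrapper, not from the page):
#   msi_preflight "$(env)" && terraform plan
```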