Trying to authenticate with Azure using User Managed Identity fails with 401

Question

I have terraform code that authenticates with a Service Principal using ARM_... env variables.

Now I need to run a piece of configuration using the Managed identity assigned to the build agent VM.

My TF code is:

provider "azurerm" {
  features {}
  alias                      = "ss101"
  use_msi                    = true
  client_id                  = "3...5"
  subscription_id            = "6...2"
  skip_provider_registration = true
}

module "vnet-peering" {
  for_each = local.app_vnets
  source   = "./vnet-peering"
  app_vnet = module.vnets[each.value.location].vnets[each.value.key]

  providers = {
    azurerm.ss101 = azurerm.ss101
  }
}

I added client_secret = null in an unsuccessful attempt to resolve the error I get:

│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '3...5'.\r\nTrace ID: b55484dd-8dec-4b6f-89e4-6b22e24a2000\r\nCorrelation ID: 67880b22-e6e8-4382-8378-7b9ea8702cdd\r\nTimestamp: 2023-03-17 19:21:20Z","error_codes":[7000215],"timestamp":"2023-03-17 19:21:20Z","trace_id":"b55484dd-8dec-4b6f-89e4-6b22e24a2000","correlation_id":"67880b22-e6e8-4382-8378-7b9ea8702cdd","error_uri":"https://login.microsoftonline.com/error?code=7000215"}
│ 
│   with module.bootstrap.provider["registry.terraform.io/hashicorp/azurerm"].ss101,
│   on .terraform/modules/bootstrap/main.tf line 185, in provider "azurerm":
│  185: provider "azurerm" {

I suspect the credentials I inject through the environment may interfere with the MSI authentication. I tried to pass client_secret = null, but it has no effect.

How can I troubleshoot it?

Answer 1

Tried the code like below

provider "azurerm" {

  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }

  }
   use_msi = true
   client_id                  = "abf1166e-xxx"
  //client_secret              = "pym8Q~xxx"
  client_secret              = "null"
   tenant_id = "3f5xxxxxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}

I was getting errors , when I dint mention proper client scret value.

With some random client_secret value:

Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'abf1166xxxx

With client_secret= null:

Error: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'abf1166e-xxxx’

Note: Just use environment variables and give provider block to mention the version only:

export ARM_USE_MSI=true
export ARM_SUBSCRIPTION_ID=1x5-xxxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_TENANT_ID=72xxf-xxxx-xxxx-xxxx-xxxxxxxxxxxx
export ARM_CLIENT_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx # only necessary for user assigned identity

....

Provider block includes only version:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
}

Configure the Microsoft Azure Provider

provider "azurerm" {
  features {}
}

Or

Use provider block only with the subscription parameters .

Client secret value taken from the app registration, certificates & secrets if needed otherwise clientid and secret need not be mentioned and only use_msi=true

When I used below code, it worked for me:

provider "azurerm" {
  //subscription_id = "b83xxx23f"
  //tenant_id              = "72fxxx"
  features {
    resource_group {
      prevent_deletion_if_contains_resources = false
    }

  }
   use_msi = true
   client_id                  = "abfxcd9"xxx
  client_secret              = "pym8Q~xxxx"
  //client_secret              = "null"
   tenant_id = "xxx"
  subscription_id            = "xxxx"
  skip_provider_registration = true
}


resource "azurerm_user_assigned_identity" "example" {
 resource_group_name = data.azurerm_resource_group.example.name
  location                 = data.azurerm_resource_group.example.location
  name                = "example"
  
}

resource "azurerm_storage_account" "example" {
  name                     = "exkavyastacc"
  resource_group_name      = data.azurerm_resource_group.example.name
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.example.id
    ]
  }
}

You can enable a managed identity on an Azure VM with an identity block.

Note: make sure the managed identity have role to access the resource like owner role , storage blob data contributor

Reference : Azure Provider: Authenticating via Managed Identity | Guides | hashicorp/azurerm | Terraform Registry