Support for Azure Workload Identity Authentication

[mfortin]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I would like support for authenticating using Azure Workload Identity

Terraform is being executed from inside a docker container running on Amazon EKS and Azure Workload Identity is available to make credentials available to terraform.

The environment variables expected do not match the ones provided for existing authentication methods.

AZURE_AUTHORITY_HOST           https://login.microsoftonline.com/
AZURE_CLIENT_ID                <My App UUID>
AZURE_FEDERATED_TOKEN_FILE     </path/to/token>
AZURE_TENANT_ID                <My Tenant UUID>

My expectation is that support for existing authentication library could be easily used. See MSAL as an example.

New or Affected Resource(s)/Data Source(s)

azurerm

Potential Terraform Configuration

provider "azurerm" {
  features {}

  use_msal = true
}

References

No response

[mfortin]

Missed it from documentation

[kabal2010]

@mfortin
This is the same things as using OIDC for authentication as detailed in https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc. To test from a POD running in the AKS cluster, set environments variable like as below and it should work.

export ARM_OIDC_TOKEN=$(cat $AZURE_FEDERATED_TOKEN_FILE)
export ARM_CLIENT_ID=$AZURE_CLIENT_ID
export ARM_TENANT_ID=$AZURE_TENANT_ID

I've tested this and can confirm it worked with a configuration shown below.

provider "azurerm" {
  features {}
  use_oidc        = true
  subscription_id = "82d66c37-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

resource "azurerm_resource_group" "resource_group1" {
  name     = "workload-identity1"
  location = "northeurope"
}

The authentication part of the terraform plan output is as shown below.

2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Testing if Service Principal / Client Certificate is applicable for Authentication..: timestamp=2022-10-16T07:26:32.765Z
2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-10-16T07:26:32.765Z
2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Testing if Service Principal / Client Secret is applicable for Authentication..: timestamp=2022-10-16T07:26:32.765Z
2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Testing if OIDC is applicable for Authentication..: timestamp=2022-10-16T07:26:32.765Z
2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Using OIDC for Authentication: timestamp=2022-10-16T07:26:32.765Z
2022-10-16T07:26:32.766Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Getting OAuth config for endpoint https://login.microsoftonline.com with  tenant 558c8bf0-xxxx-xxxx-xxxx-xxxxxxxxxxxx: timestamp=2022-10-16T07:26:32.765Z    
2022-10-16T07:26:32.944Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: authenticated object ID cache miss, populating with: "f4a9e30c-b5f1-42cf-9de8-44d7a4747462": timestamp=2022-10-16T07:26:32.944Z
2022-10-16T07:26:32.944Z [INFO]  provider.terraform-provider-azurerm_v3.27.0_x5: Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant 558c8bf0-xxxx-xxxx-xxxx-xxxxxxxxxxxx: timestamp=2022-10-16T07:26:32.944Z   
2022-10-16T07:26:32.944Z [DEBUG] provider.terraform-provider-azurerm_v3.27.0_x5: Genereated Provider Correlation Request Id: 32c6c78b-721a-7d1c-1241-7a7e9e412efc: timestamp=2022-10-16T07:26:32.944Z
2022-10-16T07:26:33.051Z [DEBUG] provider.terraform-provider-azurerm_v3.27.0_x5: AzureRM Request:
GET /subscriptions/82d66c37-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers?api-version=2016-02-01 HTTP/1.1
Host: management.azure.com
User-Agent: Go/go1.18.5 (amd64-linux) go-autorest/v14.2.1 Azure-SDK-For-Go/v66.0.0 resources/2016-02-01 HashiCorp Terraform/1.3.2 (+https://www.terraform.io) Terraform Plugin SDK/2.10.1 terraform-provider-azurerm/dev pid-222c6c49-1b0a-5959-a213-6608f9eb8820
X-Ms-Authorization-Auxiliary:
X-Ms-Correlation-Request-Id: 32c6c78b-721a-7d1c-1241-7a7e9e412efc
Accept-Encoding: gzip: timestamp=2022-10-16T07:26:33.051Z

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # azurerm_resource_group.resource_group1 will be created
  + resource "azurerm_resource_group" "resource_group1" {
      + id       = (known after apply)
      + location = "northeurope"
      + name     = "workload-identity1"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

[mfortin]

That's why I closed this issue, it is clearly documented and I overlooked it.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.