freundcloud

Authenticate Terraform to Azure

Using bash:

  1. To create a service principal, sign in to Azure.
  2. If you're creating a service principal from Git Bash, set the MSYS_NO_PATHCONV environment variable. (This step isn't necessary if you're using Cloud Shell.) Git Bash otherwise rewrites arguments that begin with a slash, such as the /subscriptions/... scope below, into Windows paths before the Azure CLI sees them.

     export MSYS_NO_PATHCONV=1

     Key points:

     • You can set the MSYS_NO_PATHCONV environment variable globally (for all terminal sessions) or locally (for just the current session). As creating a service principal isn't something you do often, the sample sets the value for the current session. To set this environment variable globally, add the setting to the ~/.bashrc file.
  3. To create a service principal, run az ad sp create-for-rbac.

     az ad sp create-for-rbac --name <service_principal_name> --role Contributor --scopes /subscriptions/<subscription_id>

     Key points:

     • You can replace <service_principal_name> with a custom name for your environment or omit the --name parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
     • Upon successful completion, az ad sp create-for-rbac displays several values. The appId, password, and tenant values are used in the next step.
     • The password can't be retrieved if lost. As such, you should store your password in a safe place.
     • For this article, a service principal with the Contributor role is being used. Contributor at subscription scope is broad; if your Terraform configuration only manages a single resource group, narrow --scopes to that resource group. For more information about Role-Based Access Control (RBAC) roles, see the Azure RBAC documentation.
     • The output from creating the service principal includes sensitive credentials. Be sure that you don't include these credentials in your code or check the credentials into your source control.

Using Powershell:

  1. Open a PowerShell prompt.
  2. Run Connect-AzAccount.

     Connect-AzAccount

     Key points:

     • Upon successful sign in, Connect-AzAccount displays information about the default subscription.
     • Make note of the TenantId as it's needed to use the service principal.
  3. To confirm the current Azure subscription, run Get-AzContext.

     Get-AzContext
  4. To view all enabled Azure subscriptions for the logged-in Microsoft account, run Get-AzSubscription.

     Get-AzSubscription
  5. To use a specific Azure subscription, run Set-AzContext.

     Set-AzContext -Subscription "<subscription_id_or_subscription_name>"

     Key points:

     • Replace the <subscription_id_or_subscription_name> placeholder with the ID or name of the subscription you want to use. The role assignment in the next step is made against the subscription selected here, so check it before continuing.
  6. Run New-AzADServicePrincipal to create a new service principal.

     $sp = New-AzADServicePrincipal -DisplayName "<service_principal_name>" -Role "Contributor"

     Key points:

     • You can replace <service_principal_name> with a custom name for your environment or omit the -DisplayName parameter entirely. If you omit the parameter, the service principal name is generated based on the current date and time.
     • The Contributor role is being used. You can confirm the assignment afterwards with Get-AzRoleAssignment -ObjectId $sp.Id. For more information about Role-Based Access Control (RBAC) roles, see the Azure RBAC documentation.
  7. Display the service principal application ID.

     $sp.AppId

     Key points:

     • Make note of the service principal application ID as it's needed to use the service principal.
  8. Display the autogenerated password as text.

     $sp.PasswordCredentials.SecretText

     Key points:

     • Make note of the password as it's needed to use the service principal.
     • The password can't be retrieved if lost. As such, you should store your password in a safe place. If you forget your password, you can reset the service principal credentials (for example with New-AzADSpCredential), which issues a new secret and leaves the old one invalid once it expires or is removed.
     • As with the CLI path, the secret is printed to the terminal. Don't paste it into a Terraform file or commit it to source control.
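Both procedures above end with the same three values (application ID, password, tenant) plus the subscription ID, and Terraform's azurerm provider reads them from the ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID and ARM_SUBSCRIPTION_ID environment variables. The following bash script is an added example, not code from the original page or from Microsoft: it parses the JSON that az ad sp create-for-rbac prints (or takes the values the PowerShell steps display) and writes the exports to a mode-0600 file outside the repository, so the secret never has to be typed on a command line or pasted into a .tf file. The function names, the file location $HOME/.terraform-azure.env and the sample JSON are assumptions for illustration; the GUIDs and password in the sample are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: turn the service principal
# values into the ARM_* environment variables the Terraform azurerm provider
# reads, keeping the secret out of the shell history and the repository.
set -euo pipefail

# Emit the four export lines. The subscription ID is not part of the
# create-for-rbac output, so the caller supplies it. For the PowerShell
# path, pass $sp.AppId, $sp.PasswordCredentials.SecretText and the TenantId
# from Connect-AzAccount directly to this function.
arm_env_lines() {
  local app_id="$1" secret="$2" tenant="$3" subscription="$4"
  [ -n "$app_id" ] && [ -n "$secret" ] && [ -n "$tenant" ] && [ -n "$subscription" ] \
    || { echo "arm_env_lines: missing value" >&2; return 1; }
  # Single quotes: az-generated secrets contain '~', '.', '-', '_' but no quotes.
  printf "export ARM_CLIENT_ID='%s'\n" "$app_id"
  printf "export ARM_CLIENT_SECRET='%s'\n" "$secret"
  printf "export ARM_TENANT_ID='%s'\n" "$tenant"
  printf "export ARM_SUBSCRIPTION_ID='%s'\n" "$subscription"
}

# Pull one top-level string field out of the pretty-printed JSON that
# `az ad sp create-for-rbac` prints (fields as shown on the page:
# appId, password, tenant). One field per line, as the CLI formats it.
sp_field() {
  sed -n "s/^ *\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Read the create-for-rbac JSON on stdin and emit the export lines.
sp_to_arm_env() {
  local subscription="$1" json
  json="$(cat)"
  arm_env_lines \
    "$(printf '%s\n' "$json" | sp_field appId)" \
    "$(printf '%s\n' "$json" | sp_field password)" \
    "$(printf '%s\n' "$json" | sp_field tenant)" \
    "$subscription"
}

# Write stdin to a file only the current user can read (mode 0600),
# outside the Terraform working tree, so `source`-ing it later never
# requires pasting the secret on a command line.
write_arm_env_file() {
  local path="$1"
  ( umask 077; : > "$path" )   # create with owner-only permissions
  chmod 600 "$path"            # tighten an already existing file too
  cat > "$path"
}

# Constructed sample of the create-for-rbac output; the GUIDs and the
# password are placeholders, not real credentials.
SAMPLE_JSON='{
  "appId": "00000000-0000-0000-0000-00000000aaaa",
  "displayName": "terraform-sp",
  "password": "Constructed.Example-Secret_NotReal~1",
  "tenant": "00000000-0000-0000-0000-00000000bbbb"
}'

# Real usage (requires az and a signed-in session; not executed here):
#   SUB=$(az account show --query id -o tsv)
#   az ad sp create-for-rbac --name terraform-sp --role Contributor \
#       --scopes "/subscriptions/$SUB" \
#     | sp_to_arm_env "$SUB" | write_arm_env_file "$HOME/.terraform-azure.env"
#   source "$HOME/.terraform-azure.env" && terraform plan
```

Piping the CLI output straight into sp_to_arm_env means the password is never displayed, and the env file (not the Terraform directory) is the only place it lands; add that path to your global gitignore or keep it under a directory that is never a repository.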