Service Principal in env

To securely authenticate Terraform to Azure, export your Service Principal credentials as environment variables. This is the recommended approach for automation, CI/CD, and cross-platform workflows (Linux, macOS, WSL, PowerShell).


Bash/Linux/WSL: Set Environment Variables

  1. Add the following to your ~/.bashrc or ~/.zshrc (these are the variable names the Terraform azurerm provider reads):

     # Azure identifiers are GUIDs; the client secret is the Service Principal password.
     export ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
     export ARM_TENANT_ID="<azure_subscription_tenant_id>"
     export ARM_CLIENT_ID="<service_principal_app_id>"
     export ARM_CLIENT_SECRET="<service_principal_password>"
     # The secret now sits in plain text in your rc file: keep it readable only by you (chmod 600).
    
  2. Reload your shell configuration:

     source ~/.bashrc
     # or for zsh
     source ~/.zshrc
    
  3. Verify the environment variables:

     # Lists every ARM_* variable with its value, so ARM_CLIENT_SECRET is shown in clear text;
     # avoid running this where the terminal output is recorded.
     printenv | grep ^ARM
    

PowerShell: Set Environment Variables

  1. Set variables for the current session:

     $env:ARM_CLIENT_ID="<service_principal_app_id>"
     $env:ARM_SUBSCRIPTION_ID="<azure_subscription_id>"
     $env:ARM_TENANT_ID="<azure_subscription_tenant_id>"
     $env:ARM_CLIENT_SECRET="<service_principal_password>"
    
  2. Verify the variables:

     Get-ChildItem env:ARM_*
    
  3. Persist variables for all sessions: add the `$env:` assignments above to your PowerShell profile (the file whose path is in `$PROFILE`). As with the Bash rc file, the secret is then stored in plain text, so restrict the profile's permissions to your own account.


Real-Life DevOps Example: GitHub Actions

Store your Service Principal credentials as GitHub Actions secrets, then use them in your workflow:

name: terraform
on:
  workflow_dispatch:   # pick the trigger that suits your workflow
jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      # Secrets are injected as the ARM_* variables the azurerm provider reads;
      # GitHub masks their values in the job log.
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3
      - run: terraform init
      # -auto-approve skips the interactive plan review, so gate this job on a protected branch or environment.
      - run: terraform apply -auto-approve

Best Practices

  • Never hardcode credentials in your Terraform code or repository
  • Use environment variables or secret managers for sensitive values
  • Rotate Service Principal credentials regularly
  • Grant only the minimum RBAC permissions needed
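The following is an added example, not part of the original page: a POSIX sh pre-flight check that ties the verification step to the first two best practices. It confirms the four ARM_* variables are set and that the three IDs look like GUIDs without ever printing the client secret, and it fails if any .tf file under a directory carries a literal client_secret. The function names, the GUID check and the sample .tf content are my own assumptions.

```shell
#!/usr/bin/env sh
# Added example: pre-flight check before running terraform with Service
# Principal credentials taken from the environment.

# is_guid VALUE: succeeds if VALUE has the GUID shape Azure uses for
# subscription, tenant and client (application) IDs.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# check_arm_env: prints one status line per variable, masks the secret,
# and returns the number of problems found (0 means ready to run terraform).
check_arm_env() {
  problems=0
  for name in ARM_SUBSCRIPTION_ID ARM_TENANT_ID ARM_CLIENT_ID; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "MISSING  $name"; problems=$((problems + 1))
    elif ! is_guid "$value"; then
      echo "BADFORM  $name (expected a GUID)"; problems=$((problems + 1))
    else
      echo "OK       $name=$value"
    fi
  done
  if [ -z "${ARM_CLIENT_SECRET:-}" ]; then
    echo "MISSING  ARM_CLIENT_SECRET"; problems=$((problems + 1))
  else
    # Report only that the secret is present and how long it is.
    echo "OK       ARM_CLIENT_SECRET=<set, ${#ARM_CLIENT_SECRET} chars>"
  fi
  return "$problems"
}

# scan_tf_for_secrets DIR: returns 1 if any .tf file under DIR assigns a
# literal client_secret, which would defeat the point of using the environment.
# Matching lines are printed with the literal redacted.
scan_tf_for_secrets() {
  hits=$(grep -rnE 'client_secret[[:space:]]*=[[:space:]]*"[^"]+"' \
           --include='*.tf' "$1" 2>/dev/null || true)
  if [ -n "$hits" ]; then
    echo "hardcoded client_secret found:"
    echo "$hits" | sed -E 's/"[^"]*"/"<redacted>"/'
    return 1
  fi
  return 0
}

# Typical use in a wrapper script:
#   check_arm_env && scan_tf_for_secrets . && terraform init
```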

Tip: For passwordless authentication in CI/CD, consider using OIDC with GitHub Actions or Azure Pipelines.


Add to SUMMARY.md

- [Specify Service Principal Credentials in Environment Variables](pages/terraform/authenticate-terraform-to-azure/specify-service-principal-credentials-in-environment-variables.md)