How to authenticate terraform with azure


This article will show how to authenticate Terraform with Azure using a Service Principal.

But before we start, let's recall how we do the same thing for AWS, so that we can easily relate what we are doing to what we are trying to achieve.

To authenticate Terraform with AWS, we do something like this:

  • We create an IAM user for programmatic access with admin access and make a note of the access/secret key
  • On the client machine (the Terraform host), we create a profile with `aws configure --profile tf-user` using the above access/secret key, and
  • then, when we create the Terraform provider, we add that profile so Terraform can authenticate with AWS

provider "aws" {
  region  = "ap-south-1"
  profile = "tf-user"
}

Now that we understand what we are going to achieve, let's get the same thing working for Azure cloud.

How does TF authenticate with Azure cloud?

  • First we have to create an identity (Service Principal) on Azure, and then
  • add that identity to the Terraform provider for Azure

To create a Service Principal (identity) in Azure via the Azure Portal, follow these steps:

1. Register an app in Azure (terraform)

– Log in to the Azure Portal: portal.azure.com

– Navigate to Azure Active Directory (Entra ID) and click on App registrations in the left-hand menu

– Click on New registration at the top.

– Fill in the App Registration details.

2. Generate a Client Secret:

– Click on the created app (in our case, terraform)

– In the left-hand menu, under Manage, click on Certificates & secrets.

– Under the Client secrets section, click New client secret.

– Provide a description (e.g., Terraform secret) and select an expiry period (Example: 1 year, 2 years).

– Click Add.

– The secret value will be generated and displayed.

– Copy this value immediately and save it in a secure place, as it will not be shown again once we leave the page.

  • This will be the client secret.

3. Get the Application (Client) ID and Directory (Tenant) ID:

– Navigate back to the Overview section of the App Registration.

– Copy these two values:

Application (client) ID: This is the unique identifier for the Service Principal (copy and save it).

Directory (tenant) ID: This is your Azure AD tenant ID (copy and save it).

4. Assign Required Role to the Service Principal: (Subscription Level)

– Now that we have the Service Principal (the terraform App Registration) created, we need to give it the proper permissions to manage resources (for example AKS, or other Azure services).

– Go to the Subscriptions section in the portal. We need to give the app IAM access at the subscription level.

– Select the subscription where the resources (AKS or other Azure resources) need to be deployed using Terraform.

– On the left-hand menu, select Access control (IAM).

– Click on + Add → Add role assignment.

– Choose the appropriate role:

– For AKS: Contributor or Owner (generally we use this role).

– For Terraform, Contributor is often sufficient.

– In the Assign access to dropdown, select User, group, or service principal.

– Search for the name of the Service Principal (the name of the app registration you created earlier).

– Select the Service Principal, and then click Save. (See the image below)
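The same four portal steps can be scripted with the Azure CLI. The script below is an added example, not part of the original post: it assumes the Azure CLI is installed and already logged in as a user who may create app registrations and role assignments, and the names `terraform` and `tf-state-rg` are placeholders. It also goes one step beyond the portal walkthrough by letting you scope the Contributor assignment to a single resource group instead of the whole subscription, which is the least-privilege choice when everything Terraform manages lives in one group.

```shell
#!/usr/bin/env sh
# Added example: CLI equivalent of portal steps 1-4 (app registration,
# service principal, client secret, Contributor role assignment).
# Assumes `az` is installed and logged in; names are placeholders.

# Build the RBAC scope for the role assignment.
# rbac_scope <subscription-id> [resource-group]
rbac_scope() {
  sub="$1"; rg="${2:-}"
  # Reject anything that is not a GUID so a typo cannot silently produce a
  # malformed scope that az would then reject (or, worse, misinterpret).
  printf '%s' "$sub" | grep -Eq \
    '^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$' \
    || { echo "rbac_scope: '$sub' is not a subscription id" >&2; return 1; }
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg"
  else
    printf '/subscriptions/%s\n' "$sub"
  fi
}

# Create the service principal with a Contributor assignment at the scope.
# create_terraform_sp <subscription-id> [resource-group]
create_terraform_sp() {
  scope="$(rbac_scope "$1" "${2:-}")" || return 1
  # One command creates the app registration, its service principal, a client
  # secret valid for one year (--years 1) and the role assignment. The JSON it
  # prints contains appId (client id), password (client secret) and tenant
  # (tenant id): store it in a secret manager, never in a .tf file.
  az ad sp create-for-rbac \
    --name terraform \
    --role Contributor \
    --scopes "$scope" \
    --years 1
}

# Usage (placeholder subscription id; not run when this file is sourced):
#   create_terraform_sp 00000000-0000-0000-0000-000000000000 tf-state-rg
```

The one-year expiry mirrors the "select an expiry period" step above; when the secret expires, rerun the creation step (or `az ad sp credential reset`) and update wherever the value is stored, rather than issuing a secret that never expires.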

Add this Service Principal account to the Terraform provider:

provider "azurerm" {
  # Configuration options
  subscription_id = "618674c"
  client_id       = "23ce2"
  client_secret   = "hHHbwW"
  tenant_id       = "6f864"

  features {}
}

– Now Terraform can authenticate with Azure and interact with it through the API.
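A provider block with `client_secret` written into it ends up in version control and in every copy of the repository. The script below is an added example, not part of the original post: it assumes the four values were saved from the portal steps above and that the Azure CLI is installed. It relies on the azurerm provider reading its credentials from the `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` environment variables, so the committed `provider.tf` carries no secret at all, and it checks that all four are present before Terraform is ever invoked.

```shell
#!/usr/bin/env sh
# Added example: keep the service principal secret out of provider.tf.
# The azurerm provider reads ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID
# and ARM_SUBSCRIPTION_ID from the environment. Assumes those values were
# saved from the portal steps and that `az` is installed.

# Fail fast, naming every missing variable, before terraform runs.
# Returns 0 when all four are set and non-empty, 1 otherwise.
check_arm_env() {
  missing=""
  for v in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
}

# Write a provider block that carries no credentials.
# write_provider_tf <path>
write_provider_tf() {
  cat > "$1" <<'EOF'
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# Credentials come from the ARM_* environment variables, not from this file.
provider "azurerm" {
  features {}
}
EOF
}

# Confirm the service principal can sign in before running terraform.
# Needs network access and the az CLI, so it is not part of the offline test.
verify_sp_login() {
  check_arm_env || return 1
  az login --service-principal \
    --username "$ARM_CLIENT_ID" \
    --password "$ARM_CLIENT_SECRET" \
    --tenant "$ARM_TENANT_ID" >/dev/null
}

# Typical use (values come from your secret store, not from a file in git):
#   export ARM_CLIENT_ID=... ARM_CLIENT_SECRET=... ARM_TENANT_ID=... ARM_SUBSCRIPTION_ID=...
#   check_arm_env && write_provider_tf provider.tf && terraform init
```

In CI the same four variables are supplied from the pipeline's secret store, so the identical `provider.tf` works on a laptop and in automation without ever containing the secret.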
