» Azure Active Directory Provider: Authenticating using Managed Service Identity
Terraform supports a number of different methods for authenticating to Azure:
- Authenticating to Azure using the Azure CLI
- Authenticating to Azure using Managed Service Identity (which is covered in this guide)
- Authenticating to Azure using a Service Principal and a Client Certificate
- Authenticating to Azure using a Service Principal and a Client Secret
We recommend using either a Service Principal or Managed Service Identity when running Terraform non-interactively (such as when running Terraform in a CI server) - and authenticating using the Azure CLI when running Terraform locally.
» What is Managed Service Identity?
Certain services within Azure (for example Virtual Machines and Virtual Machine Scale Sets) can be assigned an Azure Active Directory identity which can be used to access the Azure Subscription. This identity can then be assigned permissions to a Subscription, Resource Group or other resources using the Azure Identity and Access Management functionality - however by default no permissions are assigned.
Once a resource is configured with an identity, a local metadata service exposes credentials which can be used by applications such as Terraform.
» Configuring Managed Service Identity
The (simplified) Terraform Configuration below configures a Virtual Machine with Managed Service Identity, and then grants it Contributor access to the Subscription. The Virtual Machine, Subscription and Role Assignment are Azure Resource Manager resources, so they come from the azurerm provider; the azuread provider is only used for authentication:

data "azurerm_subscription" "current" {}

resource "azurerm_virtual_machine" "test" {
  # ...

  # A System Assigned identity is created for the VM and removed with it
  identity {
    type = "SystemAssigned"
  }
}

data "azurerm_builtin_role_definition" "contributor" {
  name = "Contributor"
}

resource "azurerm_role_assignment" "test" {
  # name is omitted so that a UUID is generated for the assignment
  scope              = "${data.azurerm_subscription.current.id}"
  role_definition_id = "${data.azurerm_subscription.current.id}${data.azurerm_builtin_role_definition.contributor.id}"
  principal_id       = "${lookup(azurerm_virtual_machine.test.identity[0], "principal_id")}"
}
» Configuring Managed Service Identity in Terraform
At this point we assume that Managed Service Identity is configured on the resource (e.g. Virtual Machine) being used - and that permissions have been assigned via Azure's Identity and Access Management system.
Terraform can be configured to use Managed Service Identity for authentication in one of two ways: using Environment Variables or by defining the fields within the Provider block.
You can configure Terraform to use Managed Service Identity by setting the Environment Variable ARM_USE_MSI to true, as shown below:

$ export ARM_USE_MSI=true
Using a Custom MSI Endpoint? In the unlikely event you're using a custom endpoint for Managed Service Identity, this can be configured using the ARM_MSI_ENDPOINT Environment Variable. It shouldn't need to be configured in regular use.
Whilst a Provider block is technically optional when using Environment Variables - we'd strongly recommend defining one to be able to pin the version of the Provider being used:
provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "=0.1.0"
}
More information on the fields supported in the Provider block can be found here.
At this point running either terraform plan or terraform apply should allow Terraform to run using Managed Service Identity.
It's also possible to configure Managed Service Identity within the Provider Block:
provider "azuread" {
  # Whilst version is optional, we /strongly recommend/ using it to pin the version of the Provider being used
  version = "=0.1.0"
  use_msi = true
}
Using a Custom MSI Endpoint? In the unlikely event you're using a custom endpoint for Managed Service Identity, this can be configured using the msi_endpoint field. It shouldn't need to be configured in regular use.
More information on the fields supported in the Provider block can be found here.
At this point running either terraform plan or terraform apply should allow Terraform to run using Managed Service Identity.
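A pre-flight script for a CI job that uses the Environment Variable configuration above, added here as an example rather than anything from the provider's own documentation: it checks that the local metadata service described earlier actually hands out a token before terraform plan is attempted, honouring ARM_MSI_ENDPOINT for the custom-endpoint case. It assumes (not stated on this page) that the metadata service is Azure Instance Metadata Service at 169.254.169.254 with api-version 2018-02-01, and that the provider needs a token for the Azure AD Graph resource https://graph.windows.net/.

```shell
#!/bin/sh
# Pre-flight check for running the azuread provider with Managed Service Identity.
# Constructed example; the IMDS address, api-version and Graph resource are assumptions.
set -eu

IMDS_DEFAULT="http://169.254.169.254/metadata/identity/oauth2/token"

# Build the token URL: ARM_MSI_ENDPOINT overrides the default metadata endpoint.
# Usage: msi_token_url RESOURCE
msi_token_url() {
  base="${ARM_MSI_ENDPOINT:-$IMDS_DEFAULT}"
  printf '%s?api-version=2018-02-01&resource=%s\n' "$base" "$1"
}

# Returns 0 only when the guide's Environment Variable is set exactly as documented.
msi_env_ok() {
  [ "${ARM_USE_MSI:-}" = "true" ] || return 1
  return 0
}

# Ask the metadata service for a token. The Metadata: true header is mandatory for
# IMDS, which rejects requests that arrive via an unintended redirect.
probe_msi() {
  url=$(msi_token_url "https://graph.windows.net/")
  if curl -sf -H "Metadata: true" "$url" | grep -q '"access_token"'; then
    echo "MSI token obtained from $url"
  else
    echo "no token from $url - is an identity assigned to this VM?" >&2
    return 1
  fi
}

# CI entry point: ./msi-preflight.sh run
if [ "${1:-}" = "run" ]; then
  export ARM_USE_MSI=true
  msi_env_ok || { echo "ARM_USE_MSI is not set to true" >&2; exit 1; }
  probe_msi
  terraform init -input=false
  terraform plan -input=false
fi
```

If the probe fails, the usual causes are that no identity has been assigned to the resource or that the role assignment from the earlier section has not propagated yet.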