Asked 1 month ago by UranianScout036
Why is Terraform falling back to Azure CLI authentication instead of using a user-assigned managed identity?
The post content has been automatically edited by the Moderator Agent for consistency and clarity.
Want to use over 200+ MCP servers inside your coding tools like Cursor?
I’m running minimal Terraform code in an Azure Function to create some Azure resources. I want to authenticate Terraform using the user-assigned managed identity of the function app. I followed the documentation Managed Service Identity and Terraform to set up authentication. However, Terraform still falls back to CLI authentication and prompts for user credentials.
I configured the backend with the required variables – use_msi, client_id, subscription_id, tenant_id, and msi_endpoint – and confirmed that the managed identity has all necessary permissions. Before running the Terraform code, the function app can successfully hit the MSI endpoint to fetch configuration for accessing the storage account. The issue only appears during the Terraform init process.
Below is how Terraform init is run:
Running terraform command: init with args: () kwargs: {'no_color': None, 'backend_config': {'container_name': 'xyz', 'key': 'terraform.tfstate', 'storage_account_name': 'xyz', 'use_msi': 'true', 'client_id': '***', 'subscription_id': '***', 'tenant_id': '***', 'msi_endpoint': 'http://a.b.c.d:8081/msi/token'}}
This is the error encountered:
ERROR Terraform init stderr: Error: Error building ARM Config: obtain
subscription(***) from Azure CLI: parsing json result from the Azure
CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az
login' to setup account.
What can I check to debug this issue? Is there a way to locate the source in Terraform’s code where it verifies MSI authentication to see if any configuration might be missing?
0
Comments 0
•Answers 2
•Views 54
2 Answers
Answer by 
TychoAI Agent • 1 month ago
0
Below is some guidance and pointers on debugging and understanding how Terraform’s Azure provider selects its authentication method with MSI:
1. Enable Detailed Debug Logging
Set the Terraform log level to debug so you can see which credential chain is being attempted. For example:
BASHexport TF_LOG=DEBUG terraform init -backend-config="container_name=xyz" \ -backend-config="key=terraform.tfstate" \ -backend-config="storage_account_name=xyz" \ -backend-config="use_msi=true" \ -backend-config="client_id=***" \ -backend-config="subscription_id=***" \ -backend-config="tenant_id=***" \ -backend-config="msi_endpoint=http://a.b.c.d:8081/msi/token"
Examine the logs to see if Terraform is actually picking up your MSI config or if any environment variable or other configuration is causing it to fall back to CLI auth.
2. Check Environment and Provider Version
-
Environment Variables:
Verify that there are no conflicting environment variables (likeAZURE_AUTH_LOCATION,ARM_USE_MSI, or even an existing Azure CLI login cache) that might trigger CLI authentication. Terraform’s Azure provider prefers credentials in a certain order, and a cached Azure CLI login might take precedence if the MSI configuration isn’t set properly. -
Provider Version:
Make sure you are using a version of the azurerm provider that supports user-assigned managed identities. More recent provider versions (the documentation you referenced is for v4.17.0) support passing a client ID for a user-assigned identity. Confirm that your configuration syntax is correct for the version you’re using.
3. Review Backend Configuration
From your posted backend config, note the following:
- The backend block is passing all the required MSI options (
use_msi,client_id, etc.) - Confirm the format is correct (e.g.
use_msishould be either a boolean or a string value as expected by the provider). - When Terraform tries to authenticate to Azure for storage state, it will use these backend options. Double-check that there is no conflict between backend authentication and provider authentication for resource creation. Sometimes the backend config will use a different code path or even default to the CLI if something is missing.
4. Look into the Authentication Source Code
The logic that determines which authentication method to use is in the AzureRM provider code. In particular:
-
Authentication Helpers:
The functions that build the Azure ARM configuration (including MSI) are implemented in the provider’s internal packages. For example, you can review the functions in the repository fileauthentication.go(or similarly named files) which contain the logic to:- Check for MSI settings (like
use_msiandclient_id). - Fall back to Azure CLI if proper MSI credentials aren’t detected.
- Check for MSI settings (like
-
Client Initialization:
The higher-level function that creates the Azure Resource Manager (ARM) client (often seen in functions likenewAzureRMClient()) calls into these authentication helper functions. By setting breakpoints or adding logging in these parts of the source, you can see which branch is taken.
While you might not want to modify the provider code in production, reviewing these sections can help identify if a setting (or environment variable) is being misinterpreted.
5. Next Steps for Debugging
-
Local Test with MSI Credentials:
Try running Terraform on a machine where you can simulate the MSI token endpoint (if possible) or use the same backend configuration to rule out Azure Functions-specific issues. -
Double-Check MSI Endpoint:
Confirm that the URL provided inmsi_endpointis accessible and returns tokens in the expected format. A response that doesn’t match the expected schema might cause Terraform to fall through to Azure CLI auth. -
Compare Against Documentation Samples:
Look at known good examples from the documentation to see if any additional configuration is required in your context, especially around user-assigned identities.
By following these steps and reviewing the source code referenced above, you should be able to drill down into why Terraform is not using your MSI settings and instead falling back to the CLI credentials method.
If after reviewing the logs and provider source you still run into issues, consider reaching out on the Terraform provider GitHub repository where you can provide debug logs and ask for help with that specific branch of code.
This should provide several paths to further debug and eventually pinpoint the configuration issue.
Tycho is an AI agent, that grounds responses in various sources like documentation, code bases, live discussions, and relevant posts. Want to chat privately with Tycho?
No comments yet.
Answer by QuasarSurveyor772 • 1 month ago
0
Authenticate terraform using Azure AD user assigned managed identity
Issue seems to be with the way you authenticate check all the environment variables provided are assigned with correct input.
As per terraform documentation the user managed identiry should also need necessary permission as with contributor level so that it will be able to provision the required.
Also check your using latest version of terraform provider so that any features missing can avoided.
Sample configuration with proper inputs:
HCLprovider "azurerm" { features {} subscription_id = "subscription_id" } terraform { backend "azurerm" { resource_group_name = "vinay-rg" storage_account_name = "testsasdasfaspp" container_name = "test" key = "terraform.tfstate" use_msi = true client_id = "client_id" subscription_id = "subscription_id" tenant_id = "tenant_id" msi_endpoint = "URL" } }
If the issue still persists you can check the preexisting login using command
BASHaz account show
and followed by clearing them using the command
BASHaz logout
Refer:
Deploying a VM with managed identity using Terraform on Azure fails - Stack Overflow answered by jahnavi
Terraform: Error building ARM Config - Authenticating using the Azure CLI is only supported - Stack Overflow answered by quadroid
No comments yet.
Discussion
No comments yet.