» Azure Provider: Authenticating using the Azure CLI

Terraform supports authenticating to Azure through a Service Principal or the Azure CLI.

We recommend using a Service Principal when running in a shared environment (such as within a CI server/automation) - and authenticating via the Azure CLI when you're running Terraform locally.

When az and terraform run in different timezones (for example, when az runs inside Docker, which defaults to UTC, and the system timezone where terraform runs is not UTC), terraform interprets the token differently from what az intended and may incorrectly determine the token to be stale and invalid.

When terraform and az run on hosts or containers with different timezones, set the $TZ variable on the host.

When authenticating via the Azure CLI, Terraform will automatically connect to the Default Subscription - this can be changed by using the Azure CLI - and is documented below.

» Configuring the Azure CLI

This guide assumes that you have the Azure CLI 2.0 (Python) installed.

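If you're using the China, German or US Government Azure clouds, first configure the Azure CLI to work with that cloud:

$ az cloud set --name AzureChinaCloud|AzureGermanCloud|AzureUSGovernment

Then log in to the Azure CLI using: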

$ az login

This will prompt you to open a web browser, as shown below:

To sign in, use a web browser to open the page https://aka.ms/devicelogin and enter the code XXXXXXXX to authenticate.

Once logged in - it's possible to list the Subscriptions associated with the account via:

$ az account list

The output (similar to below) will display one or more Subscriptions - with the id field being the Subscription ID.

[
  {
    "cloudName": "AzureCloud",
    "id": "00000000-0000-0000-0000-000000000000",
    "isDefault": true,
    "name": "PAYG Subscription",
    "state": "Enabled",
    "tenantId": "00000000-0000-0000-0000-000000000000",
    "user": {
      "name": "user@example.com",
      "type": "user"
    }
  }
]

To change the Default Subscription that Terraform connects to, run:

$ az account set --subscription="SUBSCRIPTION_ID"

Also, if you have been authenticating with a Service Principal and you switch to the Azure CLI, you must unset the ARM_* environment variables. Failure to do so causes errors to be thrown.
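One way to check for and clear leftover ARM_* variables before switching to Azure CLI authentication. This is an added example, not part of the Terraform documentation; the function names are hypothetical, and it reports variable names only so that Service Principal credentials never reach the terminal or a log.

```shell
#!/bin/sh
# Added example: pre-flight check before running Terraform with Azure CLI auth.
# Function names are hypothetical; the only fact taken from the page is that
# leftover ARM_* environment variables must be cleared.

# Print the NAMES of exported ARM_* variables, one per line, sorted.
# awk's ENVIRON is used instead of parsing `env` output, so multi-line values
# cannot be mistaken for variable names, and values are never printed.
arm_vars_set() {
    awk 'BEGIN { for (k in ENVIRON) if (k ~ /^ARM_/) print k }' | LC_ALL=C sort
}

# Return 0 if the environment is clean for CLI auth, 1 otherwise.
# Diagnostics go to stderr and list names only.
preflight_cli_auth() {
    leftover=$(arm_vars_set)
    if [ -n "$leftover" ]; then
        echo "ARM_* variables still set (values not shown):" >&2
        echo "$leftover" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Unset every exported ARM_* variable in the current shell.
clear_arm_vars() {
    for name in $(arm_vars_set); do
        unset "$name"
    done
}

# Typical use, after sourcing this file:
#   preflight_cli_auth || clear_arm_vars
```

Source the file rather than executing it: a child script cannot unset variables in the shell that will run Terraform.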