
Azure Static Credentials

Follow these steps to authenticate against Azure

1. Create a new Service Principal

A Service Principal is an application within Azure Active Directory used to create your cloud resources.

Install the Azure CLI

brew update && brew install azure-cli

Authenticate using the Azure CLI

az login

Subscription ID

The id from the az command output above is your subscription ID.

Tip: Record the subscription ID to be used in the next steps.

Set the Subscription ID

Replace $SUBSCRIPTION_ID with your subscription ID.

az account set --subscription "$SUBSCRIPTION_ID"

Create a Service Principal

Replace $SUBSCRIPTION_ID with your subscription ID.

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/$SUBSCRIPTION_ID"

  • Contributor is an Azure built-in role. This role grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
  • This role is merely a suggestion. Choose whichever role makes the most sense for your organization.

💡 Record the following to be used in the next steps:

  • appId (client ID)
  • password (client secret)
  • tenant (tenant ID)

2. Configure Azure credential environment variables

Credentials are securely stored in GitHub Secrets and exposed as obfuscated environment variables in the Terrateam GitHub Action.

Azure credential environment variables are typically named:

  • ARM_CLIENT_ID
  • ARM_CLIENT_SECRET
  • ARM_SUBSCRIPTION_ID
  • ARM_TENANT_ID

  1. Navigate to the main page of your Terraform repository on GitHub
  2. Click ⚙️ Settings
  3. In the left sidebar, click Secrets > Actions
  4. Click New repository secret
       • Name: ARM_CLIENT_ID
       • Value: <Your app id>
  5. Click New repository secret
       • Name: ARM_CLIENT_SECRET
       • Value: <Your password>
  6. Click New repository secret
       • Name: ARM_SUBSCRIPTION_ID
       • Value: <Your subscription id>
  7. Click New repository secret
       • Name: ARM_TENANT_ID
       • Value: <Your tenant id>
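
As an added example (not part of the Terrateam documentation or its code), the following shell function checks that the four variables above are present and plausibly formed before Terraform runs, reporting problems by variable name only so that no credential value reaches the log. The function names `is_guid` and `check_arm_env`, and the whitespace and duplicate-ID heuristics, are assumptions of this example.

```shell
# Added example (not Terrateam's code): preflight check for the ARM_* variables.
# Problems are reported by variable name only; values are never printed.

# is_guid VALUE: succeed if VALUE has the 8-4-4-4-12 hex GUID shape.
is_guid() {
  printf '%s' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_arm_env: print one line per problem, return the number of problems.
check_arm_env() {
  problems=0
  for name in ARM_CLIENT_ID ARM_SUBSCRIPTION_ID ARM_TENANT_ID; do
    eval "value=\${$name:-}"   # indirect lookup; names come from the fixed list
    if [ -z "$value" ]; then
      echo "$name is not set"
      problems=$((problems + 1))
    elif ! is_guid "$value"; then
      echo "$name is not a GUID"
      problems=$((problems + 1))
    fi
  done

  if [ -z "${ARM_CLIENT_SECRET:-}" ]; then
    echo "ARM_CLIENT_SECRET is not set"
    problems=$((problems + 1))
  else
    case "$ARM_CLIENT_SECRET" in
      *[[:space:]]*)
        # Assumption: whitespace inside the secret is a copy/paste error.
        echo "ARM_CLIENT_SECRET contains whitespace"
        problems=$((problems + 1)) ;;
    esac
  fi

  # The client ID and tenant ID are distinct GUIDs; equal values usually mean
  # the same field was pasted into both secrets (heuristic of this example).
  if [ -n "${ARM_CLIENT_ID:-}" ] &&
     [ "${ARM_CLIENT_ID:-}" = "${ARM_TENANT_ID:-}" ]; then
    echo "ARM_CLIENT_ID and ARM_TENANT_ID are identical"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Usage in a workflow step before terraform runs:  check_arm_env || exit 1
```
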

3. Azure Provider Configuration

The azurerm provider automatically detects and uses the ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET, and ARM_TENANT_ID environment variables defined in the Terrateam GitHub Action runtime environment.

Example

The following is an example configuration that can be used with your newly created ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET, and ARM_TENANT_ID GitHub secrets.

# Configure the Azure provider
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0.2"
    }
  }

  required_version = ">= 1.1.0"
}

provider "azurerm" {
  features {}
}