How to configure multiple azurerm providers that authenticate with a system-assigned managed identity using environment variables
I want to configure two azurerm providers using environment variables
I tried this:
    variable "SUBSCRIPTION_ID" {
      description = "Subscription ID where resources will be deployed."
    }
    variable "TENANT_ID" {
      description = "Service Principal Tenant ID."
    }
    provider "azurerm" {
      subscription_id = var.SUBSCRIPTION_ID
      tenant_id       = var.TENANT_ID
      use_msi         = true
      features {}
    }
    #################################################################
    # Tools provider
    #################################################################
    variable "TOOLS_SUBSCRIPTION_ID" {
      description = "Subscription ID where Tools are located."
    }
    variable "TOOLS_TENANT_ID" {
      description = "Service Principal Tenant ID."
    }
    provider "azurerm" {
      alias           = "tools"
      subscription_id = var.TOOLS_SUBSCRIPTION_ID
      tenant_id       = var.TOOLS_TENANT_ID
      use_msi         = true
      features {}
    }
With these defined:
TF_VAR_SUBSCRIPTION_ID
TF_VAR_TENANT_ID
TF_VAR_TOOLS_SUBSCRIPTION_ID
TF_VAR_TOOLS_TENANT_ID
I checked and all values are present. However, I got this error:
│ Error: building AzureRM Client: 1 error occurred:
│ * A Client ID must be configured when authenticating as a Service Principal using a Client Secret.
│
│
│
│ with provider["registry.terraform.io/hashicorp/azurerm"],
│ on providers.tf line 17, in provider "azurerm":
│ 17: provider "azurerm" {
│
╵
╷
│ Error: building AzureRM Client: 1 error occurred:
│ * A Client ID must be configured when authenticating as a Service Principal using a Client Secret.
│
│
│
│ with provider["registry.terraform.io/hashicorp/azurerm"].tools,
│ on providers.tf line 48, in provider "azurerm":
│ 48: provider "azurerm" {
│
The code was run on an Azure VM Scale Set with an assigned managed identity.
I made another test and I got the same error for a single provider. It looks like something is wrong with passing variables via the environment variable TF_VAR_name.
I use these versions:
- Terraform v1.0.11
- azurerm v2.98.0
Comments (2)
The error indicates that the client_id argument for the provider has not been specified. When authenticating the AzureRM provider with a service principal, you also need to specify a client_id, and then also either a secret or a certificate (unsure which you are targeting here). This will resolve your issue, but you will also need to specify the client cert or secret as mentioned in the linked documentation above. Also, the use_msi argument is being ignored by the provider configuration, so the provider is understanding the authentication method as service principal instead of managed service identity. Note also that for the default provider configuration, you can use native authentication environment variables like ARM_SUBSCRIPTION_ID instead of Terraform variables, i.e. var.SUBSCRIPTION_ID.

I found that one of the scripts set ARM_ACCESS_KEY and ARM_CLIENT_SECRET, and because of this Terraform considered this as Service Principal authentication. Once I removed that part, all works fine.
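The two comments above describe the same root cause from both sides: a service-principal credential left in the environment (here ARM_CLIENT_SECRET) makes the azurerm provider authenticate as a service principal, so use_msi = true is ignored and the "Client ID must be configured" error appears. The POSIX shell script below is an added example, not code from the original post or from the azurerm provider. It checks the environment for the provider's real service-principal credential variables (ARM_CLIENT_SECRET and ARM_CLIENT_CERTIFICATE_PATH) before a managed-identity run, reports which ones are set without printing their values, and offers a wrapper that runs terraform with only ARM_USE_MSI in scope. The function names are my own choice; the wrapper assumes a terraform binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original post or the azurerm provider).
# Fail fast when service-principal credentials are present in the environment
# of a run that is supposed to use the VM's managed identity.

# Environment variables that make the azurerm provider choose service-principal
# authentication (real provider variable names; the list itself is my choice).
SP_AUTH_VARS="ARM_CLIENT_SECRET ARM_CLIENT_CERTIFICATE_PATH"

# Report every service-principal credential variable that is set and non-empty.
# Prints the variable name and the value length only, never the value itself.
# Returns 0 when none is set (MSI will be used), 1 when a conflict exists.
arm_auth_conflicts() {
    found=0
    for name in $SP_AUTH_VARS; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            printf 'conflict: %s is set (%d chars)\n' "$name" "${#value}"
            found=1
        fi
    done
    return $found
}

# Number of conflicting variables, for callers that want a value rather than
# an exit status.
arm_auth_conflict_count() {
    arm_auth_conflicts | wc -l | tr -d ' '
}

# Run terraform in a subshell whose environment carries only the managed-identity
# switch: the service-principal variables are unset for this call only, so the
# caller's shell is untouched. Assumes terraform is on PATH.
terraform_with_msi() {
    (
        for name in $SP_AUTH_VARS; do
            unset "$name"
        done
        ARM_USE_MSI=true
        export ARM_USE_MSI
        exec terraform "$@"
    )
}

# Stand-alone usage: describe the current environment.
if arm_auth_conflicts; then
    echo "no service-principal credentials in the environment; use_msi will take effect"
else
    echo "remove the variables above (or use terraform_with_msi) before running with use_msi = true"
fi
```

In a pipeline, call arm_auth_conflicts right before terraform init/plan so the run stops with a clear message instead of the provider's misleading "Client ID must be configured" error; terraform_with_msi is for the case where the surrounding script must keep the secret for other steps.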