azurerm_client_config error listing Service Principals #392

Closed
k1rk opened this issue Oct 3, 2017 · 6 comments · Fixed by #393

k1rk commented Oct 3, 2017

Error on getting data from azurerm_client_config
* data.azurerm_client_config.current: data.azurerm_client_config.current: Error listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)(0xc420619ef0), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", StatusCode:401, Message:"Failure responding to request", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc420619e60)}

Terraform Version

Terraform v0.10.7
.
└── provider.azurerm 0.2.2

Affected Resource(s)

  • data.azurerm_client_config

Terraform Configuration Files

provider "azurerm" {}

data "azurerm_client_config" "current" {}

output "account_id" {
  value = "${data.azurerm_client_config.current.account_id}"
}

Debug Output

[REMOVED]

Actual Behavior

failed to get any data

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform plan

Important Factoids

Tried both with az cli auth and service principal.
I'm not an admin of the whole account but have the subscription owner role.
Listing service principals from az cli is successful with the same credentials:
az ad sp list

@tombuildsstuff
Contributor

Hey @k1rk

Thanks for opening this issue :)

Taking a quick look into this, at the current time this data source assumes you're using a Service Principal and as such will fail when using Azure CLI auth. That said - we should fix this so that's not the case, or at least displays a more helpful error message.

From what I can see, there's two separate errors which need to be fixed here:

  • The documentation is incorrect as the field application_id doesn't exist (it's instead service_principal_application_id)
  • The Data Source should be updated to work when using Azure CLI auth (by not pulling in the Service Principal specific details)

Would it be possible in the interim to know if you're able to access the Application ID via the service_principal_application_id field when authenticating via a Service Principal?

Thanks!

p.s. given the Gist posted above contains some sensitive data (the Authorization tokens), I've removed the link to it - however whilst these may have expired, I'd suggest deleting this if possible!
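
Added example (not part of the original thread or the provider's code): one way to scrub bearer tokens and client secrets from an HTTP-level debug trace before attaching it to a public issue. The sample trace is constructed, and the names `PATTERNS`, `redact` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Credential patterns seen in HTTP-level debug traces (assumed: plain-text
# headers, urlencoded form bodies and JSON bodies). Order matters: the
# specific contexts run first, the bare-JWT sweep catches anything left over.
SECRET_KEYS = r"client_secret|access_token|refresh_token|password"
PATTERNS = [
    # "Authorization: Bearer <token>": keep the scheme word, drop the value
    (re.compile(r"(?i)(authorization:[ \t]*(?:\S+[ \t]+)?)\S+"), r"\1[REDACTED]"),
    # OAuth2 token request body: ...&client_secret=<value>&...
    (re.compile(r"(?i)\b(%s)=[^&\s\"]+" % SECRET_KEYS), r"\1=[REDACTED]"),
    # JSON token response: "access_token": "<value>"
    (re.compile(r'(?i)("(?:%s)"\s*:\s*")[^"]*' % SECRET_KEYS), r"\1[REDACTED]"),
    # Any remaining JWT-shaped string (three base64url segments)
    (re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]*"), "[REDACTED-JWT]"),
]

def redact(text):
    """Return (scrubbed_text, number_of_replacements)."""
    total = 0
    for pattern, replacement in PATTERNS:
        text, n = pattern.subn(replacement, text)
        total += n
    return text, total

# Constructed sample trace; every value below is fake.
SAMPLE_LOG = """\
POST /TENANT_ID/oauth2/token HTTP/1.1
grant_type=client_credentials&client_id=00000000-0000-0000-0000-000000000000&client_secret=s3cr3t-value
{"token_type":"Bearer","access_token":"eyJhbGciOi.eyJhdWQiOi.c2lnbmF0dXJl"}
GET /TENANT_ID/servicePrincipals HTTP/1.1
Authorization: Bearer eyJhbGciOi.eyJhdWQiOi.c2lnbmF0dXJl
"""

if __name__ == "__main__":
    scrubbed, hits = redact(SAMPLE_LOG)
    print(scrubbed)
    print("replacements:", hits)
```

A token that has already been posted publicly should be treated as exposed; redaction only helps before the log leaves your machine.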

@tombuildsstuff
Contributor

Update: I've opened PR #393 which includes a fix for this :)

@k1rk
Author

k1rk commented Oct 4, 2017

Tried with Service Principal authentication, still no luck

provider "azurerm" {
  subscription_id = "90**********************************"
  client_id       = "http://**-TERRAFORM"
  client_secret   = "19**********************************"
  tenant_id       = "8c**********************************"
}

data "azurerm_client_config" "current" {}

output "application_id" {
  value = "${data.azurerm_client_config.current.service_principal_application_id}"
}

output

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.azurerm_client_config.current: Refreshing state...
Error refreshing state: 1 error(s) occurred:

* data.azurerm_client_config.current: 1 error(s) occurred:

* data.azurerm_client_config.current: data.azurerm_client_config.current: Error listing Service Principals: autorest.DetailedError{Original:(*azure.RequestError)(0xc4201f5a70), PackageType:"graphrbac.ServicePrincipalsClient", Method:"List", StatusCode:400, Message:"Failure responding to request", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc4201f55f0)}

debug

https://gist.github.com/k1rk/a9c6f0b10882505d7be58981204f8542

@tombuildsstuff
Contributor

@k1rk in your example the ClientID isn't correct, it should be a GUID - in the response back from the Azure CLI:

$ az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "azure-cli-2017-06-05-10-41-15",
  "name": "http://azure-cli-2017-06-05-10-41-15",
  "password": "0000-0000-0000-0000-000000000000",
  "tenant": "00000000-0000-0000-0000-000000000000"
}

The field appId is the ClientID - could you try with this value set instead?

Thanks!

@k1rk
Author

k1rk commented Oct 9, 2017

It worked.
But it's interesting that everything else was working with such a client ID; this service principal name is associated with this app.

az ad sp show --id 00000000-0000-0000-0000-000000000000
  {
    "appId": "00000000-0000-0000-0000-000000000000",
    "displayName": "**-TERRAFORM",
    "objectId": "00000000-0000-0000-0000-000000000000",
    "objectType": "ServicePrincipal",
    "servicePrincipalNames": [
      "http://**-TERRAFORM",
      "00000000-0000-0000-0000-000000000000"
    ]
  }
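
Added example (not part of the original thread or the provider's code): a pre-flight check for the mismatch resolved above, where `client_id` was set to an entry of `servicePrincipalNames` instead of the `appId` GUID. The HCL and JSON inputs are constructed, the function names are hypothetical, and the regex is a simplification that assumes a flat `provider "azurerm"` block with no nested braces.

```python
import json
import re

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# Simplified matching, not a full HCL parser: flat provider block only.
PROVIDER_RE = re.compile(r'provider\s+"azurerm"\s*\{(.*?)\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def provider_attrs(hcl):
    """Return the string attributes of the first azurerm provider block."""
    m = PROVIDER_RE.search(hcl)
    return dict(ATTR_RE.findall(m.group(1))) if m else {}

def check_client_id(hcl, sp_json=None):
    """Return (ok, message); sp_json is optional `az ad sp show` output."""
    client_id = provider_attrs(hcl).get("client_id")
    if client_id is None:
        return True, "no client_id in the provider block"
    if GUID_RE.match(client_id):
        return True, "client_id is a GUID"
    if sp_json:
        sp = json.loads(sp_json)
        # The name resolves to the same principal, so suggest its appId.
        if client_id in sp.get("servicePrincipalNames", []):
            return False, "client_id is a service principal name; use appId " + sp["appId"]
    return False, "client_id %r is not a GUID" % client_id

# Constructed inputs shaped like the ones in the thread; all values are fake.
BAD_HCL = '''
provider "azurerm" {
  client_id     = "http://EXAMPLE-TERRAFORM"
  client_secret = "not-a-real-secret"
}
'''
SP_JSON = '''{
  "appId": "11111111-2222-3333-4444-555555555555",
  "servicePrincipalNames": ["http://EXAMPLE-TERRAFORM",
                            "11111111-2222-3333-4444-555555555555"]
}'''

if __name__ == "__main__":
    print(check_client_id(BAD_HCL, SP_JSON))
```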

@ghost

ghost commented Apr 1, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Apr 1, 2020