
Authenticating via a Service Principal and a Client Certificate tries to authenticate with Managed Identities and times out #609

Open
FrancescaRodricks opened this issue Sep 9, 2024 · 7 comments

Comments

@FrancescaRodricks

FrancescaRodricks commented Sep 9, 2024

https://github.com/Azure/terraform-provider-azapi/blob/main/docs/guides/service_principal_client_certificate.md#configuring-the-service-principal-in-terraform

I tried to run a similar setup (https://github.com/thomast1906/thomasthorntoncloud-examples/blob/master/Terraform-OpenAI-ContentFilter-AzAPI/terraform/main.tf#L38) with the provider version below.

Provider version used - azure/azapi v1.14.0...

provider "azapi" {
  subscription_id             = var.subscription_id
  client_id                   = var.client_id
  client_certificate          = var.client_certificate
  client_certificate_password = var.client_certificate_password
  tenant_id                   = var.tenant_id
  use_cli                     = false
}

And had the following error when trying to create azapi_resource.

ChainedTokenCredential: failed to
│ acquire a token.
│ Attempted credentials:
│ 	managed identity timed out
│ 	AzureCLICredential: Azure CLI not found on path

So I tried to disable managed identity based auth by setting use_msi = false

provider "azapi" {
  subscription_id             = var.subscription_id
  client_id                   = var.client_id
  client_certificate          = var.client_certificate
  client_certificate_password = var.client_certificate_password
  tenant_id                   = var.tenant_id
  use_cli                     = false
  use_msi                     = false
}

And ran into the following error

Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Failed to obtain a credential.
│ 
│   with provider["registry.terraform.io/azure/azapi"],
│   on main.tf line 115, in provider "azapi":
│  115: provider "azapi" {
│ 
│ no credentials were successfully initialized
╵

Which indicates that service principal credentials are not being used.

Expected Behaviour - The provider should use the service principal rather than a managed identity

@ms-henglu
Member

Hi @FrancescaRodricks ,

Thank you for taking time to report this issue!

Please share the debug log to help us investigate.

Here's how:

  1. Add the below environment variables:
TF_LOG=DEBUG
TF_LOG_PATH=./terraform.log
  2. Run the terraform plan command and the logs will be stored in the terraform.log file.

@alexey-ban

same problem with version 1.15.0

@ms-henglu
Member

Hi @alexey-ban , are you having the same issue when authenticating with client certificate?

@dan-leanix

dan-leanix commented Nov 29, 2024

@ms-henglu We have the same issue with provider version 2.1.0.

Using:

provider "azapi" {
  client_id                   = var.arm_client_id
  client_certificate          = var.arm_client_certificate
  client_certificate_password = var.arm_client_certificate_password
  tenant_id                   = var.arm_tenant_id
  subscription_id             = var.arm_subscription_id
}

Results in the error message:

Attempted credentials:
	AzureCLICredential: Azure CLI not found on path

But using the following provider config works. I assume that the credential object for the certificate is not built correctly or is just empty, even with the correct parameters provided.

provider "azapi" {
  client_id                   = var.arm_client_id
  client_secret               = var.arm_client_secret
  client_certificate          = var.arm_client_certificate
  client_certificate_password = var.arm_client_certificate_password
  tenant_id                   = var.arm_tenant_id
  subscription_id             = var.arm_subscription_id
}

@ms-henglu
Member

ms-henglu commented Dec 2, 2024

Hi all,

I believe the cause is that the certificate format is not supported in the Azure Go SDK (tracked by Azure/azure-sdk-for-go#22906).

If you enable the debug logs by adding the environment variable "TF_LOG=DEBUG" and you encounter the below error message:

2024-12-02T14:32:30.458+0800 [DEBUG] provider.terraform-provider-azapi: [DEBUG] building client certificate credential
2024-12-02T14:32:30.458+0800 [DEBUG] provider.terraform-provider-azapi: [DEBUG] reading certificate from file /Users/luheng/test1.pfx
2024-12-02T14:32:30.460+0800 [DEBUG] provider.terraform-provider-azapi: [DEBUG] failed to initialize client certificate credential: failed to load certificate": pkcs12: unknown digest algorithm: 2.16.840.1.101.3.4.2.1

Please try the command below to export the pfx certificate file:

 openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -export -macalg sha1 -password pass:"{password}" -out ~/my.pfx -inkey ~/service-principal.key -in ~/service-principal.crt

refs: https://discuss.hashicorp.com/t/azure-service-principal-client-certificate-error/32037?msclkid=9351d13bd12411ec96deb763dd60b7af
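A pre-flight check for the condition described in the comment above, added here as an example; it is not part of this thread, the provider, or the Azure SDK. It walks the parts of a .pfx that are DER in the clear (the MAC DigestInfo and the PBE AlgorithmIdentifiers are never encrypted) and reports any algorithm that is not what the export command above produces, so a file can be checked offline, without the password, before the provider reports `pkcs12: unknown digest algorithm`. The accepted set is an assumption: SHA-1 for the MAC and PBE-SHA1-3DES (plus PBE-SHA1-RC2-40, which the Go pkcs12 package also decodes) for the bags; SHA-256 (2.16.840.1.101.3.4.2.1) is the digest OID from the error in the log above. `sample_pfx` builds constructed test skeletons whose ciphertext is zero bytes; they are not loadable certificates, only carriers for the algorithm identifiers. All function and constant names are the example's own.

```python
"""Check which MAC digest and PBE algorithms a PKCS#12 (.pfx) file uses.
Added example, not provider or SDK code; works without the password."""
import sys

OID_DATA             = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA   = "1.2.840.113549.1.7.6"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_SHA1             = "1.3.14.3.2.26"
OID_SHA256           = "2.16.840.1.101.3.4.2.1"      # digest OID from the provider's error
OID_PBE_SHA1_3DES    = "1.2.840.113549.1.12.1.3"
OID_PBE_SHA1_RC2_40  = "1.2.840.113549.1.12.1.6"
OID_PBES2            = "1.2.840.113549.1.5.13"       # OpenSSL 3 default export
ACCEPTED_MAC = {OID_SHA1}                                    # assumption: -macalg sha1
ACCEPTED_PBE = {OID_PBE_SHA1_3DES, OID_PBE_SHA1_RC2_40}      # assumption: legacy PBE only


def der_read(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode OID contents (base-128 arcs) to dotted form."""
    subids, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(acc)
            acc = 0
    first = subids[0]
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(x) for x in head + subids[1:])


def algorithm_oid(alg_id_contents):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY } -> dotted OID."""
    return decode_oid(der_children(alg_id_contents)[0][1])


def inspect_pfx(data):
    """Return the MAC digest OID and the PBE OIDs of the cert bag and shrouded key bag."""
    _, pfx, _ = der_read(data)                                  # PFX ::= SEQUENCE {version, authSafe, macData}
    _, auth_safe, mac_data = der_children(pfx)[:3]
    digest_info = der_children(mac_data[1])[0][1]               # MacData.mac is a DigestInfo
    mac_oid = algorithm_oid(der_children(digest_info)[0][1])
    _, octets, _ = der_read(der_children(auth_safe[1])[1][1])  # [0] EXPLICIT OCTET STRING
    _, authenticated_safe, _ = der_read(octets)                 # SEQUENCE OF ContentInfo
    cert_pbe, key_pbe = [], []
    for _, content_info in der_children(authenticated_safe):
        children = der_children(content_info)
        ctype = decode_oid(children[0][1])
        _, payload, _ = der_read(children[1][1])                # unwrap [0] EXPLICIT
        if ctype == OID_ENCRYPTED_DATA:                         # cert bag: EncryptedData
            eci = der_children(payload)[1][1]                   # EncryptedContentInfo
            cert_pbe.append(algorithm_oid(der_children(eci)[1][1]))
        elif ctype == OID_DATA:                                 # key bag: OCTET STRING of SafeContents
            _, safe_contents, _ = der_read(payload)
            for _, safe_bag in der_children(safe_contents):
                bag = der_children(safe_bag)
                if decode_oid(bag[0][1]) == OID_SHROUDED_KEY_BAG:
                    _, epki, _ = der_read(bag[1][1])            # EncryptedPrivateKeyInfo
                    key_pbe.append(algorithm_oid(der_children(epki)[0][1]))
    return {"mac": mac_oid, "cert_pbe": cert_pbe, "key_pbe": key_pbe}


def check_pfx(data):
    """(ok, findings): ok when every algorithm is in the accepted legacy set."""
    info, findings = inspect_pfx(data), []
    if info["mac"] not in ACCEPTED_MAC:
        findings.append(f"MAC digest {info['mac']} is not SHA-1; re-export with -macalg sha1")
    for oid in info["cert_pbe"] + info["key_pbe"]:
        if oid not in ACCEPTED_PBE:
            findings.append(f"PBE {oid} is not PBE-SHA1-3DES; re-export with -certpbe/-keypbe PBE-SHA1-3DES")
    return not findings, findings


# --- constructed test data: PFX skeletons with zero-byte ciphertext (not loadable certificates) ---
def der(tag, *parts):
    body = b"".join(parts)
    n = (len(body).bit_length() + 7) // 8
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x80 | n]) + len(body).to_bytes(n, "big")
    return bytes([tag]) + length + body


def encode_oid(dotted):
    arcs, out = [int(a) for a in dotted.split(".")], b""
    for s in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [s & 0x7F]
        while s >> 7:
            s >>= 7
            chunk.append(0x80 | (s & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, out)


def sample_pfx(mac_oid, pbe_oid):
    alg = lambda oid: der(0x30, encode_oid(oid), der(0x05))     # AlgorithmIdentifier, NULL params
    enc = der(0x30, der(0x02, b"\x00"), der(0x30, encode_oid(OID_DATA), alg(pbe_oid), der(0x80, bytes(8))))
    cert_ci = der(0x30, encode_oid(OID_ENCRYPTED_DATA), der(0xA0, enc))
    key_bag = der(0x30, encode_oid(OID_SHROUDED_KEY_BAG), der(0xA0, der(0x30, alg(pbe_oid), der(0x04, bytes(8)))))
    key_ci = der(0x30, encode_oid(OID_DATA), der(0xA0, der(0x04, der(0x30, key_bag))))
    auth_safe = der(0x30, encode_oid(OID_DATA), der(0xA0, der(0x04, der(0x30, cert_ci, key_ci))))
    mac_data = der(0x30, der(0x30, alg(mac_oid), der(0x04, bytes(20))), der(0x04, bytes(8)), der(0x02, b"\x08\x00"))
    return der(0x30, der(0x02, b"\x03"), auth_safe, mac_data)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        ok, findings = check_pfx(f.read())
    print("OK: legacy algorithms only" if ok else "\n".join(findings))
    sys.exit(0 if ok else 1)
```

Run it as `python check_pfx.py ~/my.pfx`; a non-zero exit with the findings listed means the file will hit the decoder error and should be re-exported with the openssl command above. The parser is deliberately strict about the PFX layout (one cert bag as EncryptedData, one shrouded key bag under id-data), which is the layout OpenSSL's `pkcs12 -export` writes; it does not descend into the encrypted payloads, so it cannot tell you whether the password is right.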

@dan-leanix

@ms-henglu I will try it out today. Looking into this, the azurerm and azuread providers must use a different Azure Go SDK, as their instructions on how to create the certificate use other values than you mention above.

@dan-leanix
Copy link

@ms-henglu The new export command is working. Thank you.


4 participants