Azure Managed Identity and Terraform not working in AzureUSGoverment
I am trying to use a managed-identity to authenticate to Azure and run terraform from a virtual machine in the AzureUSGovernment cloud. I've followed the guide found here to configure terraform to use a managed-identity.
However whenever I run terraform apply/plan etc I see the following error:
│ Error: Unable to list provider registration status, it is possible that this is due to invalid credentials or the service principal does not have permission to use the Resource Manager API, Azure error: resources.ProvidersClient#List: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="SubscriptionNotFound" Message="The subscription 'xxxxxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxxxx' could not be found."
(xxxxxxxxx-xxxx-xxxxx-xxxxx-xxxxxxxxxxx is me redacting the subscription-id)
Below is a snippet of my configuration and my workflow/process for bootstrapping:
- Create a Virtual Machine with a managed identity, assign it the
Ownerrole (just for testing purposes) - Run
az cloud set -n AzureUSGovernment - Run
az login --identity - Run the terraform code.
Other Important Things to Note:
- The exact same configuration/process works just fine in Azure Commercial.
- Running
azcommands from the VM works just fine (I have RBAC permissions to do things in the account) - Here is my
provider.tf:
provider "azurerm" {
features {}
use_msi = true
subscription_id = "MYSUB-ID"
tenant_id = "MYTENANT-ID"
}
Any help is super appreciated! Thanks!
I tried testing it using my environment and I got the exact same error as you are getting :
Note: This is because the the subscription I am using is not on Azure Government cloud instead its in Azure Cloud. Please make sure you are using the correct subscription for which you have created the managed identity and the ensure the environment its in.
And , After you checked the subscription and environment , you can skip these steps :
Run az cloud set -n AzureUSGovernment
Run az login --identity
Instead you can directly use the the terraform code:
provider "azurerm" {
features {}
use_msi = true
subscription_id = "948d4068-xxxx-xxxxxx-xxxxxxx-xxxxxxxx"
tenant_id = "72f988bf-xxxx-xxxxx-xxxxxx-xxxxxxxxx"
environment = "usgovernment"
}
resource "azurerm_resource_group" "test" {
name="xterraformtest12345"
location ="east us"
}
Note:
If your subscription is in public then there is no need to set the environment and if its in some other then you can set the environment as required.
Output: After removing the environment as the subscription is in public cloud
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?