Azure Auth Chain
The Terraspace Azurerm Plugin can authenticate to the Azure REST API via the following mechanisms.
The Terraspace Azurerm Plugin makes use of the armrest gem library to achieve this.
Terraspace will authenticate to the Azure API with these environment variables:
ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID
ARM_CLIENT_IDis set, it will assume that
ARM_CLIENT_SECRETis also set.
ARM_TENANT_IDis also used if set. If
ARM_TENANT_IDis not set, it’ll try to get the value using
az account show
MSI: Managed Identity
The armrest library discovers whether or not MSI is available with an initial network call to
169.254.169.254/metadata/instance. So something like this:
curl --connect-timeout 0.5 -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-11-01"
Some notes about this metadata endpoint check:
- The network call to metadata/instance endpoint uses a low connect timeout setting of 0.5 seconds. This is done to prevent the overall auth chain from stalling when the API endpoint is unavailable on some systems. Other API calls to Azure have a connect and read timeout setting of 30s. Note: These timeout values may change, so check the source code.
- It caches the result to memory in a class variable, so it only checks it once per terraspace invocation.
- You can also disable MSI entirely by setting the environment variable
Terraspace authenticate via the az cli, by essentially calling:
az account get-access-token