Azure Dynamic Provider Credentials
To use Azure Dynamic Provider Credentials to authenticate to Azure without storing any sensitive credential in a workspace, follow these steps:
Register Application
We need to register a new application in Microsoft Entra, as in the following example:
Once we have the application, we need to add a federated credential to it.
Select the type "Other" and fill in the following information:
Subject: organization:MY_ORGANIZATION_NAME:workspace:MY_WORKSPACE_NAME
Audience: api://AzureADTokenExchange
You need to grant the application access to your Azure resources, for example by assigning it the "Contributor" role or any other role.
Inside the workspace you will have to add the following environment variables:
ARM_TENANT_ID=YOUR AZURE TENANT ID
ARM_SUBSCRIPTION_ID=YOUR AZURE SUBSCRIPTION ID
ARM_CLIENT_ID=YOUR AZURE APPLICATION ID
ARM_USE_OIDC=true
ENABLE_DYNAMIC_CREDENTIALS_AZURE=true
WORKLOAD_IDENTITY_AUDIENCE_AZURE=api://AzureADTokenExchange
When running a job, Terrakube will authenticate to Azure correctly without any credentials stored inside the workspace.
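As an added example (not Terrakube or Azure code), the following Python checks the two things the setup above depends on: that the workspace variables are set as listed, and that the token Terrakube presents carries the audience and the organization:workspace subject registered on the federated credential. The GUIDs, issuer URL and token are constructed placeholders, and the subject claim format is assumed to follow the subject pattern given above.

```python
import base64
import json
import uuid

AUDIENCE = "api://AzureADTokenExchange"  # audience from the page

def expected_subject(organization: str, workspace: str) -> str:
    """Subject registered on the Entra federated credential (type "Other")."""
    return f"organization:{organization}:workspace:{workspace}"

def check_workspace_env(env: dict) -> list:
    """Return the problems found in a workspace's dynamic-credential variables."""
    problems = []
    for key in ("ARM_TENANT_ID", "ARM_SUBSCRIPTION_ID", "ARM_CLIENT_ID"):
        try:
            uuid.UUID(env.get(key, ""))
        except ValueError:
            problems.append(f"{key} must be a GUID")
    for key in ("ARM_USE_OIDC", "ENABLE_DYNAMIC_CREDENTIALS_AZURE"):
        if env.get(key, "").lower() != "true":
            problems.append(f"{key} must be true")
    if env.get("WORKLOAD_IDENTITY_AUDIENCE_AZURE") != AUDIENCE:
        problems.append(f"WORKLOAD_IDENTITY_AUDIENCE_AZURE must be {AUDIENCE}")
    return problems

def decode_claims(token: str) -> dict:
    """Decode a compact JWT payload; Entra (not this code) checks the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches_federated_credential(token, organization, workspace) -> bool:
    """True when the token's aud and sub match the registered federated credential."""
    claims = decode_claims(token)
    aud = claims.get("aud")
    aud_ok = AUDIENCE in aud if isinstance(aud, list) else aud == AUDIENCE
    return aud_ok and claims.get("sub") == expected_subject(organization, workspace)

def _b64(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample data: GUIDs, issuer and signature are placeholders.
SAMPLE_ENV = {
    "ARM_TENANT_ID": "11111111-2222-3333-4444-555555555555",
    "ARM_SUBSCRIPTION_ID": "66666666-7777-8888-9999-000000000000",
    "ARM_CLIENT_ID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "ARM_USE_OIDC": "true", "ENABLE_DYNAMIC_CREDENTIALS_AZURE": "true",
    "WORKLOAD_IDENTITY_AUDIENCE_AZURE": AUDIENCE,
}
SAMPLE_TOKEN = ".".join([_b64({"alg": "RS256", "typ": "JWT"}), _b64({
    "iss": "https://terrakube.example.invalid", "aud": AUDIENCE,
    "sub": expected_subject("acme", "prod-network")}), "signature-placeholder"])
```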
Terraform example using the CLI driven workflow:
Running example: