TFE/TFC Auth with Azure and Error: "az": executable file not found in $PATH

Avatar
Julie Erlemeier
  • Updated

Problem

When running Terraform in Terraform Enterprise (TFE) or HCP Terraform, a plan fails with an error indicating the Azure CLI executable is not found.

Error parsing json result from the Azure CLI: launching Azure CLI: exec: "az": executable file not found in $PATH.

Cause

The Terraform AzureRM and AzureAD providers programmatically check for credentials in a specific order. Authentication using the Azure CLI (az login) is the last method the provider attempts. Because TFE and HCP Terraform execution environments do not have the Azure CLI installed, the run fails when no other authentication method is configured.

To resolve this, you must configure an alternative authentication method, such as a Service Principal or a Managed Identity, by setting the appropriate environment variables in your workspace.

Solutions

There are several ways for Terraform to authenticate to Azure. The following are two common methods for TFE and HCP Terraform.

Solution 1: Use a Service Principal with a Client Secret

One of the most direct methods is to create a Service Principal with a Client Secret. You can create the Service Principal (SP) from your local machine using the Azure CLI.

  1. First, locate your Azure subscription ID.

  2. Create the Service Principal. Replace <subscription-id> with your actual ID.

    $ az ad sp create-for-rbac --name test --role Contributor --scopes /subscriptions/<subscription-id>

    The command returns a JSON object with the credentials.

    {
  "appId": "xxxxxxxxxxca8d",
  "displayName": "test",
  "password": "xxxxxxxxxxtaJh",
  "tenant": "xxxxxxxxxx52ec"
}

  3. In your TFE or HCP Terraform workspace, create the following environment variables using the values from the output.

    ARM_CLIENT_ID=xxxxxxxxxxca8d
ARM_CLIENT_SECRET=xxxxxxxxxxtaJh
ARM_SUBSCRIPTION_ID=<your-subscription-id>
ARM_TENANT_ID=xxxxxxxxxx52ec

Solution 2: Use a Managed Identity

If your TFE installation or HCP Terraform agents are running on an Azure VM, you can use a Managed Identity for authentication. This method avoids storing secrets as environment variables.

For detailed instructions, refer to the guide on How to Use Managed Identity with the Azure or AzureAD Provider in Terraform Cloud.

Additional Information

  • For more details on configuring variables in your workspace, see the Managing Variables documentation.

Articles in this section

See more

Related articles