Background
There are several ways for Terraform to authenticate to Azure [a]. When executing Terraform locally, many users rely on the Azure CLI and run az login. This is not an option when executing runs with Terraform Enterprise (TFE) or Terraform Cloud (TFC). Instead, you will need to use a different authentication method (e.g., Service Principal).
The goal is to populate your TFE/TFC Workspace variables page with the proper environment variables necessary for Terraform to successfully communicate with Azure. If these variables are not passed to your workspace, you may see an error complaining about the Azure CLI (see below).
Error
Error parsing json result from the Azure CLI: launching Azure CLI:
exec: "az": executable file not found in $PATH.
Cause
The Terraform AzureRM and AzureAD providers look for credentials programmatically. Azure CLI authentication is the last method the provider checks. Since TFE/TFC has no concept of this tool, the run fails and this error surfaces.
This error can be confusing. You do not need to install Azure CLI. You need to correctly configure one of these other methods of authentication [a].
Solution
One of the most straightforward methods to connect TFE/TFC to Azure is to create a Service Principal with a Client Secret [b]. If you would like to use Managed Identity, please see How to Use Managed Identity with the Azure or AzureAD Provider in Terraform Cloud [c].
This can be completed on your local machine or using the Azure Portal. To create the Service Principal (SP) locally, use the Azure CLI.
First, locate the subscription ID.
To create the SP, execute:
az ad sp create-for-rbac --name test --role Contributor --scopes /subscriptions/<subscription-id>
Terminal output:
{
  "appId": "xxxxxxxxxxca8d",
  "displayName": "test",
  "password": "xxxxxxxxxxtaJh",
  "tenant": "xxxxxxxxxx52ec"
}
Convert these to environment variables in your TFE/TFC workspace:
ARM_CLIENT_ID=xxxxxxxxxxca8d
ARM_CLIENT_SECRET=xxxxxxxxxxtaJh
ARM_SUBSCRIPTION_ID=xxxxxxxxxx7c26
ARM_TENANT_ID=xxxxxxxxxx52ec
For more details, see Managing Variables [d].
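The mapping above, as an added example that is not part of the original article or HashiCorp's own code: it converts the create-for-rbac output into the four ARM_* variables and builds one request body per variable in the shape the TFE/TFC workspace variables API accepts, with ARM_CLIENT_SECRET flagged as sensitive. The function names and the choice to prepare API payloads instead of typing values into the UI are assumptions; the sample values are the placeholders shown above.

```python
import json

# Fields printed by `az ad sp create-for-rbac` -> variables read by the AzureRM provider.
SP_FIELD_TO_ENV = {
    "appId": "ARM_CLIENT_ID",
    "password": "ARM_CLIENT_SECRET",
    "tenant": "ARM_TENANT_ID",
}
SENSITIVE = {"ARM_CLIENT_SECRET"}  # must be write-only in the workspace

# Constructed sample input: the placeholder output shown in this article.
SAMPLE_SP_JSON = """{ "appId": "xxxxxxxxxxca8d", "displayName": "test",
  "password": "xxxxxxxxxxtaJh", "tenant": "xxxxxxxxxx52ec" }"""
SAMPLE_SUBSCRIPTION_ID = "xxxxxxxxxx7c26"


def arm_env_from_sp(sp_json, subscription_id):
    """Return the four ARM_* variables, refusing incomplete input."""
    sp = json.loads(sp_json)
    missing = [field for field in SP_FIELD_TO_ENV if not sp.get(field)]
    if not subscription_id:
        missing.append("subscription id")
    if missing:
        # An incomplete set leaves the provider without usable credentials in the run.
        raise ValueError("missing: " + ", ".join(missing))
    env = {name: sp[field] for field, name in SP_FIELD_TO_ENV.items()}
    env["ARM_SUBSCRIPTION_ID"] = subscription_id
    return env


def workspace_var_payloads(env):
    """One JSON:API body per variable for POST /api/v2/workspaces/<id>/vars."""
    return [
        {"data": {"type": "vars", "attributes": {
            "key": key, "value": value, "category": "env",
            "hcl": False, "sensitive": key in SENSITIVE}}}
        for key, value in sorted(env.items())
    ]


def redacted(env):
    """Copy of env that is safe to log: the client secret is masked."""
    return {k: "<redacted>" if k in SENSITIVE else v for k, v in env.items()}


if __name__ == "__main__":
    env = arm_env_from_sp(SAMPLE_SP_JSON, SAMPLE_SUBSCRIPTION_ID)
    print(json.dumps(redacted(env), indent=2))
```
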
Links
[a] https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure