Skip to content
Latchkey

Terraform Azure "building AzureRM Client" Auth Errors in CI

The azurerm provider could not authenticate to Azure. The service principal credentials are missing or wrong, or OIDC federation was never configured for the runner.

What this error means

plan/apply fails with "Error building AzureRM Client" or an authentication error naming a missing tenant/subscription/client value. It surfaces on a fresh pipeline or after credentials rotate.

terraform output
Error: building AzureRM Client: please ensure you have installed Azure CLI...
or that you have configured a Service Principal:
  ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID

Common causes

Service principal env vars missing

azurerm reads ARM_CLIENT_ID, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, and either a secret or OIDC token. If any are unset in the job, authentication fails.

OIDC federation not configured

When using workload-identity federation, a missing federated credential on the app registration, or a missing id-token: write permission, means no token is issued.

How to fix it

Provide the service principal credentials

Set the ARM_* values from secrets so azurerm can authenticate.

.github/workflows/ci.yml
env:
  ARM_CLIENT_ID:       ${{ secrets.ARM_CLIENT_ID }}
  ARM_CLIENT_SECRET:   ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_TENANT_ID:       ${{ secrets.ARM_TENANT_ID }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}

Use OIDC instead of a client secret

Federated credentials avoid a long-lived secret. Set use_oidc and grant id-token: write.

provider.tf
provider "azurerm" {
  features {}
  use_oidc = true
}

How to prevent it

  • Store ARM_* values as secrets, never in the repo.
  • Prefer OIDC federation over client secrets in CI.
  • Verify auth early with az account show or a small data source.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →