I'm trying to use Terraform's azapi to deploy a quota alarm and I'm running into an error with OAuth: "Identity not found".
I have my provider set up with:
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.43.0"
    }
    azapi = {
      source = "azure/azapi"
    }
  }
}

# Default (unaliased) azurerm configuration, authenticating via OIDC.
provider "azurerm" {
  tenant_id                  = "<Tenant ID>"
  subscription_id            = "<Subscription ID 1>"
  skip_provider_registration = true
  use_oidc                   = true
  features {}
}

# Aliased azapi configuration; no default (unaliased) azapi block is declared.
provider "azapi" {
  alias           = "alias1"
  tenant_id       = "<Tenant ID>"
  subscription_id = "<Subscription ID 2>"
  use_oidc        = true
}
I am using GitHub Actions and we log in to Azure via OIDC. azurerm is working fine but azapi is failing with:
Error: checking for presence of existing Resource: (ResourceId "/subscriptions/<Subscription ID 2>/resourceGroups/quota-alarms/providers/Microsoft.Insights/scheduledQueryRules/total_regional_vcpu_quota_alarm" / Api Version "2023-03-15-preview"): ChainedTokenCredential authentication failed
GET http://169.254.169.254/metadata/identity/oauth2/token
--------------------------------------------------------------------------------
RESPONSE 400 Bad Request
--------------------------------------------------------------------------------
{
"error": "invalid_request",
"error_description": "Identity not found"
}
--------------------------------------------------------------------------------
Any thoughts on why authentication is working for azurerm but not azapi?
I was able to resolve this myself.
The problem was that I was specifying an alias name in the provider block but not in the azapi_resource block. I think it was trying to fall back to a generic azapi provider, which works on my dev machine because I have AZ CLI set up.
I specified a provider alias in the resource block and it worked:
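The fix described in this answer, as an added illustration that is not the poster's own snippet: a resource with no `provider` argument uses the default, unaliased azapi configuration, which is not declared here and so carries no OIDC settings, while `provider = azapi.alias1` pins the resource to the aliased one. The resource label `quota_alarm` and the `<Region>` placeholder are assumptions; the name, resource group and API version are taken from the error message in the question.

```hcl
# Aliased configuration from the question: the only azapi block with OIDC enabled.
provider "azapi" {
  alias           = "alias1"
  tenant_id       = "<Tenant ID>"
  subscription_id = "<Subscription ID 2>"
  use_oidc        = true
}

# Before: no `provider` argument, so Terraform selects the default (unaliased)
# azapi configuration. None is declared, so it is empty and relies on ambient
# credentials: the Azure CLI login on a workstation, or the managed identity
# endpoint (169.254.169.254) on the runner, which answers "Identity not found".
#
# resource "azapi_resource" "quota_alarm" {
#   type      = "Microsoft.Insights/scheduledQueryRules@2023-03-15-preview"
#   name      = "total_regional_vcpu_quota_alarm"
#   parent_id = "/subscriptions/<Subscription ID 2>/resourceGroups/quota-alarms"
# }

# After: the resource is bound explicitly to the OIDC-enabled configuration.
resource "azapi_resource" "quota_alarm" { # label is an assumption
  provider  = azapi.alias1
  type      = "Microsoft.Insights/scheduledQueryRules@2023-03-15-preview"
  name      = "total_regional_vcpu_quota_alarm"
  parent_id = "/subscriptions/<Subscription ID 2>/resourceGroups/quota-alarms"
  location  = "<Region>" # placeholder; the region is not given on the page

  # body = ... the alert rule's properties, which are not shown on the page
}
```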