terraform: building account: could not acquire access token to parse claims

Question

In portal.azure.com, i set up a new app registration for terraform and creates a certificate & secret. the app has the 'Cloud Application Administrator' role. I am attempting to use this to run my terraform script.

I have the following terraform code:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">=3.53.0"
    }
    azapi = {
      source = "azure/azapi"
    }
  }
}

provider "azurerm" {
  features {}
  subscription_id = "<subscription_id>"
  client_id = "<client_id>"
  client_secret = "<client_secret>"
  tenant_id = "<tenant_id>"
}
provider "azapi" {
  subscription_id = "<subscription_id>"
  client_id = "<client_id>"
  client_secret = "<client_secret>"
  tenant_id = "<tenant_id>"
  use_cli = true
}

then i do a terraform plan, i am getting

│ Error: building account: could not acquire access token to parse claims: clientCredentialsToken: cannot request token: Post "https://login.microsoftonline.com/8e7e5486-6e11-48bf-9cca-ef5fd4205af3/oauth2/v2.0/token": POST https://login.microsoftonline.com/8e7e5486-6e11-48bf-9cca-ef5fd4205af3/oauth2/v2.0/token giving up after 5 attempt(s): Post "https://login.microsoftonline.com/8e7e5486-6e11-48bf-9cca-ef5fd4205af3/oauth2/v2.0/token": dial tcp: lookup login.microsoftonline.com on 127.0.0.11:53: server misbehaving
│ 
│   with provider["registry.terraform.io/hashicorp/azurerm"],
│   on providers.tf line 13, in provider "azurerm":
│   13: provider "azurerm" {

I am not sure what the issue is here. I am running this is VSCode in a devcontainer (my dev environment is dockerized).

Answer 1

terraform: building account: could not acquire access token to parse claims is caused due to temporary network issue.

As you mentioned it seems you surpassed the error this might be because of temporary network issue which can also identifies by changing your container's networking mode.

Docker defaults to a bridged network but switching to host networking (by adding --network="host" to your docker run command) may resolve DNS resolution problems, though it may also affect the container's isolation.

This issue often stems from DNS configuration problems within the Docker container where your development environment and Terraform are running, and it's temporary.

Additionally, the error suggests that your retry logic is giving up after 5 attempts. You may need to verify that your Docker container has a stable internet connection before executing Terraform commands.

Sometimes Docker container may not have proper DNS settings. By default, Docker attempts to use the DNS settings of the host machine, but network issues or DNS blocking can interfere with this process. You can explicitly set DNS servers for Docker containers by modifying the Docker daemon configuration or using the --dns flag with docker run.

And the issue mentioned in the comment was required reader access to your container registry. Cloud Application Administrator alone won't workout in your case.

Reference:

Docker-networking

Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Learn