
Enhancement Request: `azurerm` backend OIDC (Workload Identity federation) authentication support for token refresh

Open jaredfholgate opened this issue 1 year ago • 1 comments

Terraform Version

latest

Use Cases

As a Terraform user with remote state in Azure Blob Storage, I want to use OIDC (Workload identity federation) authentication with Azure DevOps and not have to worry about id token expiration.

Attempted Solutions

There are no good workarounds for this.

Proposal

Use the new AzurePipelinesCredential classes to automatically refresh the id token: https://devblogs.microsoft.com/azure-sdk/improve-security-posture-in-azure-service-connections-with-azurepipelinescredential/

References

  • #34322 (related)

jaredfholgate avatar Sep 02 '24 13:09 jaredfholgate

Thanks for this feature request! If you are viewing this issue and would like to indicate your interest, please use the 👍 reaction on the issue description to upvote this issue. We also welcome additional use case descriptions. Thanks again!

crw avatar Sep 03 '24 16:09 crw

Hi @crw, is there a timeline on this? MS is pushing towards workload identities; it would be great if this were supported.

Nilsas avatar Jan 29 '25 07:01 Nilsas

This PR will help to get there: https://github.com/hashicorp/terraform/pull/36258

Also see the comment on this Issue. We have been discussing this internally. The plan is to support all Microsoft Azure providers and the azurerm backend: https://github.com/hashicorp/terraform/issues/34322#issuecomment-2564937829

Timescale is still unknown, but progress is being made.

CC: @magodo

jaredfholgate avatar Jan 29 '25 09:01 jaredfholgate

@jaredfholgate Update

  • AzureRM PR: https://github.com/hashicorp/terraform-provider-azurerm/pull/28674#event-16205709334
  • AzureAD PR: https://github.com/hashicorp/terraform-provider-azuread/pull/1635
  • Azure Backend PR: https://github.com/hashicorp/terraform/pull/36458

magodo avatar Feb 06 '25 08:02 magodo

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Mar 16 '25 02:03 github-actions[bot]