Azurerm Backend Configuration Behaviour Change
Terraform Version
1.13.0
Terraform Configuration Files
/project/terraform/main.tf
terraform {
backend "azurerm" {
# Configured via -backend-config=backend-config.hcl
}
required_providers {
azurerm = { source = "hashicorp/azurerm", version = "~> 4" }
}
}
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
/project/backend-config.hcl
resource_group_name = "rg-test"
storage_account_name = "sa-test"
container_name = "tf-state"
key = "test"
subscription_id = "00000000-0000-0000-0000-000000000000"
use_azuread_auth = false
use_msi = true
client_id = "00000000-0000-0000-0000-000000000000" # client id of user-assigned identity
client_secret = "" # explicitly set to empty to prevent the ARM_CLIENT_SECRET environment variable from being used
Expected Behavior
The terraform azurerm backend must use managed identity authentication (as it did with Terraform 1.12.2).
Actual Behavior
The terraform azurerm backend is using client credential authentication instead of managed identity:
╷
│ Error: retrieving Storage Account (Subscription: "00000000-0000-0000-0000-000000000000"
│ Resource Group Name: "rg-test"
│ Storage Account Name: "sa-test"): authorizing request: clientCredentialsToken: received HTTP status 400 with response: {"error":"invalid_client","error_description":"AADSTS7000232: MSI identity (80240f99-b719-4cab-9d18-19abab3165f4) should not use ClientSecretCredential. Trace ID: 00000000-0000-0000-0000-000000000000 Correlation ID: 00000000-0000-0000-0000-000000000000 Timestamp: 2025-10-29 20:18:22Z","error_codes":[7000232],"timestamp":"2025-10-29 20:18:22Z","trace_id":"00000000-0000-0000-0000-000000000000","correlation_id":"00000000-0000-0000-0000-000000000000","error_uri":"https://login.microsoftonline.com/error?code=7000232"}
│
Steps to Reproduce
- Export azurerm provider configuration
export ARM_CLIENT_ID="11111111-1111-1111-1111-111111111111"
export ARM_CLIENT_SECRET="12345678-1111-1111-1111-111111111111"
export ARM_TENANT_ID="11111111-1111-1111-1111-111111111111"
export ARM_SUBSCRIPTION_ID="21111111-1111-1111-1111-111111111111"
terraform init -backend-config=/project/backend-config.hcl
Additional Context
We use Client Secret for Azurerm provider and Managed Identity for Azurerm backend.
In 1.12.2, the azurerm backend configuration treated an empty string as set and the default value was not set: https://github.com/hashicorp/terraform/blob/ce0baf874af938310a4cb03ad2d71150d474fa70/internal/legacy/helper/schema/backend.go#L80
Introduced with https://github.com/hashicorp/terraform/commit/481bef375938d8473e235734f904136a0e8a8ccd in 1.13.0, the azurerm backend overwrites empty strings with the default value: https://github.com/hashicorp/terraform/blob/26f289aeb5de07475f380bd20345ac9ec68b4582/internal/backend/backendbase/sdklike.go#L215
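The two readings of an explicit empty string described in the comment above, reduced to a small model (added illustration, not Terraform's code and not taken from the linked commits). `Setting`, `ResolveString`, `ChooseAuth`, `ValidateAuth` and `EffectiveAuth` are hypothetical names; the precedence in `ChooseAuth` (a non-empty client secret wins over `use_msi`) is an assumption chosen to match the error in the report, and the config and environment values are constructed to mirror the report. The point it makes: under the 1.12.2 reading `client_secret = ""` suppresses `ARM_CLIENT_SECRET` and managed identity is selected; under the 1.13.0 reading the empty string is replaced by the environment value and client-credential auth is selected, which is the AADSTS7000232 failure. `ValidateAuth` is the fail-fast check a backend (or a wrapper script) can run before any token request so the mismatch is caught locally instead of at the identity provider.

```go
package main

import (
	"errors"
	"fmt"
)

// Setting is one backend attribute as read from backend-config.hcl.
// Present records whether the key appeared at all; Value is its string
// value, which may legitimately be "".
type Setting struct {
	Present bool
	Value   string
}

// AuthMethod is the credential type the backend ends up using.
type AuthMethod string

const (
	AuthManagedIdentity   AuthMethod = "managed_identity"
	AuthClientCredentials AuthMethod = "client_credentials"
)

// ResolveString returns the effective value of a string attribute. When the
// attribute has to be defaulted, env[envVar] is used (this is the path by
// which ARM_CLIENT_SECRET reaches the backend). emptyCountsAsSet selects the
// behaviour under discussion: true models the 1.12.2 reading (an explicit
// "" is a real value and suppresses the default), false the 1.13.0 reading
// (an explicit "" is replaced by the default).
func ResolveString(s Setting, env map[string]string, envVar string, emptyCountsAsSet bool) string {
	if s.Present && (s.Value != "" || emptyCountsAsSet) {
		return s.Value
	}
	return env[envVar]
}

// ChooseAuth maps the resolved settings to a credential type. Assumed
// precedence, consistent with the report's error (a client secret was used
// although use_msi was true): a non-empty secret wins over MSI.
func ChooseAuth(clientSecret string, useMSI bool) AuthMethod {
	if clientSecret != "" {
		return AuthClientCredentials
	}
	if useMSI {
		return AuthManagedIdentity
	}
	return AuthClientCredentials
}

// ValidateAuth is a fail-fast check to run before any token request: a
// managed identity must never be paired with a client secret, which is the
// condition AADSTS7000232 rejects at runtime.
func ValidateAuth(clientSecret string, useMSI bool) error {
	if useMSI && clientSecret != "" {
		return errors.New("use_msi=true but a client secret is also set; refusing to fall back to client-credential auth")
	}
	return nil
}

// EffectiveAuth runs the whole pipeline for one config/environment pair.
func EffectiveAuth(cfg map[string]Setting, env map[string]string, emptyCountsAsSet bool) (AuthMethod, error) {
	secret := ResolveString(cfg["client_secret"], env, "ARM_CLIENT_SECRET", emptyCountsAsSet)
	useMSI := cfg["use_msi"].Present && cfg["use_msi"].Value == "true"
	if err := ValidateAuth(secret, useMSI); err != nil {
		return "", err
	}
	return ChooseAuth(secret, useMSI), nil
}

func main() {
	// Constructed inputs mirroring the report: the file sets client_secret = ""
	// while the shell exports ARM_CLIENT_SECRET for the provider.
	cfg := map[string]Setting{
		"use_msi":       {Present: true, Value: "true"},
		"client_id":     {Present: true, Value: "00000000-0000-0000-0000-000000000000"},
		"client_secret": {Present: true, Value: ""},
	}
	env := map[string]string{"ARM_CLIENT_SECRET": "12345678-1111-1111-1111-111111111111"}

	for _, tc := range []struct {
		name   string
		legacy bool
	}{{"1.12.2 semantics", true}, {"1.13.0 semantics", false}} {
		auth, err := EffectiveAuth(cfg, env, tc.legacy)
		fmt.Printf("%s: auth=%q err=%v\n", tc.name, auth, err)
	}
}
```

Under the 1.12.2 semantics the run reports managed identity with no error; under the 1.13.0 semantics `ValidateAuth` rejects the combination before `ChooseAuth` would have picked client-credential auth with the environment's secret.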
Thanks for this report, I'll let the appropriate team know.
Thanks for reporting this bug! This problem isn't actually specific to the Azure backend and is due to shared code that is reused among all the remote-state backends. However, this error would only present itself if a remote-state backend doesn't implement all of its own methods and instead falls back to shared logic, and the Azure backend is in that situation.
I've opened a PR with a fix and will update the team responsible for the Azure backend to let them know.