Failed to authenticate using Azure CLI for Service Principal in Terraform backend with GitHub Actions OIDC

I’m facing difficulties while setting up Terraform with an Azure Storage backend through GitHub Actions. During the initialization step (terraform init), I encounter an authentication error indicating that Azure CLI authentication is only permitted for user accounts, not service principals. I’ve ensured that OIDC authentication is correctly configured in both Azure and GitHub.

Error encountered while initializing:

Initializing the backend...
╷
│ Error: Error building ARM Config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
│ 
│ To authenticate to Azure using a Service Principal, you can utilize the distinct 'Authenticate using a Service Principal' method
│ 
│ Alternatively, using a User Account for Azure CLI authentication is also possible.

Workflow YAML configuration:

name: 'Infrastructure Deployment'

on:
  push:
    branches: [ master ]
  workflow_dispatch:

permissions:
 id-token: write
 contents: read

env:
  STORAGE_ACCOUNT: infraStorage09876
  RESOURCE_GROUP: terraform-resource-group
  CONTAINER: state-files
  STATE_KEY: infrastructure.tfstate
  
jobs:
  infrastructure:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4
                
    - name: Login to Azure with OIDC
      uses: Azure/[email protected]
      with:
        client-id: ${{ secrets.CLIENT_ID }}
        tenant-id: ${{ secrets.TENANT_ID }}  
        subscription-id: ${{ secrets.SUBSCRIPTION_ID }}

    - name: Configure backend storage
      uses: Azure/[email protected]     
      with:
        inlineScript: |
          # Creating resource group
          az group create --name $RESOURCE_GROUP --location eastus
          
          # Creating storage account
          az storage account create --name $STORAGE_ACCOUNT \
             --resource-group $RESOURCE_GROUP \
             --sku Standard_LRS
          
          # Setting up container
          az storage container create --name $CONTAINER \
             --account-name $STORAGE_ACCOUNT \
             --auth-mode login

    - name: Install Terraform
      uses: hashicorp/setup-terraform@v1
      with:
        terraform_version: 1.1.7
    
    - name: Initialize Terraform
      env:
        ARM_CLIENT_ID: ${{ secrets.CLIENT_ID }}
        ARM_TENANT_ID: ${{ secrets.TENANT_ID }}
        ARM_SUBSCRIPTION_ID: ${{ secrets.SUBSCRIPTION_ID }}
        ARM_USE_OIDC: true
        ARM_USE_CLI: false
      run: |
        terraform init \
          -backend-config="resource_group_name=$RESOURCE_GROUP" \
          -backend-config="storage_account_name=$STORAGE_ACCOUNT" \
          -backend-config="container_name=$CONTAINER" \
          -backend-config="key=$STATE_KEY" \
          -backend-config="use_azuread_auth=true"

Terraform configuration example:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
  
  required_version = ">= 1.0.0"
  
  backend "azurerm" {}
}

provider "azurerm" {
  features {}
  use_cli = false
  use_oidc = true
}

resource "azurerm_resource_group" "main" {
  name     = "demo-resources"
  location = "East US"
}

Despite having ARM_USE_CLI set to false and ARM_USE_OIDC set to true, the error persists. How can I resolve this authentication problem?

Had this same issue a few months back - it’s a backend config problem. You’ve got to set use_oidc = true and use_cli = false directly in your terraform backend block, not just the provider:

terraform {
  backend "azurerm" {
    use_oidc = true
    use_cli  = false
  }
}

Double-check your federated identity credential in Azure too. The subject identifier needs to match repo:your-org/your-repo:ref:refs/heads/master for master branch pushes. If the OIDC token validation screws up, it’ll fall back to CLI even when you’ve got the environment variables set.
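The subject-mismatch failure this answer describes is easy to check offline before touching the workflow. The script below is an added example and is not code from the thread: it builds an unsigned GitHub OIDC token with a constructed claim set (signature verification is deliberately out of scope), composes the subject string Azure expects for a branch, tag, environment or pull-request trigger, and compares the token's iss/sub/aud against a federated identity credential described with the same issuer/subject/audiences fields that `az ad app federated-credential show` prints. The repository name "your-org/your-repo" and the claim values are assumptions taken from the answer, not real identities.

```python
import base64
import json

# Constants every GitHub Actions -> Azure OIDC exchange uses.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
AZURE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test data: header.payload.signature with a dummy signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.sig"


def decode_claims(token: str) -> dict:
    """Return the claim set WITHOUT verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def expected_subject(repository: str, *, branch=None, tag=None,
                     environment=None, pull_request=False) -> str:
    """Compose the subject Azure's federated credential must carry for a trigger.

    GitHub uses the environment form whenever the job targets an environment,
    which is why a 'Branch'-type credential fails for environment-scoped jobs.
    """
    if environment is not None:
        return f"repo:{repository}:environment:{environment}"
    if pull_request:
        return f"repo:{repository}:pull_request"
    if tag is not None:
        return f"repo:{repository}:ref:refs/tags/{tag}"
    if branch is not None:
        return f"repo:{repository}:ref:refs/heads/{branch}"
    raise ValueError("one of branch, tag, environment or pull_request is required")


def check_federated_credential(token: str, fic: dict) -> list:
    """Compare a GitHub OIDC token's claims to a federated identity credential.

    `fic` carries issuer, subject and audiences as shown by
    `az ad app federated-credential show`. Returns a list of mismatches; an
    empty list means the exchange passes the issuer/subject/audience checks.
    """
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != fic["issuer"]:
        problems.append(f"issuer {claims.get('iss')!r} != {fic['issuer']!r}")
    if claims.get("sub") != fic["subject"]:
        problems.append(f"subject {claims.get('sub')!r} != {fic['subject']!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not set(aud_list) & set(fic["audiences"]):
        problems.append(f"audience {aud_list!r} not in {fic['audiences']!r}")
    return problems


if __name__ == "__main__":
    # Credential as created for master-branch pushes (assumed repo name).
    fic = {
        "issuer": GITHUB_ISSUER,
        "subject": expected_subject("your-org/your-repo", branch="master"),
        "audiences": [AZURE_AUDIENCE],
    }
    # Constructed token for a job that runs inside a GitHub environment instead.
    token = make_unsigned_token({
        "iss": GITHUB_ISSUER,
        "sub": "repo:your-org/your-repo:environment:production",
        "aud": AZURE_AUDIENCE,
    })
    for problem in check_federated_credential(token, fic):
        print("mismatch:", problem)
```

To inspect a real token in a workflow, the ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKEN endpoint returns the JWT that Azure/login exchanges; feeding it to decode_claims shows the exact sub GitHub issued, which must equal the federated credential's subject byte for byte.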

Try adding ARM_USE_AZUREAD_AUTH=true to your env vars for terraform init. I had the same issue and that did the trick for me. And make sure your service principal has the Storage Blob Data Contributor role on the storage account - a regular Contributor won’t cut it.

Check your Azure CLI and Terraform versions are compatible first. I hit this same error and found it was an auth timing issue. The OIDC token expires between Azure login and terraform init. Move terraform init right after Azure login, before setting up storage. Also make sure your federated credential is set to ‘Branch’ not ‘Environment’ if you’re running on branch pushes. Setting ARM_USE_MSI=false with your other environment variables helped me too - Terraform sometimes tries multiple auth methods and gets confused about which to use.