I am trying to authenticate the azurerm provider in Terraform IaC using a certificate. I was following the documentation below. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
I am using the agents provided by Terraform Cloud to run the deployments by setting the execution mode in the workspace to "Remote". Hence I do not have any access to the machine where the agents are running. I can neither set the environment variables nor install the certificates on the agents.
I tried using the code below to use the certificate.
```hcl
provider "azurerm" {
  features {
  }
  client_id       = "xxxx-xxxx-xxxx-xxxx-123456789"
  tenant_id       = "xxxx-xxx-xxx-xxx-xxxxx"
  subscription_id = "xxxxxx-xxxxx-xxxx-xxxxx-xxxxx"
  # Backslashes must be escaped inside an HCL string literal.
  client_certificate_path     = "C:\\MyPath\\MyFolder\\TF\\mypfx.pfx"
  client_certificate_password = "87654"
}
```
But the terraform plan failed with the error below. Can someone please help me fix this error? The same code works perfectly fine if I update the code to use client_secret. But I need to make it work with the certificate.
I made sure that the certificate is available in the app registration. And the thumbprint of the certificate in the Azure app registration matches the one located in "C:\MyPath\MyFolder\TF\mypfx.pfx".
Error: building account: could not acquire access token to parse claims: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id 'xxxx-xxxx-xxxx-xxxx-123456789'.
The above error you encountered is likely due to the certificate not being uploaded to the specified application that you are attempting to access using Terraform code.
If you have already uploaded the certificate to the application, ensure that you verify the application ID being used in the Terraform code.
When attempting to authenticate with a Service Principal using a certificate, without uploading the certificate to the application, I encountered the same error.
The issue was resolved after the certificate was uploaded to the correct Azure AD application.
Reference: The certificate with identifier used to sign the client assertion is not registered on application
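For the remote-agent situation described in the question, where no file can be placed on the agent, the azurerm provider also accepts the PKCS#12 bundle inline through its `client_certificate` argument (a base64-encoded PFX, the same value the `ARM_CLIENT_CERTIFICATE` environment variable would carry), so the certificate can be supplied as a sensitive Terraform Cloud workspace variable instead of a path. The following is an added example, not code from the question or answer; the variable names are assumptions and the certificate must still be the one whose thumbprint is registered on the app, as the answer explains.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

# Assumed variable names; set them as sensitive workspace variables in
# Terraform Cloud so the values never appear in the repository or in plan output.
variable "client_id"       { type = string }
variable "tenant_id"       { type = string }
variable "subscription_id" { type = string }

# Base64 encoding of the PFX file, produced locally with e.g.
#   base64 -w0 mypfx.pfx                                        (Linux)
#   [Convert]::ToBase64String([IO.File]::ReadAllBytes("mypfx.pfx"))  (PowerShell)
variable "client_certificate" {
  type      = string
  sensitive = true
}

variable "client_certificate_password" {
  type      = string
  sensitive = true
}

provider "azurerm" {
  features {}

  client_id       = var.client_id
  tenant_id       = var.tenant_id
  subscription_id = var.subscription_id

  # Inline bundle instead of client_certificate_path: nothing has to exist
  # on the agent's filesystem, and no environment variable is needed there.
  client_certificate          = var.client_certificate
  client_certificate_password = var.client_certificate_password
}
```

If AADSTS700027 still appears with this configuration, the bundle being encoded is not the certificate uploaded to that app registration; compare the thumbprint shown in the portal with the one of the PFX before re-encoding it.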