This error occurs when Terraform cannot authenticate to Azure because the AzureRM provider cannot determine which subscription to use. It typically happens when running Terraform in CI/CD pipelines or when the Azure CLI authentication is not properly configured.
The AzureRM provider requires a valid Azure subscription ID to initialize. When Terraform runs, it attempts to obtain subscription information from the Azure CLI, but the CLI either isn't authenticated, doesn't have an active subscription set, or the environment variables aren't being passed correctly to the Terraform runtime. This is especially common in GitHub Actions, Azure DevOps, or Terraform Cloud where the execution environment is isolated.
First, ensure the Azure CLI is installed and you're authenticated:
az version
az account show
If you're not logged in, run:
az login
This will open a browser to authenticate. After successful login, verify the correct subscription is set:
az account list
az account set --subscription="<subscription-id>"
Update your Terraform configuration to explicitly include the subscription_id. This is the most reliable fix:
provider "azurerm" {
  features {}
  subscription_id = "<your-subscription-id>"
}
You can find your subscription ID by running:
az account show --query id -o tsv
Instead of hardcoding the value, use environment variables, which is more secure for CI/CD:
provider "azurerm" {
  features {}
}
Then set in your shell or CI/CD pipeline:
export ARM_SUBSCRIPTION_ID="<your-subscription-id>"
Or in GitHub Actions:
env:
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
Modern best practice is to use OpenID Connect (OIDC) instead of storing credentials:
- name: Azure Login
  uses: azure/login@v1
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
    auth-type: SERVICE_PRINCIPAL
For OIDC, the job also needs the id-token: write permission so the runner can request a token.
Then in your Terraform provider block:
provider "azurerm" {
  features {}
  use_oidc = true
}
If you use Terraform Cloud with remote execution, environment variables set in your local shell won't pass through to the run. Either:
Option A: Change to local execution in your workspace settings.
Option B: Configure the AzureRM backend with explicit credentials:
terraform {
  backend "azurerm" {
    resource_group_name  = "my-rg"
    storage_account_name = "mystorageacct"
    container_name       = "tfstate"
    key                  = "prod.terraform.tfstate"
  }
}
Then set Azure credentials as Terraform variables in the workspace.
Why explicit subscription_id matters: Recent versions of the AzureRM provider (v3.41.0+) made subscription_id mandatory for security and clarity. Previously, the provider would implicitly use the currently selected Azure CLI subscription, but this was ambiguous in CI/CD environments.
For Service Principals in CI/CD: Service Principal authentication via Azure CLI is not supported directly. Instead, use environment variables (ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID) or OIDC authentication. OIDC is preferred because it doesn't require storing long-lived credentials.
Rootless/Multi-tenant scenarios: If working with multiple Azure tenants, ensure you're authenticating to the correct tenant before setting the subscription. Use az login --tenant <tenant-id> if needed.
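The ARM_* variables named above can be checked before terraform init runs, so a missing subscription ID fails the pipeline with a clear message instead of a provider error. The shell preflight below is an added example, not part of the original article or of any Terraform or Azure tooling; the function names and the mode-detection heuristic are assumptions, and it relies on the GitHub Actions variables GITHUB_ACTIONS and ACTIONS_ID_TOKEN_REQUEST_URL to spot a job that lacks the id-token permission.

```shell
#!/bin/sh
# Added example: preflight check for the ARM_* variables read by the AzureRM provider.
# Function names are illustrative; no secret values are ever printed.

# Succeeds only if $1 has the 8-4-4-4-12 hex shape of an Azure subscription/tenant ID.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Prints the authentication mode the environment implies: oidc, client-secret or cli.
# This is a heuristic for diagnostics, not the provider's own resolution logic.
arm_auth_mode() {
  if [ "${ARM_USE_OIDC:-}" = "true" ]; then
    echo oidc
  elif [ -n "${ARM_CLIENT_ID:-}" ] && [ -n "${ARM_CLIENT_SECRET:-}" ]; then
    echo client-secret
  else
    echo cli
  fi
}

# Returns 0 when the environment is consistent, 1 otherwise; diagnostics go to stderr.
arm_preflight() {
  rc=0
  if [ -z "${ARM_SUBSCRIPTION_ID:-}" ]; then
    echo "ARM_SUBSCRIPTION_ID is not set" >&2; rc=1
  elif ! is_guid "$ARM_SUBSCRIPTION_ID"; then
    echo "ARM_SUBSCRIPTION_ID is not a GUID (unreplaced placeholder?)" >&2; rc=1
  fi
  mode=$(arm_auth_mode)
  if [ "$mode" != "cli" ]; then
    for v in ARM_CLIENT_ID ARM_TENANT_ID; do
      eval "val=\${$v:-}"
      [ -n "$val" ] || { echo "$v is required for $mode auth" >&2; rc=1; }
    done
  fi
  # On GitHub Actions the OIDC request variables exist only when the job
  # declares "permissions: id-token: write".
  if [ "$mode" = "oidc" ] && [ -n "${GITHUB_ACTIONS:-}" ] &&
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
    echo "OIDC requested but the job has no id-token: write permission" >&2; rc=1
  fi
  [ "$mode" != "client-secret" ] ||
    echo "note: long-lived client secret in use; OIDC is preferred" >&2
  return "$rc"
}
```

Source the file in the pipeline step and run `arm_preflight || exit 1` before terraform init.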