This error occurs when Terraform's Azure provider fails to authenticate with the Resource Manager API. It typically happens due to missing Azure CLI, authentication issues, or configuration problems with OIDC or service principal credentials.
The "unable to build authorizer for Resource Manager API" error occurs when the Terraform Azure provider (azurerm) cannot establish proper authentication credentials to communicate with Microsoft's Azure Resource Manager API. This happens because the provider attempts to build an authorizer object to sign API requests, but fails at this stage due to misconfigured, missing, or invalid credentials. Starting with azurerm provider version 3.44, the provider tries to use Azure CLI for authentication by default, even when not explicitly required. If Azure CLI is not installed, not in the system PATH, or the user is not authenticated with it, the provider fails before it can attempt other authentication methods.
First, check if Azure CLI is installed and accessible from your terminal:

    az version

If this command returns version information, Azure CLI is installed. If you get "command not found", install Azure CLI following the official guide at https://learn.microsoft.com/en-us/cli/azure/install-azure-cli.
After installation, verify it's in your system PATH by running the command again.
Run az login to authenticate your Azure session:

    az login

This opens a browser window to sign in to your Azure account. After successful login, set your default subscription:

    az account set --subscription "Your-Subscription-ID"

Verify you're logged in and the subscription is set:

    az account show

This should display your account information and current subscription ID.
If you're using service principal credentials (client ID, client secret, tenant ID) instead of interactive login, explicitly disable CLI authentication in your Terraform provider block:

    provider "azurerm" {
      features {}
      subscription_id = var.subscription_id
      tenant_id       = var.tenant_id
      client_id       = var.client_id
      client_secret   = var.client_secret
      use_cli         = false # Explicitly disable CLI authentication
    }

The use_cli = false flag tells Terraform to use the provided credentials instead of trying to use Azure CLI.
For GitHub Actions, GitLab CI, or other CI/CD systems, use OIDC (OpenID Connect) authentication instead of storing secrets. Configure your provider without credentials:

    provider "azurerm" {
      features {}
      subscription_id = var.subscription_id
      tenant_id       = var.tenant_id
      client_id       = var.client_id
      use_oidc        = true # Enable OIDC
    }

Then set these environment variables in your CI/CD system:

    export ARM_USE_OIDC=true
    export ARM_OIDC_TOKEN_FILE_PATH=/tmp/oidc.token # Token path varies by CI system
    export ARM_CLIENT_ID=your-client-id
    export ARM_TENANT_ID=your-tenant-id
    export ARM_SUBSCRIPTION_ID=your-subscription-id

This approach avoids storing secrets and doesn't require Azure CLI in your CI environment.
If using service principal credentials with environment variables instead of provider configuration:

    export ARM_CLIENT_ID=your-client-id
    export ARM_CLIENT_SECRET=your-client-secret
    export ARM_SUBSCRIPTION_ID=your-subscription-id
    export ARM_TENANT_ID=your-tenant-id
    export ARM_USE_CLI=false # Disable CLI authentication

Then configure your provider minimally:

    provider "azurerm" {
      features {}
    }

Terraform will automatically use the environment variables, and the ARM_USE_CLI=false setting prevents it from attempting Azure CLI authentication.
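A preflight check for the ARM_* environment variable setups above, as an added example that is not part of the original page or the azurerm provider: it reports which authentication mode the variables select, or why the authorizer cannot be built. The function names are hypothetical, and the rule that Azure CLI must be usable unless ARM_USE_CLI=false follows this page's description of the provider.

```shell
#!/bin/sh
# Added example (not from the azurerm project): preflight for the ARM_* variables
# shown on this page. Prints the selected auth mode, or why it cannot work.

# True when Azure CLI is on PATH and has a logged-in session.
cli_ready() {
  command -v az >/dev/null 2>&1 && az account show >/dev/null 2>&1
}

arm_auth_preflight() {
  missing=""
  for v in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done

  if [ "${ARM_USE_OIDC:-false}" = "true" ]; then
    [ -z "$missing" ] || { echo "oidc: missing$missing"; return 1; }
    # Only checked when a token file is configured; the path varies by CI system.
    if [ -n "${ARM_OIDC_TOKEN_FILE_PATH:-}" ] && [ ! -s "$ARM_OIDC_TOKEN_FILE_PATH" ]; then
      echo "oidc: token file missing or empty"; return 1
    fi
    echo "oidc"; return 0
  fi

  if [ -n "${ARM_CLIENT_SECRET:-}" ]; then
    [ -z "$missing" ] || { echo "client_secret: missing$missing"; return 1; }
    # Per this page, the provider still tries Azure CLI unless ARM_USE_CLI=false.
    if [ "${ARM_USE_CLI:-true}" != "false" ] && ! cli_ready; then
      echo "client_secret: set ARM_USE_CLI=false or run az login"; return 1
    fi
    echo "client_secret"; return 0
  fi

  # No OIDC and no secret: only Azure CLI is left.
  if [ "${ARM_USE_CLI:-true}" = "false" ]; then
    echo "none: CLI disabled and no other credentials set"; return 1
  fi
  cli_ready || { echo "cli: az not installed or not logged in"; return 1; }
  echo "cli"
}

# Usage in a CI step before terraform plan:
#   arm_auth_preflight || exit 1
```

The check never prints the value of any variable, so it is safe to leave in CI logs.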
If you need an immediate workaround and cannot modify authentication configuration, you can temporarily downgrade to azurerm provider version 3.43 or earlier:

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          # "~> 3.43.0" allows only 3.43.x; "~> 3.43" would also accept 3.44 and later 3.x releases
          version = "~> 3.43.0"
        }
      }
    }

However, this is only a temporary solution. Upgrade to the latest provider version and follow steps 3-5 to properly configure authentication.
Provider Version History: This error became prominent with azurerm provider v3.44, which introduced mandatory Azure CLI authentication attempts. Earlier versions allowed fallback to other authentication methods.
Authentication Priority: The azurerm provider attempts authentication in this order:
1. Azure CLI (if available and not disabled)
2. Environment variables (ARM_CLIENT_ID, ARM_CLIENT_SECRET, etc.)
3. Managed identity (for Azure resources)
4. Interactive browser login
OIDC Best Practice: For modern CI/CD, OIDC is preferred over static credentials. It provides better security without storing long-lived secrets and works natively in GitHub Actions, GitLab CI, and other platforms.
Rootless Docker: If running Terraform in a rootless Docker container, ensure Azure CLI is installed in the container image and consider using OIDC authentication since Azure CLI may have permission limitations in rootless environments.