### Terraform Version

```
Terraform v0.13.3
```

### Terraform Configuration Files

```terraform
terraform {
  backend "azurerm" {
    tenant_id            = "5e600a2c-..."
    subscription_id      = "33d31cd9-..."
    resource_group_name  = "..."
    storage_account_name = "..."
    container_name       = "..."
    key                  = "..."
  }
}
```

### Debug Output

```
> terraform init
2020/09/23 14:26:10 [INFO] Terraform version: 0.13.3
2020/09/23 14:26:10 [INFO] Go runtime version: go1.14.7
2020/09/23 14:26:10 [INFO] CLI args: []string{"/usr/bin/terraform", "init"}
2020/09/23 14:26:10 [DEBUG] Attempting to open CLI config file: /home/t-l-k/.terraformrc
2020/09/23 14:26:10 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory /home/t-l-k/.terraform.d/plugins
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory /home/t-l-k/.local/share/terraform/plugins
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2020/09/23 14:26:10 [DEBUG] ignoring non-existing provider search directory /var/lib/snapd/desktop/terraform/plugins
2020/09/23 14:26:10 [INFO] CLI command args: []string{"init"}

Initializing the backend...

2020/09/23 14:26:10 [TRACE] Meta.Backend: built configuration for "azurerm" backend with hash value 2366391659
2020/09/23 14:26:10 [TRACE] Preserving existing state lineage "d9913749-be50-6220-8033-442f4762468f"
2020/09/23 14:26:10 [TRACE] Preserving existing state lineage "d9913749-be50-6220-8033-442f4762468f"
2020/09/23 14:26:10 [TRACE] Meta.Backend: working directory was previously initialized for "azurerm" backend
2020/09/23 14:26:10 [TRACE] Meta.Backend: using already-initialized, unchanged "azurerm" backend configuration
2020/09/23 14:26:10 [DEBUG] Loading Environment "public"
2020/09/23 14:26:10 Testing if Service Principal / Client Certificate is applicable for Authentication..
2020/09/23 14:26:10 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
2020/09/23 14:26:10 Testing if Service Principal / Client Secret is applicable for Authentication..
2020/09/23 14:26:10 Testing if Managed Service Identity is applicable for Authentication..
2020/09/23 14:26:10 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
2020/09/23 14:26:10 Using Obtaining a token from the Azure CLI for Authentication
2020/09/23 14:26:11 Getting OAuth config for endpoint https://login.microsoftonline.com/ with tenant 8304fb80-...

Error: Error obtaining Authorization Token from the Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1
```

### Expected Behavior

It should use the `tenant_id` and `subscription_id` as configured in the backend.

[The documentation](https://www.terraform.io/docs/backends/types/azurerm.html) appears to indicate that `tenant_id` and `subscription_id` are exclusively used for the following scenarios:

- When authenticating using Managed Service Identity (MSI)
- When authenticating using a Service Principal with a Client Certificate
- When authenticating using a Service Principal with a Client Secret

But honestly, I expect it also to work when using Azure CLI, to authenticate against the tenant and subscription I have explicitly stated. I don't want to authenticate using an SPN, or certificate, etc.; I just want to use Azure CLI for authentication, to authenticate as **me**.

### Actual Behavior

It appears to just use whatever ambient Azure CLI account I have logged in. I have _multiple_ `az account` contexts, across multiple tenants and subscriptions. It is not always convenient to continuously switch my active one, when the correct account authentication context should be resolved via the explicitly set (and unchanging) `tenant_id` and `subscription_id` in the backend configuration.

**HOWEVER**, I tried also setting `ARM_SUBSCRIPTION_ID` and `ARM_TENANT_ID` environment variables. To my surprise, this works! It does use the values from those environment variables when performing Azure CLI authentication! So the documentation is also a bit inconsistent, because it also implies those variables are also exclusively for use by the 3 scenarios under Expected Behaviour.

I'd rather it just used the settings from the backend configuration.

### Steps to Reproduce

1) Have multiple tenants & subscriptions authenticated with `az` the Azure CLI, plus also a storage account for some remote state etc.
2) `az account set` with the terraform subscription you intend to use.
3) Set `tenant_id` and `subscription_id` in the backend configuration to match the storage account from (1) and the account selected in (2).
4) Write some state into the backend, e.g. `terraform apply`!
5) `az account set` to a tenant & subscription which is not the same as configured for the backend.
6) `terraform init`
7) Kabooom!
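
The environment-variable workaround reported above, as an added example (not code from the issue or from Terraform): a POSIX shell wrapper that reads `tenant_id` and `subscription_id` from the `azurerm` backend block and exports them as `ARM_TENANT_ID` / `ARM_SUBSCRIPTION_ID` before `terraform init`, noting when the active `az` tenant differs. The function names and sample GUIDs are constructed, and the parser assumes a `terraform fmt`-style block (one attribute per line, spaces around `=`).

```sh
#!/bin/sh
# Added example, not Terraform's code. Assumes `terraform fmt` layout.

# Constructed sample backend block (placeholder GUIDs) for trying the parser.
sample_backend() {
  cat <<'EOF'
terraform {
  backend "azurerm" {
    tenant_id       = "11111111-1111-1111-1111-111111111111"
    subscription_id = "22222222-2222-2222-2222-222222222222"
    key             = "prod.tfstate"
  }
}
EOF
}

# backend_attr FILE NAME: print NAME's value from the backend "azurerm" block.
backend_attr() {
  awk -v want="$2" '
    $1 == "backend" && $2 == "\"azurerm\"" { inblk = 1; next }
    inblk && $1 == "}"                     { exit }
    inblk && $1 == want && $2 == "="       { gsub(/"/, "", $3); print $3; exit }
  ' "$1"
}

# pin_arm_context FILE: export the ARM_* variables that, per the report,
# the Azure CLI auth path honours; fail if the block does not pin both IDs.
pin_arm_context() {
  _tenant=$(backend_attr "$1" tenant_id)
  _sub=$(backend_attr "$1" subscription_id)
  if [ -z "$_tenant" ] || [ -z "$_sub" ]; then
    echo "tenant_id/subscription_id missing from azurerm backend in $1" >&2
    return 1
  fi
  ARM_TENANT_ID=$_tenant
  ARM_SUBSCRIPTION_ID=$_sub
  export ARM_TENANT_ID ARM_SUBSCRIPTION_ID
}

# same_id A B: case-insensitive GUID comparison.
same_id() {
  [ "$(printf %s "$1" | tr 'A-Z' 'a-z')" = "$(printf %s "$2" | tr 'A-Z' 'a-z')" ]
}

# tf_init_pinned FILE [init args...]: pin the context, report drift, run init.
tf_init_pinned() {
  _file=$1; shift
  pin_arm_context "$_file" || return 1
  _active=$(az account show --query tenantId -o tsv)
  same_id "$_active" "$ARM_TENANT_ID" ||
    echo "active az tenant $_active differs from backend tenant; ARM_* applied" >&2
  terraform init "$@"
}
```

Source the file and call `tf_init_pinned backend.tf`; the drift message makes it visible when the CLI's default account points at a different tenant than the state storage.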