Terraform: Get User Principal Name (UPN) Of User Running Deployment Without Entra ID Read Permissions

I has a scenario where I needed to configure an Azure PostgreSQL Flexible Server to use Entra ID (Azure AD) authentication and add the Entra user running the HashiCorp Terraform deployment as the Azure PostgreSQL Administrator using the azurerm_postgresql_flexible_server_active_directory_administrator Terraform resource. Generally, you would use the azuread_user data resource in Terraform to get the Entra users information. However, if the Entra user doesn’t have the appropriate read permissions to the Entra directory, then you can do this. In my specific scenario, I needed to use an Azure CLI command to get the UPN for the currently logged in user, then pass it to Terraform as a parameter.

Let’s take a look at the problem and the solution that I needed to work out to make my Terraform deployment work.

The Challenge

Generally, you would use the azuread_user data resource in Terraform to fetch user details, such as their User Principal Name (UPN) or Object ID. However, this approach requires read permissions to the Entra directory (i.e., Directory.Read.All permissions in Entra ID).

In my specific case, the Entra user running Terraform did not have these permissions, meaning:

The azuread_user data source could not be used.
Terraform could not retrieve the user’s UPN automatically.
The PostgreSQL Active Directory Administrator requires the UPN as input.

The Solution

To work around the Entra permissions limitations, I used an Azure CLI command to retrieve the UPN of the currently logged-in user before running Terraform. This bypasses the need for Entra ID read permissions while still allowing Terraform to configure the PostgreSQL administrator properly.

Step 1: Retrieve User Principal Name (UPN) using Azure CLI

Since Terraform cannot query Entra ID due to permission restrictions, we use the Azure CLI to get the currently authenticated user’s UPN.

Run the following command before running Terraform:

export TF_VAR_postgres_admin_upn=$(az ad signed-in-user show --query "userPrincipalName" -o tsv)

The Azure CLI az ad signed-in-user show command is needed to query the UPN. The az account show command may appear to work, but this wont give you the full details and UPN for the currently logged in user to the Azure CLI.

What This Does

Uses az account show to fetch the current authenticated user’s User Principal Name (UPN).
Sets this value as an environment variable (TF_VAR_postgres_admin_upn).
Terraform will automatically use this value when referencing var.postgres_admin_upn.

💡 If running Terraform in a CI/CD pipeline, this command should be executed as part of the pipeline’s initialization script.

Step 2: Define Terraform Variables

In Terraform, create a variable to hold the UPN of the administrator:

variable "postgres_admin_upn" {
  description = "User Principal Name for PostgreSQL administrator"
  type        = string
}

This variable will now be populated dynamically via the Azure CLI command from Step 1.

Step 3: Configure Terraform to set up Azure PostgreSQL Flexible Server

Now, define the Terraform configuration to:

Create an Azure PostgreSQL Flexible Server with Entra ID authentication enabled.
Assign the current user as the Active Directory Administrator.

Terraform Configuration (`main.tf`)

provider "azurerm" {
  features {}
}

# Get the current Azure authentication details
data "azurerm_client_config" "current" {}

# Create a Resource Group
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}

# Create an Azure PostgreSQL Flexible Server with Entra ID Authentication
resource "azurerm_postgresql_flexible_server" "example" {
  name                   = "example-postgresql"
  resource_group_name    = azurerm_resource_group.example.name
  location               = azurerm_resource_group.example.location
  administrator_login    = "pgadmin"
  administrator_password = "ComplexPassword123!"
  sku_name               = "B_Standard_B1ms"
  storage_mb             = 32768
  version                = "14"
  
  authentication {
    active_directory_auth_enabled = true
  }
}

# Assign the User as the Active Directory Administrator
resource "azurerm_postgresql_flexible_server_active_directory_administrator" "example" {
  server_id   = azurerm_postgresql_flexible_server.example.id
  tenant_id   = data.azurerm_client_config.current.tenant_id
  object_id   = data.azurerm_client_config.current.object_id
  login       = var.postgres_admin_upn  # Using the value passed via Azure CLI
}

Step 4: Deploy the Terraform Template

Now that everything is set up, run the following Terraform commands:

terraform init
terraform apply -auto-approve

Since we set the TF_VAR_postgres_admin_upn environment variable, Terraform will automatically pass the retrieved UPN into the deployment.

Alternative: Store UPN in Azure Key Vault

If the Terraform deployment is part of a CI/CD pipeline, where running Azure CLI before Terraform is not an option, an alternative approach is to store the UPN in Azure Key Vault and retrieve it in Terraform. Also, if the CI/CD pipeline running the Terraform deployment using a Service Principal identity, then the Object ID and User Principal Name (UPN) for an Entra User may not be accessible form the pipeline, so setting these in Azure Key Vault for later use by Terraform may be required.

Step 1: Store the UPN in Azure Key Vault

Manually set the UPN as a secret in Azure Key Vault:

az keyvault secret set --vault-name MyKeyVault --name postgres-admin-upn --value "user@example.com"

When using this method, it may be useful to store the Object ID for the Entra user in Azure Key Vault too. This way, the full info for the Entra identity will be available for future runs of the Terraform deployment so set permissions correctly.

Step 2: Retrieve the Secret in Terraform

Modify Terraform to fetch the UPN from Key Vault:

data "azurerm_key_vault_secret" "postgres_admin_upn" {
  name         = "postgres-admin-upn"
  key_vault_id = azurerm_key_vault.example.id
}

resource "azurerm_postgresql_flexible_server_active_directory_administrator" "example" {
  server_id   = azurerm_postgresql_flexible_server.example.id
  tenant_id   = data.azurerm_client_config.current.tenant_id
  object_id   = data.azurerm_client_config.current.object_id
  login       = data.azurerm_key_vault_secret.postgres_admin_upn.value
}

This approach allows Terraform to fetch the UPN from Key Vault instead of requiring the Azure CLI command.

Conclusion

In this article, we looked at a solution for the challenge of configuring an Azure PostgreSQL Flexible Server with Entra ID authentication while ensuring that the user running the Terraform deployment could be assigned as an Active Directory Administrator—despite not having the required Entra read permissions.

For scenarios where running Azure CLI isn’t feasible—such as in CI/CD pipelines—we introduced an alternative approach that involves storing the UPN in Azure Key Vault and retrieving it within Terraform.

By following these steps, you can successfully integrate Entra ID authentication into your PostgreSQL Flexible Server configuration using Terraform—without requiring additional Entra ID permissions. This approach is both flexible and secure, making it ideal for organizations with strict permission controls.