Skip to main content
Version: 0.18.0


To use driftctl, we need credentials to make authenticated requests to your Azure account. We retrieve configuration from environment variables.

You can check the Terraform documentation for a guide to configure Azure authentication.

# Here we use a service principal account with a client secret
$ AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000\
driftctl scan --to azure+tf

You can also authenticate using az CLI. In that case you will only have AZURE_SUBSCRIPTION_ID to specify:

$ AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000\
driftctl scan --to azure+tf

Least privileged policy

driftctl needs to have read only access to your account, if you want to scan your whole Azure account you can set up the Reader role on your subscription.


You may want to scan only a resource group, you can assign Reader role only on some restricted resources groups too.