What Azure role does StackQL need?

The role required by your queries, scoped as narrowly as practical. The built-in Reader role at subscription scope is sufficient for inventory and audit queries; mutations require Contributor or a custom role on the target resource types.

Why do Azure queries need a subscriptionId in the WHERE clause?

Azure Resource Manager APIs are scoped by subscription (and often resource group), so these appear as required parameters of the underlying API call, not as authentication settings. SHOW METHODS IN azure.compute.virtual_machines lists the required parameters per method.

Does StackQL work in Azure Cloud Shell?

Yes. StackQL can run in Azure Cloud Shell like any Linux binary; supply service principal credentials via the environment variables described on this page.

How to authenticate StackQL to Azure

StackQL authenticates to Azure with a Microsoft Entra ID (formerly Azure AD) service principal, supplied through three environment variables: AZURE_TENANT_ID, AZURE_CLIENT_ID, and AZURE_CLIENT_SECRET.

Steps

Create a service principal and grant it a role on the target subscription (the Reader role suffices for read-only querying):

az ad sp create-for-rbac --name stackql-sp --role Reader \
  --scopes /subscriptions/<subscription-id>

Export the credentials it returns:

export AZURE_TENANT_ID=your-tenant-id
export AZURE_CLIENT_ID=your-client-id
export AZURE_CLIENT_SECRET=your-client-secret

Pull the Azure provider (first use only):

REGISTRY PULL azure;

Verify with a query:

SELECT name, location
FROM azure.compute.virtual_machines
WHERE subscriptionId = '00000000-1111-2222-3333-444444444444';

The subscriptionId predicate is a required routing parameter of the Azure API, not part of authentication. Methods scoped to a resource group additionally require resourceGroupName; run SHOW METHODS IN azure.compute.virtual_machines to see the required parameters for each access method (list_all needs only subscriptionId; list needs resourceGroupName as well; get needs vmName).

Where the variables apply

The variables work identically across stackql shell, stackql exec, stackql srv (PostgreSQL wire server), and stackql mcp. For MCP clients such as Claude Desktop, place them in the env block of the server entry in claude_desktop_config.json. In CI, source them from the pipeline's secret store.

How to authenticate StackQL to AWS - the AWS equivalent
How to authenticate StackQL to Google Cloud - the GCP equivalent
How to use StackQL with Claude - passing Azure credentials to an MCP session
Control Plane vs Data Plane - what the Resource Manager APIs cover
Common StackQL errors - including authentication failures

Steps​

Where the variables apply​

Related concepts​

Steps

Where the variables apply

Related concepts