Hello, we are using the Pulumi Action in GitHub Actions to preview and deploy the stacks, using a service principal authentication against Azure. I wanted to move away from using environment variables to having the authentication info defined in the stack itself, so moving from ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID to having

azure-native:clientId: ...
azure-native:clientSecret:
  secure: ...
azure-native:subscriptionId: ...
azure-native:tenantId: ...

in the stack's config file. However, with this change, we started getting this error in the GitHub Action:

azure-native:resources:ResourceGroup <resource-group-name> refreshing (22s) error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

What are we missing? I am pretty sure we authenticated in this way before in GitHub Actions.

Hi Standa! At first glance, your configuration seems correct. Which makes me think that perhaps you’re applying it to the wrong stack? Config is per-stack whereas environment variables are global.

It seems like it's picking up the correct stack. In the GitHub action output, I can see

Refresh stack on <org>/shared/develop
  Refreshing (<org>/develop)

The repository looks like this

Shared
  Pulumi.yaml
  Pulumi.develop.yaml
  Pulumi.demo.yaml
  ...

And the action looks like this

name: infrastructure-preview
on:
  pull_request:
    paths:
      - 'Shared/**'
jobs:
  preview:
    name: Preview ${{ matrix.stack }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - stack: shared/develop
            dir: ./Shared
          - stack: shared/demo
            dir: ./Shared
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '7.0.x'
      - name: Preview ${{ matrix.stack }}
        uses: pulumi/actions@v4
        with:
          command: preview
          stack-name: mews/${{ matrix.stack }}
          work-dir: ${{ matrix.dir }}
          diff: true
          refresh: true
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

So I think it should pick up the correct YAML config file...

Ok. Just to confirm, you’re seeing the expected config entries when you run

pulumi config --stack <org>/develop

?

Yes, I do