fast-midnight-78448

06/09/2023, 2:31 PM
seems like most of the questions here are unanswered but here we go.. has anyone gotten the Azure DevOps task extensions to work with an Azure blob storage account backend?

billowy-army-68599

06/09/2023, 2:57 PM
Most questions do attempt to be answered, depends on timezones. Yes this is entirely possible. Are you experiencing issues?

fast-midnight-78448

06/09/2023, 3:09 PM
Yes. Using the task extensions doesn't seem to auth to the SA
- task: AzureCLI@2
  inputs:
    azureSubscription: 'entcu-Operations-Development'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')
      $env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
      $env:PULUMI_CONFIG_PASSPHRASE="$env:Mapped_pulumiPassphrase"

      #pulumi login azblob://$containerName <-- this does not work because pulumi is not installed at this point
  env:
    Mapped_pulumiPassphrase: $(pulumiPassphrase)
- task: Pulumi@1
  inputs:
    azureSubscription: 'entcu-Operations-Development'
    command: 'preview'
    cwd: './pulumi/aci-agent/csharp'
    stack: 'dev'
    loginArgs: 'azblob://$(containerName)?storage_account=$(storageAccountName)' # <-- This request is not authorized to perform this operation.

billowy-army-68599

06/09/2023, 3:15 PM
I’m not personally super familiar with azure devops, so can’t help you with the understanding of how to pass credentials between tasks. However, it looks like you just need to pass the env vars from one task to another? a quick google found me this: https://theautomationcode.com/how-to-pass-variables-between-tasks-in-azure-pipeline/ Looks like it might work?

fast-midnight-78448

06/09/2023, 4:02 PM
I will play with this some more. Azure portal is currently down so I can't make much progress ATM
No dice. I get
error: problem logging in: read ".pulumi\\meta.yaml": blob (key ".pulumi/meta.yaml") (code=Unknown): ===== RESPONSE ERROR (ErrorCode=AuthorizationFailure) =====

billowy-army-68599

06/09/2023, 7:40 PM
have you set these env vars?
Set-Item -Path env:AZURE_STORAGE_ACCOUNT -Value {storage account}
Set-Item -Path env:AZURE_STORAGE_SAS_TOKEN -Value "{SAS token}"
Set-Item -Path env:AZURE_KEYVAULT_AUTH_VIA_CLI -Value $true
the underlying auth for pulumi state backends is handled by go-cloud, info here: https://pkg.go.dev/gocloud.dev/blob/azureblob

fast-midnight-78448

06/09/2023, 7:43 PM
yeah, locally I have this script working that does
$env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
...
pulumi login azblob://$containerName

billowy-army-68599

06/09/2023, 7:43 PM
and how do you auth locally?

fast-midnight-78448

06/09/2023, 7:45 PM
I have a powershell script:
$env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name $saName -g $rgName -o tsv --query '[0].value')
$env:AZURE_STORAGE_ACCOUNT=$saName
$env:PULUMI_CONFIG_PASSPHRASE='...'

pulumi login azblob://$containerName
I run this before I do any other pulumi commands

billowy-army-68599

06/09/2023, 7:47 PM
okay but your azure auth is done via the az cli right? in order for az storage account keys list to work, you need to have authenticated to azure first? How are you getting credentials locally, and what are you doing in the azure pipelines task to get credentials?

fast-midnight-78448

06/09/2023, 7:49 PM
oh yes sorry I misunderstood. it's just with az login. In Azure DevOps the cli task is logged in a service principal

billowy-army-68599

06/09/2023, 7:50 PM
Or maybe not, in either case, validating your credentials are valid in a task before the Pulumi login task would be a good idea

fast-midnight-78448

06/13/2023, 8:05 PM
We're still having some issues but I think it's an ADO <> Azure thing at the moment. Here's how I got it to work on my personal sub
- task: AzureCLI@2
  displayName: "Pulumi Setup"
  inputs:
    azureSubscription: ''
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $accountKey = $(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')

      # Publish the key as a pipeline variable for later tasks (not flagged issecret here)
      Write-Host "##vso[task.setvariable variable=AZURE_STORAGE_KEY;]$accountKey"
- task: Pulumi@1
  inputs:
    azureSubscription: ''
    command: 'preview'
    loginArgs: 'azblob://$(containerName)'
    stack: 'dev'
    createStack: true
  env:
    AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
    AZURE_STORAGE_ACCOUNT: $(storageAccountName)
    PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase) #this is a pipeline secret variable
- task: Pulumi@1
  inputs:
    azureSubscription: ''
    command: 'up'
    args: '--yes'
    loginArgs: 'azblob://$(containerName)'
    stack: 'dev'
  env:
    AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
    AZURE_STORAGE_ACCOUNT: $(storageAccountName)
    PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase)