# general
f
seems like most of the questions here are unanswered but here we go.. has anyone gotten the Azure DevOps task extensions to work with an Azure blob storage account backend?
b
Most questions do attempt to be answered, depends on timezones. Yes this is entirely possible. Are you experiencing issues?
f
Yes. Using the task extensions doesn't seem to auth to the SA
```yaml
- task: AzureCLI@2
  inputs:
    azureSubscription: 'entcu-Operations-Development'
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')
      $env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
      $env:PULUMI_CONFIG_PASSPHRASE="$env:Mapped_pulumiPassphrase"

      #pulumi login azblob://$containerName <-- this does not work because pulumi is not installed at this point
  env:
    Mapped_pulumiPassphrase: $(pulumiPassphrase)
- task: Pulumi@1
  inputs:
    azureSubscription: 'entcu-Operations-Development'
    command: 'preview'
    cwd: './pulumi/aci-agent/csharp'
    stack: 'dev'
    loginArgs: 'azblob://$(containerName)?storage_account=$(storageAccountName)' # <-- This request is not authorized to perform this operation.
```
b
I’m not personally super familiar with azure devops, so can’t help you with the understanding of how to pass credentials between tasks. However, it looks like you just need to pass the env vars from one task to another? a quick google found me this: https://theautomationcode.com/how-to-pass-variables-between-tasks-in-azure-pipeline/ Looks like it might work?
f
I will play with this some more. Azure portal is currently down so I can't make much progress ATM
No dice. I get
error: problem logging in: read ".pulumi\\meta.yaml": blob (key ".pulumi/meta.yaml") (code=Unknown): ===== RESPONSE ERROR (ErrorCode=AuthorizationFailure) =====
b
have you set these env vars?
```powershell
Set-Item -Path env:AZURE_STORAGE_ACCOUNT -Value {storage account}
Set-Item -Path env:AZURE_STORAGE_SAS_TOKEN -Value "{SAS token}"
Set-Item -Path env:AZURE_KEYVAULT_AUTH_VIA_CLI -Value $true
```
the underlying auth for pulumi state backends is handled by go-cloud, info here: https://pkg.go.dev/gocloud.dev/blob/azureblob
f
yeah, locally I have this script working that does
```powershell
$env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
...
pulumi login azblob://$containerName
```
b
and how do you auth locally?
f
I have a powershell script:
```powershell
$env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name $saName -g $rgName -o tsv --query '[0].value')
$env:AZURE_STORAGE_ACCOUNT=$saName
$env:PULUMI_CONFIG_PASSPHRASE='...'

pulumi login azblob://$containerName
```
I run this before I do any other pulumi commands
b
okay but your azure auth is done via the az cli right? in order for `az storage account keys list` to work, you need to have authenticated to azure first? How are you getting credentials locally, and what are you doing in the azure pipelines task to get credentials?
f
oh yes sorry I misunderstood. it's just with `az login`. In Azure DevOps the cli task is logged in a service principal
b
Or maybe not, in either case, validating your credentials are valid in a task before the Pulumi login task would be a good idea
f
We're still having some issues but I think it's an ADO <> Azure thing at the moment. Here's how I got it to work on my personal sub
```yaml
- task: AzureCLI@2
  displayName: "Pulumi Setup"
  inputs:
    azureSubscription: ''
    scriptType: 'pscore'
    scriptLocation: 'inlineScript'
    inlineScript: |
      $accountKey = $(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')

      # Publish the key as a pipeline variable so the later Pulumi tasks can map it into their env
      Write-Host "##vso[task.setvariable variable=AZURE_STORAGE_KEY;]$accountKey"
- task: Pulumi@1
  inputs:
    azureSubscription: ''
    command: 'preview'
    loginArgs: 'azblob://$(containerName)'
    stack: 'dev'
    createStack: true
  env:
    AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
    AZURE_STORAGE_ACCOUNT: $(storageAccountName)
    PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase) #this is a pipeline secret variable
- task: Pulumi@1
  inputs:
    azureSubscription: ''
    command: 'up'
    args: '--yes'
    loginArgs: 'azblob://$(containerName)'
    stack: 'dev'
  env:
    AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
    AZURE_STORAGE_ACCOUNT: $(storageAccountName)
    PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase)
```