This message was deleted.

Most questions do attempt to be answered, depends on timezones. Yes this is entirely possible. Are you experiencing issues?

Yes. Using the task extensions doesn't seem to auth to the SA

- task: AzureCLI@2
    inputs:
      azureSubscription: 'entcu-Operations-Development'
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |        
        $env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')
        $env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
        $env:PULUMI_CONFIG_PASSPHRASE="$env:Mapped_pulumiPassphrase"
        
        #pulumi login azblob://$containerName <-- this does not work because pulumi is not installed at this point
    env:
      Mapped_pulumiPassphrase: $(pulumiPassphrase)
  - task: Pulumi@1
    inputs:
      azureSubscription: 'entcu-Operations-Development'
      command: 'preview'
      cwd: './pulumi/aci-agent/csharp'
      stack: 'dev'
      loginArgs: 'azblob://$(containerName)?storage_account=$(storageAccountName)' <-- This request is not authorized to perform this operation.

I’m not personally super familiar with azure devops, so can’t help you with the understanding of how to pass credentials between tasks. However, it looks like you just need to pass the env vars from one task to another? a quick google found me this: https://theautomationcode.com/how-to-pass-variables-between-tasks-in-azure-pipeline/ Looks like it might work?

I will play with this some more. Azure portal is currently down so I can't make much progress ATM

have you set these env vars?

Set-Item -Path env:AZURE_STORAGE_ACCOUNT -Value {storage account}
Set-Item -Path env:AZURE_STORAGE_SAS_TOKEN -Value "{SAS token}"
Set-Item -Path env:AZURE_KEYVAULT_AUTH_VIA_CLI -Value $true

yeah, locally I have this script working that does

$env:AZURE_STORAGE_ACCOUNT="$(storageAccountName)"
...
pulumi login azblob://$containerName

and how do you auth locally?

I have a powershell script:

$env:AZURE_STORAGE_KEY=$(az storage account keys list --account-name $saName -g $rgName -o tsv --query '[0].value')
$env:AZURE_STORAGE_ACCOUNT=$saName
$env:PULUMI_CONFIG_PASSPHRASE='...'

pulumi login azblob://$containerName

I run this before I do any other pulumi commands

okay but your azure auth is done via the az cli right? in order for

az storage account keys list

to work, you need to have authenticated to azure first? How are you getting credentials locally, and what are you doing in the azure pipelines task to get credentials?

oh yes sorry I misunderstood. it's just with

az login

. In Azure DevOps the cli task is logged in a service principal

Ah. That’s probably this https://github.com/pulumi/pulumi/issues/7022

We're still having some issues but I think it's an ADO <> Azure think at the moment. Here's how I got it to work on my personal sub

- task: AzureCLI@2
    displayName: "Pulumi Setup"
    inputs:
      azureSubscription: ''
      scriptType: 'pscore'
      scriptLocation: 'inlineScript'
      inlineScript: |        
        $accountKey = $(az storage account keys list --account-name "$(storageAccountName)" -g "$(resourceGroupName)" -o tsv --query '[0].value')

        Write-Host "##vso[task.setvariable variable=AZURE_STORAGE_KEY;]$accountKey"
  - task: Pulumi@1
    inputs:
      azureSubscription: ''
      command: 'preview'
      loginArgs: 'azblob://$(containerName)'
      stack: 'dev'
      createStack: true
    env:    
      AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
      AZURE_STORAGE_ACCOUNT: $(storageAccountName)
      PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase) #this is a pipeline secret variable
  - task: Pulumi@1
    inputs:
      azureSubscription: ''
      command: 'up'
      args: '--yes'
      loginArgs: 'azblob://$(containerName)'
      stack: 'dev'
    env:    
      AZURE_STORAGE_KEY: $(AZURE_STORAGE_KEY)
      AZURE_STORAGE_ACCOUNT: $(storageAccountName)
      PULUMI_CONFIG_PASSPHRASE: $(pulumiPassphrase)