This message was deleted.
# azures
sparse-intern-71089
08/10/2023, 6:57 AMThis message was deleted.
t
thankful-thailand-77405
08/10/2023, 7:39 AMThis is the error I get
Copy code
pulumi:pulumi:Stack (operator-environment.artigas-int.shared):
error: an unhandled error occurred: 1 error occurred:
* failed to lookup PostgreSQL server: rpc error: code = Unknown desc = invocation of azure-native:dbforpostgresql/v20210601preview:getServer returned an error: request failed /subscriptions/<****>/resourceGroups/default/providers/Microsoft.DBforPostgreSQL/flexibleServers/fr-test-4: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://management.azure.com/subscriptions/><****>/resourceGroups/default/providers/Microsoft.DBforPostgreSQL/flexibleServers/fr-test-4?api-version=2021-06-01-preview: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: getting assigned identities for pod operator/operator-controller-manager-6fc967455-5rsls in CREATED state failed after 16 attempts, retry duration [5[]s, error: <nil>. Check MIC pod logs for identity assignment errors
Endpoint <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F>thankful-thailand-77405
08/10/2023, 9:25 AM@melodic-tomato-39005 I saw you closed issues/1566 yesteday, is ADAL deprecation coming to the plugin?
m
melodic-tomato-39005
08/13/2023, 9:29 PMHi @thankful-thailand-77405, sorry you’re running into trouble here.
• What version of pulumi-azure-native are you using?
• Did you per chance set `msiEndpoint`/`ARM_MSI_ENDPOINT`?
t
thankful-thailand-77405
08/14/2023, 6:49 AMHello Thomas, thanks for replying. I am running 1.103, so one of the latest before the major version upgrade. I didnt set MSI ENPOINT, I assumed this shouldn't be touched.
m
melodic-tomato-39005
08/14/2023, 7:13 PMHi Federico, by workload identity, do you mean this and this?
I haven’t yet configured this myself. It seems different from the scenarios https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#authenticate-using-managed-service-identity-msi is intended for, like running a program on a trusted VM.
The “adal” error in your logs is indeed odd, MSAL should be used. Did you set `useMsi`/`ARM_USE_MSI`?
t
thankful-thailand-77405
08/15/2023, 1:48 PMHello Thomas, I agree MSI vanilla use case is the one where Azure VMs are prepopulated w/ credentials that allow you to do "MSI" for secret-less auth of workloads.
My comprehension is that, now, with new azure identity libraries MSI auth is also possible on containers using federated workload identities, and that these libraries (like MSAL) handle the token exchange needed all under the hood
I read that this depends on the MSAL version being used though..
thankful-thailand-77405
08/15/2023, 1:51 PMWhat troubles me now, is that today I testing a new setup, where I try to do simple a
pulumi loginthankful-thailand-77405
08/15/2023, 1:52 PMmeaning either I am mis-understanding this workload id auth thing, or that pulumi cli has the same issue azure-native for auth
thankful-thailand-77405
09/19/2023, 8:24 AMcc @bored-spoon-83710
thankful-thailand-77405
09/19/2023, 1:08 PM@melodic-tomato-39005 we noticed today that azidentity has not been updated for a while https://github.com/pulumi/pulumi-azure-native/blob/master/provider/go.mod#L45 which is reason why MSI auth not working when running azure-native as k8s workloads. The workload identity requries = azidentity v1.3.0> , we would happily contribute to this. How should we proceed?
thankful-thailand-77405
09/19/2023, 1:13 PMPlease note that aad-pod-identity (previous solution to workload identity), has been deprecated quite abruptly and AKS drops add on support this month:
11 Views