lemon-church-28946
09/19/2023, 8:05 PM
az login
• Per the docs, we should be able to use the following environment variables for authentication:
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_TENANT_ID
ARM_SUBSCRIPTION_ID
ARM_LOCATION_NAME
• After setting them with the same values as az login, this error arises:
azure.identity._exceptions.CredentialUnavailableError: Please run 'az login' to set up an account
• Setting -v=9 reveals this to be the culprit, but I'm unsure how to ensure that the environment variables are used to authenticate prior to execution of the command.
subprocess.CalledProcessError: Command '['/bin/sh', '-c', 'az account get-access-token --output json --resource https://management.azure.com']' returned non-zero exit status 1.
• Ironically, another error specifying that service principal credentials should be supplied via configurations/environment variables is thrown when az login is used.
• Just tried setting values in the config file and the same behavior is exhibited....
What in the world am I overlooking!??!
fast-vr-6049
09/19/2023, 9:06 PM
az CLI in a CI scenario is not recommended; have you tried using one of the alternatives?
lemon-church-28946
09/19/2023, 9:49 PM
az itself is used by the Azure Native library. I could be mistaken about that.
The following bash snippet is used to set the environment variables by reading them from a JSON document procured from HCP Vault:
SECRETS=/tmp/secrets.json
vault kv get -mount="$VAULT_SECRET_MOUNT" \
    -format=json "$VAULT_SECRET_NAME" | jq ".data.data" > $SECRETS
for KEY in $(jq -r "keys[]" $SECRETS); do
    echo "Setting Environment Variable: $KEY";
    VALUE=$(jq -r ".${KEY}" $SECRETS);
    eval "export ${KEY}=${VALUE@Q}";
done
rm $SECRETS
I can confirm this approach works and that the values are valid, as it has been consistently effective for other providers like AWS, Fastly, and DigitalOcean.
fast-vr-6049
09/19/2023, 10:00 PM
eval is creating those variables in a child process, which are not getting propagated to the parent and thus not propagated to subsequent CI steps. Perhaps you could try removing eval? Maybe something as simple as export ${KEY}=${VALUE@Q}? Or, if eval must be present, you could try export ${KEY}=$(eval ${VALUE@Q})
lemon-church-28946
09/19/2023, 10:03 PM
. set_vars.sh
I actually have guard rails in the Pulumi program to ensure that the environment variables are present, otherwise it throws an error. They're definitely there 😄
pulumi_azure_native>=1.67.0
I'll bet that's the issue. Going to bump that and see if it does the thing 🤞
fast-vr-6049
09/19/2023, 10:08 PM
lemon-church-28946
09/19/2023, 10:11 PM
>=.
2.6.0 is currently installed. Upgrading to 2.8.0 now. Maybe that'll help.
fast-vr-6049
09/19/2023, 10:39 PM
do that
I mean using the pulumi config set azure-native:<key> method
lemon-church-28946
09/19/2023, 10:50 PM
az account access command runs fine after using az login
Starting to wonder if there's a misconfiguration with the service principal/app.
fast-vr-6049
09/19/2023, 10:56 PM
lemon-church-28946
09/19/2023, 11:01 PM
azure.identity.AzureCliCredential object from when I was using CLI authentication
The system had been working for years, so it slipped my mind.
Thanks so much for your help!
fast-vr-6049
09/19/2023, 11:18 PM