prehistoric-school-19136
11/15/2023, 4:21 PM
import { secret } from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

// objectId, roleName, roleId and scope are defined elsewhere in the program.
const customProvider = new azure_native.Provider("customProvider", {
    clientId: process.env.CUSTOM_PROVIDER_CLIENT_ID,
    // Wrapped with secret() so the value is stored encrypted in the stack state.
    clientSecret: secret(process.env.CUSTOM_PROVIDER_CLIENT_SECRET!),
});
const roleAssignment = new azure_native.authorization.RoleAssignment("roleAssignment", {
    principalId: objectId,
    principalType: "ServicePrincipal",
    roleAssignmentName: roleName,
    roleDefinitionId: roleId,
    scope: scope,
}, {
    provider: customProvider,
});
The CUSTOM_PROVIDER_CLIENT_SECRET gets injected via an environment variable from our pipeline, for instance. This setup worked fine for some time until our client secret expired, which we only noticed when it was too late. We then rotated our secrets, including in the pipeline.
However, suddenly, all operations that somehow had to refresh the roleAssignment resource started failing with the following error: Invalid client secret provided. This can be provoked when running pulumi up --refresh or pulumi destroy --target <urn of the roleAssignment>, for instance.
Are the provider credentials somehow cached in the Pulumi state? How can we fix this issue? We haven't found any fix for this, except manually deleting all affected resources from the state and re-importing them.
error: Preview failed: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '...'. Trace ID: ... Correlation ID: ... Timestamp: 2023-11-15 16:14:21Z","error_codes":[7000215],"timestamp":"2023-11-15 16:14:21Z","trace_id":"...","correlation_id":"...","error_uri":"<https://login.microsoftonline.com/error?code=7000215>"}
pulumi up --target <provider urn>
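Background to the question above: an explicit provider such as customProvider is itself a resource (type pulumi:providers:azure-native) and its inputs, clientSecret included, are recorded in the stack state. Rotating the environment variable in the pipeline does not change that recorded copy until the provider resource is updated, so refresh and targeted destroy operations, which read the provider configuration from state, keep presenting the old secret. The following script is an added example, not code from the original post or from Pulumi; it inspects a `pulumi stack export` JSON document, lists every provider resource that carries a credential-like input, and reports whether that input was wrapped with secret() (stored as ciphertext) or ended up in plaintext. The sample state, URNs and values embedded below are constructed, and the list of credential key names is an assumption.

```typescript
// Added example: audit provider credentials recorded in a Pulumi stack export.
// The sample state below is constructed; URNs, ids and values are placeholders.

// Pulumi marks secret values in state with this signature key/value pair.
const SECRET_SIG_KEY = "4dabf18193072939515e22adb298388d";
const SECRET_SIG_VALUE = "1b47061264138c4ac30d75fd1eb44270";

// Provider input names that commonly hold credentials (assumed list).
const CREDENTIAL_KEYS = ["clientSecret", "clientCertificatePassword", "secretKey", "token", "password"];

interface ProviderCredential {
    urn: string;       // URN of the provider resource holding the credential
    key: string;       // input name, e.g. clientSecret
    encrypted: boolean; // true when stored as a Pulumi secret with ciphertext
}

// A value is an encrypted secret when it carries the signature and a ciphertext field.
function isEncryptedSecret(value: unknown): boolean {
    if (typeof value !== "object" || value === null) return false;
    const obj = value as Record<string, unknown>;
    return obj[SECRET_SIG_KEY] === SECRET_SIG_VALUE && typeof obj["ciphertext"] === "string";
}

// Walk deployment.resources and collect credential inputs of provider resources.
function findProviderCredentials(state: any): ProviderCredential[] {
    const found: ProviderCredential[] = [];
    const resources: any[] = state?.deployment?.resources ?? [];
    for (const res of resources) {
        // Explicit and default providers are stored as pulumi:providers:<package>.
        if (typeof res.type !== "string" || !res.type.startsWith("pulumi:providers:")) continue;
        const inputs: Record<string, unknown> = res.inputs ?? {};
        for (const key of Object.keys(inputs)) {
            if (!CREDENTIAL_KEYS.includes(key)) continue;
            found.push({ urn: res.urn, key, encrypted: isEncryptedSecret(inputs[key]) });
        }
    }
    return found;
}

// Human-readable report lines, one per credential found.
function report(state: any): string[] {
    return findProviderCredentials(state).map(c =>
        `${c.urn}: input "${c.key}" is ${c.encrypted ? "encrypted" : "PLAINTEXT"} in state`);
}

// Constructed sample export: one provider wrapped its secret with secret(), one did not.
const SAMPLE_STATE = {
    version: 3,
    deployment: {
        resources: [
            {
                urn: "urn:pulumi:dev::example::pulumi:providers:azure-native::customProvider",
                type: "pulumi:providers:azure-native",
                inputs: {
                    clientId: "00000000-0000-0000-0000-000000000000",
                    clientSecret: { [SECRET_SIG_KEY]: SECRET_SIG_VALUE, ciphertext: "v1:placeholder-ciphertext" },
                },
            },
            {
                urn: "urn:pulumi:dev::example::pulumi:providers:azure-native::legacyProvider",
                type: "pulumi:providers:azure-native",
                inputs: {
                    clientId: "00000000-0000-0000-0000-000000000001",
                    clientSecret: "constructed-plaintext-value",
                },
            },
            {
                urn: "urn:pulumi:dev::example::azure-native:authorization:RoleAssignment::roleAssignment",
                type: "azure-native:authorization:RoleAssignment",
                provider: "urn:pulumi:dev::example::pulumi:providers:azure-native::customProvider::placeholder-id",
                inputs: { principalType: "ServicePrincipal" },
            },
        ],
    },
};

for (const line of report(SAMPLE_STATE)) {
    console.log(line);
}
```

Run it against a real export by replacing SAMPLE_STATE with the parsed output of `pulumi stack export`. Any line reporting PLAINTEXT means the credential input was passed to the provider without secret() and sits unencrypted in the state file; any provider listed at all is one whose recorded credential must be updated after a rotation, since the state copy rather than the pipeline variable is what refresh and destroy operations present to the cloud API.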