https://pulumi.com logo
Powered by
#general
Title
# general
p

prehistoric-school-19136

11/15/2023, 4:21 PM
We ran into a weird issue with the azure-native provider. We configure a custom provider and use it to create various resources in our stack like so:
Copy code
const customProvider = new azure_native.Provider("customProvider", {
    clientId: process.env.CUSTOM_PROVIDER_CLIENT_ID,
    clientSecret: secret(process.env.CUSTOM_PROVIDER_CLIENT_SECRET!)
});

const roleAssignment = new azure_native.authorization.RoleAssignment("roleAssignment", {
    principalId: objectId,
    principalType: "ServicePrincipal",
    roleAssignmentName: roleName,
    roleDefinitionId: roleId,
    scope: scope
}, {
    provider: customProvider
})
The 
CUSTOM_PROVIDER_CLIENT_SECRET
gets injected via an environment variable from our pipeline, for instance. This setup worked fine for some time until our client secret expired, which we only noticed when it was too late. We then rotated our secrets, including in the pipeline. However, suddenly, all operations that somehow had to refresh the 
roleAssignment
resource started failing with the following error: 
Invalid client secret provided
. This can be provoked when running 
pulumi up --refresh
or 
pulumi destroy --target <urn of the roleAssignment>
, for instance. Are the provider credentials somehow cached in the Pulumi state? How can we fix this issue? We haven't found any fix for this, except manually deleting all affected resources from the state and re-importing them.
the full error:
Copy code
error: Preview failed: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '...'. Trace ID: ... Correlation ID: ... Timestamp: 2023-11-15 16:14:21Z","error_codes":[7000215],"timestamp":"2023-11-15 16:14:21Z","trace_id":"...","correlation_id":"...","error_uri":"<https://login.microsoftonline.com/error?code=7000215>"}
The secret that's stored in the environment variable is 100% correct, but no matter what we put there, the stack somehow doesn't seem to update the credentials
One thing that also works is to manually update the provider resource
Copy code
pulumi up --target <provider urn>
Powered by