https://pulumi.com logo
#azure
Title
# azure
s

shy-mouse-10008

12/04/2023, 11:55 PM
@melodic-tomato-39005 I saw you were writing about OIDC authentication for pulumi and I have specific questions related to that. I've followed this tutorial to setup workload identity on GKE to communicate with Azure, and it is working well, I see the following vairables automatically propagated inside my pods on GKE cluster:
Copy code
AZURE_AUTHORITY_HOST=<https://login.microsoftonline.com/>
AZURE_CLIENT_ID=XXXXXXXX
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=XXXXX
But these are different from Pulumi required vairable, I was testing something like this:
Copy code
- name: ARM_USE_OIDC
    value: "true"
  - name: ARM_CLIENT_ID
    value: XXXXXXX
  - name: ARM_TENANT_ID
    value: XXXXXXXX
  - name: ARM_OIDC_TOKEN # this is wrong as pulumi expects an actual token, not a path to a token
    value: /var/run/secrets/azure/tokens/azure-identity-token
Are there some option to integrate workload identity as is, without mapping
AZURE_
variables to
ARM_
variables? I was expecting pulumi to handle this natively as Azure clients do
hehe, was OIDC support added just 5 days ago? if that's the case, I can understand not all use-cases are covered yet
m

melodic-tomato-39005

12/05/2023, 12:52 PM
Hi Maksym, we don’t support the
AZURE_
variables currently and they weren’t on our radar. Terraform, for instance, doesn’t seem to support them either? However, feel free to file an issue about it.
s

shy-mouse-10008

12/05/2023, 11:59 PM
Created an issue, thanks Thomas. I may be wrong, but I think implementing that change will make the authentication process better overall.