https://pulumi.com logo
Join Slack
Powered by
<@U038021B1CJ> I saw you were writing about OIDC a...
# azure
s
@melodic-tomato-39005 I saw you were writing about OIDC authentication for pulumi and I have specific questions related to that. I've followed this tutorial to setup workload identity on GKE to communicate with Azure, and it is working well, I see the following vairables automatically propagated inside my pods on GKE cluster:
Copy code
AZURE_AUTHORITY_HOST=<https://login.microsoftonline.com/>
AZURE_CLIENT_ID=XXXXXXXX
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=XXXXX
But these are different from Pulumi required vairable, I was testing something like this:
Copy code
- name: ARM_USE_OIDC
    value: "true"
  - name: ARM_CLIENT_ID
    value: XXXXXXX
  - name: ARM_TENANT_ID
    value: XXXXXXXX
  - name: ARM_OIDC_TOKEN # this is wrong as pulumi expects an actual token, not a path to a token
    value: /var/run/secrets/azure/tokens/azure-identity-token
Are there some option to integrate workload identity as is, without mapping 
AZURE_
variables to 
ARM_
variables? I was expecting pulumi to handle this natively as Azure clients do
hehe, was OIDC support added just 5 days ago? if that's the case, I can understand not all use-cases are covered yet
m
Hi Maksym, we don’t support the 
AZURE_
variables currently and they weren’t on our radar. Terraform, for instance, doesn’t seem to support them either? However, feel free to file an issue about it.
s
Created an issue, thanks Thomas. I may be wrong, but I think implementing that change will make the authentication process better overall.
Open in Slack
PreviousNext
Powered by