https://pulumi.com logo
#general
Title
# general
f

flat-sunset-64442

12/08/2023, 10:10 AM
Hi! Has anyone used the Azure OIDC federated credentials when deploying Pulumi applications from GitHub Actions? I guess I've done something wrong, but can't figure out what... OIDC seems to work since I can run
azure/login@v1
without issues. Getting this error message:
Copy code
/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77
                      : new CommandError(result);
  ^
  CommandError: code: -2
   stdout: 
   stderr: Command failed with exit code 255: pulumi preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --event-log /tmp/automation-logs-preview-y7QDVg/eventlog.txt --stack tst --non-interactive
  warning: GOCOVERDIR not set, no coverage data emitted
  error: getting stack configuration: get stack secrets manager: secrets (code=InvalidArgument): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.<http://azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0|azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0>: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>
   err?: Error: Command failed with exit code 255: pulumi preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --event-log /tmp/automation-logs-preview-y7QDVg/eventlog.txt --stack tst --non-interactive
  warning: GOCOVERDIR not set, no coverage data emitted
  error: getting stack configuration: get stack secrets manager: secrets (code=InvalidArgument): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.<http://vault.azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0|vault.azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0>: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>
  
      at Object.createCommandError (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77:1)
      at Object.<anonymous> (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:76:1)
      at Generator.throw (<anonymous>)
      at rejected (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:19:1)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5)
This is what the step looks like in GitHub Actions:
Copy code
- name: "Pulumi preview"
	uses: pulumi/actions@v4
	with:
	  pulumi-version: 3.96.1
	  command: preview
	  stack-name: ${{ inputs.stack_name }}
	  cloud-url: ${{ inputs.stack_url }}
	  comment-on-pr: true
	  diff: true
	  work-dir: ${{ inputs.working_directory }}
	env:
	  ARM_USE_OIDC: "true"
l

late-window-4903

12/08/2023, 3:52 PM
I assume you're using Azure Key Vault for the secrets? Have you set
AZURE_KEYVAULT_AUTH_VIA_CLI=true
in the env? The SDK won't pickup the CLI login without that. Edit: The error doesn't look exactly like the ones I've ran into, so I'm just guessing.
f

flat-sunset-64442

12/11/2023, 6:44 AM
Yeah, thanks for trying to help, but I don't think that's the issue 🤔