I'm running into problems after trying out ESC env...
# esc
I'm running into problems after trying out ESC environment to configure OIDC authentication against Azure. First it worked but consecutive pulumi operations seem to be using an expired OIDC token. Despite efforts to explicitly disable the use of this environment I'm simply not able to make any deployments now. • Tried removing the environment inheritance from the stack config • Tried logging out of
az cli
• Tried setting
explicitly to false • Tried
esc open <env_name>
◦ It gives me a fresh valid OIDC token but it doesn't seem to use it • Tried
pulumi env run <env_name> -- pulumi refresh --yes
It's like the OIDC token is cached from the previous deployment. Any ideas on what's going on?
pulumi operations just hang and eventually time out with the following error:
Copy code
"error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-01-30T12:07:15.3716609Z, assertion valid from 2024-01-29T16:05:23.0000000Z, expiry time of assertion 2024-01-29T17:05:23.0000000Z."
You may have the stale credentials stored in state if they are referenced directly in any of your provider configurations
That could well be the case. If I set the token output as a provider config under pulumiConfig rather than using the provider env vars – will that store them in the state and use the same credentials on the next run?
Yes, exactly. Ambient credentials should prefer env vars since those are not saved in the state file.
Ok understood
happy to help!
Might be a good idea to mention this in the documentation. I didn't realize refresh would re-use a token from last deployment. Ended up having to delete the stack.
Might be a good idea to mention this in the documentation.
That's fair feedback and something we should do!
Ended up having to delete the stack.
I'm surprised to hear that! Why did you have to delete the stack? You couldn't get the stack to use any other fresh credentials otherwise? Can you tell me what all you tried? If deleting the stack is in fact the only way to get out of this situation then that's something we need to fix.
This was the configuration I had been using:
Copy code
"pulumniConfig": {
                "azure-native": {
                    "location": "northeurope",
                    "tenantId": "${azure.login.tenantId}",
                    "subscriptionId": "${azure.login.subscriptionId}",
                    "useOidc": True,
                    "oidcToken": "${azure.login.oidc.token}
Unable to make any deployments despite: • Removing the
parameter from my stack config where the config above was used • Explicitly setting
to false •
az logout
az login
• Removed
refresh: always
• Tried
esc open
pulumi env open
to see if that would refresh the token Everything I tried it was as if the old
was just cached since previous deployment and the deployment would timeout after 5 minutes with the auth error above saying I was using an expired token.
Thanks for the details @adventurous-butcher-54166, I brought it up with the team internally and we're looking into it