https://pulumi.com logo
Join Slack
Powered by
I'm running into problems after trying out ESC env...
# esc
a
I'm running into problems after trying out ESC environment to configure OIDC authentication against Azure. First it worked but consecutive pulumi operations seem to be using an expired OIDC token. Despite efforts to explicitly disable the use of this environment I'm simply not able to make any deployments now. • Tried removing the environment inheritance from the stack config • Tried logging out of 
az cli
• Tried setting 
useMsi
and 
useOidc
explicitly to false • Tried 
esc open <env_name>
◦ It gives me a fresh valid OIDC token but it doesn't seem to use it • Tried 
pulumi env run <env_name> -- pulumi refresh --yes
It's like the OIDC token is cached from the previous deployment. Any ideas on what's going on?
pulumi operations just hang and eventually time out with the following error:
Copy code
"error":"invalid_client",
"error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-01-30T12:07:15.3716609Z, assertion valid from 2024-01-29T16:05:23.0000000Z, expiry time of assertion 2024-01-29T17:05:23.0000000Z."
r
You may have the stale credentials stored in state if they are referenced directly in any of your provider configurations
a
That could well be the case. If I set the token output as a provider config under pulumiConfig rather than using the provider env vars – will that store them in the state and use the same credentials on the next run?
r
Yes, exactly. Ambient credentials should prefer env vars since those are not saved in the state file.
a
Ok understood
r
happy to help!
a
Might be a good idea to mention this in the documentation. I didn't realize refresh would re-use a token from last deployment. Ended up having to delete the stack.
r
Might be a good idea to mention this in the documentation.
That's fair feedback and something we should do!
Ended up having to delete the stack.
I'm surprised to hear that! Why did you have to delete the stack? You couldn't get the stack to use any other fresh credentials otherwise? Can you tell me what all you tried? If deleting the stack is in fact the only way to get out of this situation then that's something we need to fix.
a
This was the configuration I had been using:
Copy code
"pulumniConfig": {
                "azure-native": {
                    "location": "northeurope",
                    "tenantId": "${azure.login.tenantId}",
                    "subscriptionId": "${azure.login.subscriptionId}",
                    "useOidc": True,
                    "oidcToken": "${azure.login.oidc.token}
                }
]
Unable to make any deployments despite: • Removing the 
environment
parameter from my stack config where the config above was used • Explicitly setting 
useOidc
to false • 
az logout
& 
az login
• Removed 
refresh: always
• Tried 
esc open
and 
pulumi env open
to see if that would refresh the token Everything I tried it was as if the old 
oidcToken
was just cached since previous deployment and the deployment would timeout after 5 minutes with the auth error above saying I was using an expired token.
r
Thanks for the details @adventurous-butcher-54166, I brought it up with the team internally and we're looking into it
Open in Slack
PreviousNext
Powered by