https://pulumi.com logo
#esc
Title
# esc
a

adventurous-butcher-54166

01/30/2024, 12:31 PM
I'm running into problems after trying out ESC environment to configure OIDC authentication against Azure. First it worked but consecutive pulumi operations seem to be using an expired OIDC token. Despite efforts to explicitly disable the use of this environment I'm simply not able to make any deployments now. • Tried removing the environment inheritance from the stack config • Tried logging out of
az cli
• Tried setting
useMsi
and
useOidc
explicitly to false • Tried
esc open <env_name>
◦ It gives me a fresh valid OIDC token but it doesn't seem to use it • Tried
pulumi env run <env_name> -- pulumi refresh --yes
It's like the OIDC token is cached from the previous deployment. Any ideas on what's going on?
pulumi operations just hang and eventually time out with the following error:
Copy code
"error":"invalid_client",
"error_description":"AADSTS700024: Client assertion is not within its valid time range. Current time: 2024-01-30T12:07:15.3716609Z, assertion valid from 2024-01-29T16:05:23.0000000Z, expiry time of assertion 2024-01-29T17:05:23.0000000Z."
r

red-match-15116

01/30/2024, 9:44 PM
You may have the stale credentials stored in state if they are referenced directly in any of your provider configurations
a

adventurous-butcher-54166

01/30/2024, 10:29 PM
That could well be the case. If I set the token output as a provider config under pulumiConfig rather than using the provider env vars – will that store them in the state and use the same credentials on the next run?
r

red-match-15116

01/30/2024, 10:47 PM
Yes, exactly. Ambient credentials should prefer env vars since those are not saved in the state file.
a

adventurous-butcher-54166

01/30/2024, 10:50 PM
Ok understood
r

red-match-15116

01/30/2024, 10:53 PM
happy to help!
a

adventurous-butcher-54166

01/31/2024, 9:06 AM
Might be a good idea to mention this in the documentation. I didn't realize refresh would re-use a token from last deployment. Ended up having to delete the stack.
r

red-match-15116

01/31/2024, 4:58 PM
Might be a good idea to mention this in the documentation.
That's fair feedback and something we should do!
Ended up having to delete the stack.
I'm surprised to hear that! Why did you have to delete the stack? You couldn't get the stack to use any other fresh credentials otherwise? Can you tell me what all you tried? If deleting the stack is in fact the only way to get out of this situation then that's something we need to fix.
a

adventurous-butcher-54166

01/31/2024, 5:06 PM
This was the configuration I had been using:
Copy code
"pulumniConfig": {
                "azure-native": {
                    "location": "northeurope",
                    "tenantId": "${azure.login.tenantId}",
                    "subscriptionId": "${azure.login.subscriptionId}",
                    "useOidc": True,
                    "oidcToken": "${azure.login.oidc.token}
                }
]
Unable to make any deployments despite: • Removing the
environment
parameter from my stack config where the config above was used • Explicitly setting
useOidc
to false •
az logout
&
az login
• Removed
refresh: always
• Tried
esc open
and
pulumi env open
to see if that would refresh the token Everything I tried it was as if the old
oidcToken
was just cached since previous deployment and the deployment would timeout after 5 minutes with the auth error above saying I was using an expired token.
r

red-match-15116

01/31/2024, 5:39 PM
Thanks for the details @adventurous-butcher-54166, I brought it up with the team internally and we're looking into it