# azure
r
Good Evening! We have recently started to find authentication issues with pulumi versions above 3.104.1 while installing pulumi and deploying via CI/CD pipelines in Azure. We use a service principal sustained by an SSL certificate in our pipelines. If we use version 3.104.1 all goes well. We use an Azure Keyvault Key for our secrets provider. I am wondering if anyone on this channel has faced the same issue and how they solved it? Seems to be related to this issue: https://github.com/pulumi/pulumi/issues/15127, so it looks like a regression to me?! Kind regards, Francisco
s
Interesting, did you use pulumi versions below 3.104.1 before that were working? Also, just to check, but you're getting this error during a `pulumi refresh` operation?
We thought this would be fixed with https://github.com/pulumi/pulumi/pull/15334, but evidently there's still an issue here
Also another question, how are you setting the SSL certificate up? Are you using the `AZURE_CLIENT_CERTIFICATE_PATH` env variable or something else? And also would you be willing to send me the output of `openssl x509 -in cert.pem -noout -text` with `cert.pem` replaced by wherever you store your certificate? I'm mostly curious about signature and public key algorithms. Can be in a DM, redacting as much as you want.
I've been trying to reproduce the issue locally, but so far haven't managed
r
Hi Thomas, yes, all pipelines work up to version 3.104.1. We found it first on refresh, but it is also an issue on install.
• We (A colleague of mine) have in the meanwhile found what the issue was: We had some incorrectly named variables, `AZURE_CERTIFICATE_*` instead of `AZURE_CLIENT_CERTIFICATE_*`.
• The Azure SDK presumably switched away from the `ARM_*` variables, and eventually the change finally made its way into Pulumi 3.104.2.
s
Hi, I'm glad you worked it out (And sorry for the slow reply here, I had a few days off in the beginning of the week).
> The Azure SDK presumably switched away from the `ARM_*` variables, and eventually the change finally made its way into Pulumi 3.104.2.
Yes, this sounds very plausible. In Pulumi 3.104.2 we upgraded the gocloud.dev dependency, which also included upgrades for the Azure SDK. (We did the upgrade in 3.104.0, had to revert in 3.104.1, but realized we needed to fix it forward, so we upgraded again in 3.104.2)