https://pulumi.com logo
#azure
Title
# azure
m

many-pager-46142

02/08/2024, 7:13 PM
Hi everyone, wondering if anyone has gotten Pulumi Azure task extension for Azure Pipelines to work without setting
PULUMI_ACCESS_TOKEN
?
I have azure storage and secrets backends setup instead of using pulumi cloud.
r

rhythmic-activity-46295

02/08/2024, 7:53 PM
hi Reuben, in our pipeline templates we use a ssl cert, setting up a few env variables in an AzureCli@2 inline script task: # Variables required by Pulumi's Azure providers. $certLocalPath = "${{ variables.cert_local_path }}" Write-Host "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)" Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId" Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId" Write-Host "##vso[task.setvariable variable=ARM_CLIENT_CERTIFICATE_PATH]$certLocalPath" Write-Host "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)" Write-Host "##vso[task.setvariable variable=AZURE_CLIENT_ID]$env:servicePrincipalId" Write-Host "##vso[task.setvariable variable=AZURE_TENANT_ID]$env:tenantId" Write-Host "##vso[task.setvariable variable=AZURE_CERTIFICATE_PATH]$certLocalPath" Then we download the service principal cert to $certLocalPath inlineScript: | $certData = try { [Convert]::FromBase64String('$(PRIMARYSERVICEPRINCIPALCERTIFICATE)') } catch {} if ($certData) { Write-Host '--- Decode & create service principal certificate ---' Set-Content ${{ variables.cert_local_path }} -Value $certData -AsByteStream } else { Write-Host '--- Certificate data is missing or invalid. Skipping certificate file creation. ---' Write-Host '--- This is fine if your pipeline does not create any Azure resources. ---' } of course rbac perms for the principal are required. We bootstrap that via pulumi as well on a different stack... Hope this helps!
m

many-pager-46142

02/08/2024, 8:00 PM
@rhythmic-activity-46295, what does your pipeline yaml look like?
r

rhythmic-activity-46295

02/08/2024, 8:05 PM
we use a common repo to contain main templates which are then referred by our pipelines in general. the following two tasks are required to use pulumi via service principal rbac perms
there is a lot more to it but.. I guess I can leave here the idea of using the actual service principal to access the pulumi storage account via rbac. auth is done using the cert.
m

many-pager-46142

02/08/2024, 8:26 PM
Ok, thanks. The SSL cert auth is bit more complex than I'm ready for right now 🙂 . Esp since I'm not an admin and would have to request access. I wound up plugged in my current API token and as the issue stated, it still logs in via the azure storage backend. So now I just need to request the appropriate service connection access since the pipeline is failing when it attempts to fetch from azure storage.
Copy code
# AZURE_STORAGE_CONTAINER is listed under variables

- job: Pulumi
  condition: in(variables['Build.Reason'], 'Manual')
  steps:
  - task: Pulumi@1
    inputs:
      azureSubscription: $(subscriptionConnectionName)
      command: up
      args: '--yes --logtostderr'
      cwd: $(cwd)
      stack: dev
    env:
      PULUMI_ACCESS_TOKEN: $(pulumiAccessToken)
      AZURE_STORAGE_ACCOUNT: $(storageAccount)