https://pulumi.com logo
#azure
Title
# azure
d

dry-secretary-46556

03/27/2024, 4:14 PM
Hi everyone I am trying to create an app registration in azure with the
azuread provider
. My stack is able to run without issues when authenticating via
az login
. However, when I try to authenticate via service principal I get the following error:
* A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.
. I added the subscription ID to my pulumi config like so
azuread:subscriptionId: aaaabbbb-abba-aaaa-bbbb-aaa111bbbbb
. I then get the following error:
could not validate provider configuration: 1 error occurred: * Invalid or unknown key
. It seems like the azuread provider is missing the
subscriptionId
key to properly authenticate via service principal. Some reference docs, any help would be appreciated! https://www.pulumi.com/registry/packages/azuread/installation-configuration/#authenticate-using-a-service-principal https://www.pulumi.com/registry/packages/azuread/api-docs/provider/
f

fast-sandwich-30809

03/27/2024, 7:17 PM
Azure Auth is a headache and a half
I'm not in an identical boat, as we use MSI / an attached managed identity on the build VM. We're reading in the
tenantId
and
clientId
from environment variables, and
subscriptionId
from an argument
Ah, my apologies - I'm using the azure-native provider, not azuread. You are right in that the azruead provider doesn't take that option - that's weird - do you specify a
tenantId
? Theoretically that should be all it needs to find what to auth against
d

dry-secretary-46556

03/27/2024, 7:25 PM
Thanks for your help, I have
azuread:tenantId
,
azuread:clientId
, and
azuread:clientSecret
configured but it still complains about a missing subscription ID.
a

adventurous-butcher-54166

04/03/2024, 2:53 PM
Interesting... Does any of the following work? • Setting
ARM_SUBSCRIPTION_ID
env var • Or
az login --allow-no-subscriptions --tenant "<your tenant id>"
If not maybe you could use ServicePrincipalPassword - which btw is not the same as ApplicationPassword (client credentials). Haven't tested the SP PWD myself though and I believe this password is not available in the portal.
d

dry-secretary-46556

04/03/2024, 3:58 PM
Setting the
ARM_SUBSCRIPTION_ID
env var works, however I am trying to avoid this because it makes deployments more difficult for us and each developer would have to set this variable in this local stack to run Pulumi. Is there a way to programmatically set the env vars when I run
pulumi up -y
so that no additional shell commands needed to be run for the stack to provision? How would I authenticate the azuread provider using ServicePrincipalPassword? I cant find documentation on this.
a

adventurous-butcher-54166

04/03/2024, 4:13 PM
I feel your pain... You could potentially use Pulumi ESC if you're comfortable with implementing that, then use environemnt in your pulumi and either: • Set up OIDC authentication via ESC – see example. This is what I use and works for me with
pulumi-azure-native
and
pulumi-azuread
. • Expose the env var and import the ESC environment in you Pulumi.stack.yaml – not sure if Pulumi only picks up the stack config scope or also env vars without running via
esc run pulumi up
I'm not sure about ServicePrincipalPassword as I've never used that myself.
This is the ESC config I use which configures OIDC for all my stacks.
Then in your Pulumi.<stack>.yaml simply add:
Copy code
environment:
  - <your ESC environment name>
d

dry-secretary-46556

04/03/2024, 7:24 PM
Thank you Ólafur for your helpful response, I'll give ESC a try!