# azure
Hi everyone, I am trying to create an app registration in Azure with the `azuread` provider. My stack is able to run without issues when authenticating via `az login`. However, when I try to authenticate via a service principal I get the following error:
* A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.
I added the subscription ID to my pulumi config like so:
`azuread:subscriptionId: aaaabbbb-abba-aaaa-bbbb-aaa111bbbbb`
I then get the following error:
`could not validate provider configuration: 1 error occurred: * Invalid or unknown key`
It seems like the azuread provider is missing the key to properly authenticate via service principal. Some reference docs; any help would be appreciated!
https://www.pulumi.com/registry/packages/azuread/installation-configuration/#authenticate-using-a-service-principal
https://www.pulumi.com/registry/packages/azuread/api-docs/provider/
Azure Auth is a headache and a half
I'm not in an identical boat, as we use MSI / an attached managed identity on the build VM. We're reading in the
from environment variables, and
from an argument
Ah, my apologies - I'm using the azure-native provider, not azuread. You are right in that the azuread provider doesn't take that option - that's weird - do you specify a
? Theoretically that should be all it needs to find what to auth against
Thanks for your help, I have
, and
configured but it still complains about a missing subscription ID.
Interesting... Does any of the following work?
• Setting
env var
• Or `az login --allow-no-subscriptions --tenant "<your tenant id>"`
If not, maybe you could use ServicePrincipalPassword - which btw is not the same as ApplicationPassword (client credentials). Haven't tested the SP PWD myself though, and I believe this password is not available in the portal.
Setting the
env var works; however, I am trying to avoid this because it makes deployments more difficult for us, and each developer would have to set this variable in their local stack to run Pulumi. Is there a way to programmatically set the env vars when I run `pulumi up -y`, so that no additional shell commands need to be run for the stack to provision? How would I authenticate the azuread provider using ServicePrincipalPassword? I can't find documentation on this.
I feel your pain... You could potentially use Pulumi ESC if you're comfortable with implementing that, then use environment in your pulumi and either:
• Set up OIDC authentication via ESC – see example. This is what I use and works for me with
.
• Expose the env var and import the ESC environment in your Pulumi.stack.yaml – not sure if Pulumi only picks up the stack config scope or also env vars without running via `esc run pulumi up`.
I'm not sure about ServicePrincipalPassword as I've never used that myself.
This is the ESC config I use which configures OIDC for all my stacks.
Then in your Pulumi.<stack>.yaml simply add:
```yaml
  - <your ESC environment name>
```
Thank you Ólafur for your helpful response, I'll give ESC a try!