# azure
d
Hi everyone, I am trying to create an app registration in Azure with the `azuread` provider. My stack is able to run without issues when authenticating via `az login`. However, when I try to authenticate via service principal I get the following error:

```
* A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.
```

I added the subscription ID to my Pulumi config like so:

```
azuread:subscriptionId: aaaabbbb-abba-aaaa-bbbb-aaa111bbbbb
```

I then get the following error:

```
could not validate provider configuration: 1 error occurred: * Invalid or unknown key
```

It seems like the azuread provider is missing the `subscriptionId` key to properly authenticate via service principal. Some reference docs, any help would be appreciated!
https://www.pulumi.com/registry/packages/azuread/installation-configuration/#authenticate-using-a-service-principal
https://www.pulumi.com/registry/packages/azuread/api-docs/provider/
f
Azure Auth is a headache and a half.

I'm not in an identical boat, as we use MSI / an attached managed identity on the build VM. We're reading in the `tenantId` and `clientId` from environment variables, and `subscriptionId` from an argument.

Ah, my apologies - I'm using the azure-native provider, not azuread. You are right in that the azuread provider doesn't take that option - that's weird - do you specify a `tenantId`? Theoretically that should be all it needs to find what to auth against.
d
Thanks for your help, I have `azuread:tenantId`, `azuread:clientId`, and `azuread:clientSecret` configured but it still complains about a missing subscription ID.
a
Interesting... Does any of the following work?
• Setting the `ARM_SUBSCRIPTION_ID` env var
• Or `az login --allow-no-subscriptions --tenant "<your tenant id>"`
If not maybe you could use ServicePrincipalPassword - which btw is not the same as ApplicationPassword (client credentials). Haven't tested the SP PWD myself though and I believe this password is not available in the portal.
d
Setting the `ARM_SUBSCRIPTION_ID` env var works, however I am trying to avoid this because it makes deployments more difficult for us and each developer would have to set this variable in this local stack to run Pulumi. Is there a way to programmatically set the env vars when I run `pulumi up -y` so that no additional shell commands need to be run for the stack to provision? How would I authenticate the azuread provider using ServicePrincipalPassword? I can't find documentation on this.
a
I feel your pain... You could potentially use Pulumi ESC if you're comfortable with implementing that, then use environment in your pulumi and either:
• Set up OIDC authentication via ESC – see example. This is what I use and works for me with `pulumi-azure-native` and `pulumi-azuread`.
• Expose the env var and import the ESC environment in your Pulumi.stack.yaml – not sure if Pulumi only picks up the stack config scope or also env vars without running via `esc run pulumi up`
I'm not sure about ServicePrincipalPassword as I've never used that myself.

This is the ESC config I use which configures OIDC for all my stacks.

Then in your Pulumi.<stack>.yaml simply add:

```
environment:
  - <your ESC environment name>
```
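As an added illustration of the second bullet above (this is not the poster's own ESC config, which is not shown in the thread), here is one shape an ESC environment could take so that `ARM_SUBSCRIPTION_ID` and the `azuread` provider keys come from one centrally managed place instead of each developer's shell. The environment name `azuread-sp-dev`, the GUIDs and the `fn::secret` wrapping of the client secret are constructed placeholders; it also assumes that `pulumi up` applies both the `pulumiConfig` and `environmentVariables` sections when the environment is listed under `environment:` in the stack file.

```yaml
# Added example: ESC environment definition (assumed name: azuread-sp-dev).
# All IDs are constructed placeholders, not real tenant/subscription/client values.
values:
  azure:
    tenantId: 00000000-0000-0000-0000-000000000001        # placeholder
    subscriptionId: 00000000-0000-0000-0000-000000000002  # placeholder
    clientId: 00000000-0000-0000-0000-000000000003        # placeholder
    clientSecret:
      fn::secret: "<client secret, encrypted at rest by ESC>"  # placeholder; never commit the real value

  # The azuread provider has no subscriptionId config key (as the thread found),
  # but it does honour ARM_SUBSCRIPTION_ID, so expose it as an environment variable
  # for the duration of the Pulumi operation.
  environmentVariables:
    ARM_SUBSCRIPTION_ID: ${azure.subscriptionId}

  # Provider config keys the thread confirms exist, applied as stack config on pulumi up.
  pulumiConfig:
    azuread:tenantId: ${azure.tenantId}
    azuread:clientId: ${azure.clientId}
    azuread:clientSecret: ${azure.clientSecret}

---
# Pulumi.<stack>.yaml (assumed file): import the environment above.
# With this in place nothing needs to be exported in a developer's shell.
environment:
  - azuread-sp-dev
```

The point of routing the values through ESC rather than a per-developer export is that the client secret is stored encrypted and access to it is governed by the environment's permissions, so it is never pasted into shell profiles or stack files; the OIDC setup the poster uses removes the long-lived secret altogether and is the stronger option where it is available.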
d
Thank you Ólafur for your helpful response, I'll give ESC a try!