https://pulumi.com logo
#azure
Title
# azure
n

nice-application-79035

04/02/2024, 6:32 AM
Hello everyone, I am maintaining pulumi stack state in the self managed backend. I made some modification in the Azure ADO pipeline pulumi tasks to use
--secrets-provider
but the pulumi task always show the following error
error: getting stack configuration: get stack secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables
. Below is my pulumi task in the ADO pipeline. Could you please tell me why do we need to set ``PULUMI_CONFIG_PASSPHRASE` in the environment variable when I am trying to use Azure key vault as the secret provider?
Copy code
task: Pulumi@1
  displayName: 'Pulumi Up (Namespace: ${{ parameters.namespace }})'
  retryCountOnTaskFailure: 3
  inputs:
    cwd: '$(Build.SourcesDirectory)/cicd/iac/'
    command: 'up'
    args: '--yes --config-file=$(CONFIG_FILE_PATH) --secrets-provider=$(KEY_VAULT_PULUMI_KEY)'
    loginArgs: '--cloud-url <azblob://pulumistacks?storage_account=$(STORAGE_ACCOUNT_NAME)>'
    stack: 'organization/test/virtual-${{ parameters.namespace }}'
    azureSubscription: $(PULUMI_STACK_SUBSCRIPTION)
    createStack: true
  env:
    AZURE_STORAGE_ACCOUNT: $(STORAGE_ACCOUNT_NAME)
    AZURE_STORAGE_KEY: $(STORAGE_ACCOUNT_KEY)
    AZURE_KEYVAULT_AUTH_VIA_CLI: "true"
f

fast-sandwich-30809

04/02/2024, 1:56 PM
Hey! I am also using Azure Devops and an azure storage account backend! I can't say I've setup the keyvault secrets provider yet though, so I'm not sure how much help I can be
Statefiles are stored as files in the storage account, and they will contain encrypted secrets (like connection strings for things, function app master keys, etc) - those secrets are encrypted with the "pulumi config passphrase". It sounds like you're trying to get that / set that from the keyvault?
The "secrets" functionality is more for api keys that need to be passed to other things, that you don't want to store as code - I'm not sure if you can get the pulumi config passphrase from the keyvault. I might have to do some digging
n

nice-application-79035

04/02/2024, 5:14 PM
Hi @fast-sandwich-30809, thank you for your reply. I understood that you can use either passphrase or azure key vault as a secret-provider for the pulumi stack. I couldn't find an example where it has been done or used in the pipeline. I would appreciate any information you might have.
2 Views