Hi! I am trying to setup Pulumi with Azure backend...
# getting-started
Hi! I am trying to set up Pulumi with the Azure backend (Blob Storage) using az login, from this documentation: https://www.pulumi.com/docs/concepts/state/#azure-blob-storage It is mentioned that "The Azure account must have the Storage Blob Data Contributor role or an equivalent role with permissions to read, write, and delete blobs." I have a Contributor role on my account and can manage blob storage and its containers, but I am getting: "RESPONSE 403: 403 This request is not authorized to perform this operation using this permission." Two questions:
• Is Pulumi looking EXACTLY for this role to be assigned to the logged-in account?
• Is it possible to set this up in a way that only the READER role is required, so I could use Preview but not Up? (local machine development)
Contributor role of my organization.
Such permissions I inherit from it.
I would assume that they should be sufficient.
I checked on another account, where I gave myself Owner of the storage account, and it worked.
The Contributor role does allow you to manage Azure resources, such as creating a blob container, which is an Azure resource. But access to the data within a blob container is granted via the "data plane". Neither the Contributor nor the Owner role gives you that data plane access; see the empty list of "DataActions" permissions for those role definitions. For this you need one of the Storage Blob Data [Contributor|Owner|Reader] roles. There are two methods of authorizing access to storage account data: Access Keys and Azure RBAC. Some clients, like the Storage Account Browser in the Azure Portal, will allow you to access data within a storage account by retrieving the storage account access key, that is if the access key option is Enabled. I personally disable SAS access by default on my storage accounts and use the RBAC data plane roles, unless there's a specific workload that really needs SAS access.
@adventurous-butcher-54166 Please take a look at my screenshot above. What permissions am I lacking?
Ok, I think I get this. What about my second question: is it possible to limit this to READ, to be able to perform PREVIEW but not UP?
1. For write access to blobs within a blob container, you are lacking the permissions provided by the Storage Blob Data Contributor role, which grants you the ability to create, read & delete.
2. For read-only access to blobs you would use the Storage Blob Data Reader role.
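The two answers above (control plane vs. data plane, and Contributor vs. Reader for `up` vs. `preview`) can be checked mechanically. The block below is an added example, not code from the thread, Pulumi, or Azure: a minimal evaluator of Azure RBAC role definitions that keeps control-plane `Actions` separate from data-plane `DataActions`. The role definitions are hand-copied and abbreviated from the built-in roles (an assumption; confirm against `az role definition list --name "<role>"`), and the mapping of Pulumi commands to blob operations is an assumption based on the documentation quoted in the question.

```python
"""Why Contributor/Owner get AuthorizationPermissionMismatch on the Pulumi state
blobs while Storage Blob Data Reader/Contributor work.

Added example (not from the thread, Pulumi, or Azure): a minimal evaluator of
Azure RBAC role definitions split into control-plane Actions and data-plane
DataActions. Role definitions are hand-copied and abbreviated from the built-in
roles (assumption: confirm with `az role definition list --name "<role>"`).
"""
from fnmatch import fnmatchcase

STORAGE = "Microsoft.Storage/storageAccounts/"
CONTAINER = STORAGE + "blobServices/containers/"
BLOB = CONTAINER + "blobs/"

# Constructed, abbreviated role definitions. DataActions is empty for the
# classic management roles: "*" in Actions never reaches the data plane.
ROLES = {
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "DataActions": [],
        "NotDataActions": [],
    },
    "Owner": {"Actions": ["*"], "NotActions": [], "DataActions": [], "NotDataActions": []},
    "Storage Blob Data Reader": {
        "Actions": [CONTAINER + "read", STORAGE + "blobServices/generateUserDelegationKey/action"],
        "NotActions": [],
        "DataActions": [BLOB + "read"],
        "NotDataActions": [],
    },
    "Storage Blob Data Contributor": {
        "Actions": [CONTAINER + "read", CONTAINER + "write", CONTAINER + "delete",
                    STORAGE + "blobServices/generateUserDelegationKey/action"],
        "NotActions": [],
        "DataActions": [BLOB + "read", BLOB + "write", BLOB + "delete",
                        BLOB + "add/action", BLOB + "move/action"],
        "NotDataActions": [],
    },
}

# Data-plane operations each Pulumi command needs on the state container
# (assumption, from the docs quoted in the thread: login/preview only read
# `.pulumi/...` blobs; up also writes checkpoints and writes/deletes lock blobs).
PULUMI_NEEDS = {
    "login": {BLOB + "read"},
    "preview": {BLOB + "read"},
    "up": {BLOB + "read", BLOB + "write", BLOB + "delete"},
}


def _matches(patterns, operation):
    # Azure permission strings use "*" as a wildcard that also spans "/".
    return any(fnmatchcase(operation, p) for p in patterns)


def permits(role_names, operation, data_plane=True):
    """Azure RBAC semantics: an operation is allowed if at least one assigned
    role lists it in (Data)Actions and does not exclude it in Not(Data)Actions.
    Grants are unioned across roles; NotActions only narrow their own role."""
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    for name in role_names:
        role = ROLES[name]
        if _matches(role[allow], operation) and not _matches(role[deny], operation):
            return True
    return False


def pulumi_commands_allowed(role_names):
    """Map each Pulumi command to whether the given role set can run it."""
    return {cmd: all(permits(role_names, op) for op in ops)
            for cmd, ops in PULUMI_NEEDS.items()}


def missing_for(role_names, command):
    """Data-plane operations a role set still lacks for a command."""
    return sorted(op for op in PULUMI_NEEDS[command] if not permits(role_names, op))


if __name__ == "__main__":
    for roles in (["Contributor"], ["Owner"],
                  ["Storage Blob Data Reader"], ["Storage Blob Data Contributor"]):
        print(f"{roles}: {pulumi_commands_allowed(roles)}")
    # Contributor can create the container (control plane) ...
    print(permits(["Contributor"], CONTAINER + "write", data_plane=False))
    # ... but cannot read a single blob inside it (data plane) ...
    print(permits(["Contributor"], BLOB + "read"))
    # ... and it CAN list the account keys, which bypass RBAC entirely.
    print(permits(["Contributor"], STORAGE + "listKeys/action", data_plane=False))
```

For the questioner's goal (developers can `preview` but not `up`), assign Storage Blob Data Reader to the developers and Storage Blob Data Contributor only to the CI identity, both scoped to the state container (`az role assignment create --role "<role>" --assignee <principal> --scope <container resource id>`). That split only holds if shared-key access is disabled on the storage account (`allowSharedKeyAccess` set to false): as the last check in the block shows, Contributor includes `listKeys/action`, and a developer who can fetch the account key can export `AZURE_STORAGE_KEY` and write state without any data-plane role. New role assignments can also take several minutes to propagate before the 403 disappears.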
1. Setting Storage Blob Data Contributor works. Thank you.
2. However, I tried with Storage Blob Data Reader and got the same error: error: problem logging in:

```
read ".pulumi/meta.yaml": blob (key ".pulumi/meta.yaml") (code=Unknown): GET ..."
RESPONSE 403: 403 This request is not authorized to perform this operation using this permission.
ERROR CODE: AuthorizationPermissionMismatch
```

when calling "pulumi login".
What I would like to achieve is that my developers shouldn't be able to execute UP commands from their local machines but be able to work with Pulumi & preview. Especially in Prod environment. How can I achieve that?
To simply put: How can I protect PULUMI STATE against state modification from local, developer machines?
I answered this by myself. Storage Blob Data Reader works. It was a matter of logging out and logging in again in the AZ CLI. Thanks for your assistance 🙂