Hello everyone. I am using Pulumi's Automation API...
# azure
c
Hello everyone. I am using Pulumi's Automation API in Python, with Azure as the backend to store the State. I would like to know if it is possible to pass an Azure TokenCredential obtained with `InteractiveBrowserCredential()` to Pulumi's stack when setting it up? I'm trying to use a token that was obtained in my Python script (before setting up the stack) and not via `az login`. If I do an `az login` before executing my script, I don't need any environment variables (for instance Tenant id, Client id, access key to my Storage, ...), as Pulumi internally uses in the end `DefaultAzureCredential()` and manages to retrieve my token upon setting up the stack. But I'm trying to implement the "az login" inside my script (with `credential = InteractiveBrowserCredential()`) before setting up the stack, and it seems impossible to pass this `credential` to the stack. As expected, Pulumi is failing with the following Azure error message:
```
DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
        EnvironmentCredential: missing environment variable AZURE_TENANT_ID
        WorkloadIdentityCredential: no client ID specified. Check pod configuration or set ClientID in the options
        ManagedIdentityCredential: managed identity timed out. See <https://aka.ms/azsdk/go/identity/troubleshoot#dac> for more information
        AzureCLICredential: ERROR: Please run 'az login' to setup account.
```
Any ideas?
I find it very sad that you cannot pass to your Pulumi stack an Azure credential obtained programmatically either for A) backing the State or B) for running the stack. I have already obtained programmatically Azure credentials via my own means for my user account inside my Python script, and I can do everything I want on Azure with this. Why can't I pass this to set up the State, for example? I am required to pass environment variables such as `AZURE_STORAGE_KEY`, for what reason? 😞 My user account can connect to my Azure Storage with Entra ID, I should be able to pass an Azure credential/token directly to Pulumi, so that it uses that when connecting... Same goes when creating the stack and the resources on Azure with `stack.up()`, why can't I pass my (user) authentication directly to Pulumi? Instead `DefaultAzureCredential()` is used internally and waits for either EnvironmentCredential, WorkloadIdentityCredential, ManagedIdentityCredential or AzureCLICredential... OK, but it should also be able to get as input an Azure credential obtained programmatically via my own means.

I tried to recode a custom Azure provider that wraps the original azure-native so that I can implement authentication on my own. BUT it seems impossible, as authentication is deeply embedded into azure-native. Even if my authentication is called first, it later calls `DefaultAzureCredential()` again no matter what (and that second call can't find my cached token). We definitely need a PR for this, in my opinion. Any thoughts?
e
Hey, did you find a solution for this? I am also trying to set `AZURE_STORAGE_KEY` programmatically, either in the configuration or through `pulumi.runtime`, but every configuration value gets ignored. It works if I set the environment variable beforehand, but not within the program. I am trying to set up the storage account for the state in a separate stack and use it in another stack. I expected more flexibility in a new "language" like Pulumi.