hey guys i am currently trying to delete a secret from azure Pulumi Community #azure

hey guys, i am currently trying to delete a secre...

bored-sunset-10957

12/18/2024, 1:49 PM

hey guys, i am currently trying to delete a secret from azure keyvault that has previously been created through pulumi. Locally everything works as expected while i am stuck on running the code on our vms. I have been upgrading azure native to 2.70.0 and we are running the VMs with "system assigned managed identities" behind the scenes to keep low on credential management. Creation of secrets works fine on vms, however deletion gives the following error:

azure-native:keyvault:Secret (SAMPLE-SECRET):

error: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'

now, the managed identity is technically a sort of service principal, however, we do not want to store specific credentials in environment variables or such -> hence the use of managed identity. running ops in CLI directly on the keyvault works without any issues, therefore the problem is not related to any azure permissions being inprecise (or at least i would assume so). Any suggestions on this by anyone? Thanks for the help

melodic-tomato-39005

12/18/2024, 1:55 PM

Hey! You don’t want CLI auth in this case. It’s merely attempted because it’s the fallback: the provider tries it if nothing else is available. Did you set

azure-native:useMsi

ARM_USE_MSI

? Oops, I’m just noticing that the docs here are not correct, “you don’t need to do anything else” is not true, you do need to set

useMsi

bored-sunset-10957

12/18/2024, 2:12 PM

hey, jeah we usually set the ARM_USE_MSI, but i noticed we did not in this explicit case, now i am unfortunately stuck on the next corner... that you also seem to be aware of 😄 https://github.com/pulumi/pulumi-azure-native/issues/2432

melodic-tomato-39005

12/18/2024, 2:13 PM

The newer issue reported in this comment?

melodic-tomato-39005

12/18/2024, 2:14 PM

ah just saw your comment

bored-sunset-10957

12/18/2024, 2:15 PM

yep, however, the id in question is pointing at the KV in our case:

error: keyvault.BaseClient#DeleteSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10022: Invalid audience. Expected cfa8b339-82a2-471a-a3c9-0fc0be7a4093, found: <https://management.azure.com/>."

melodic-tomato-39005

12/18/2024, 3:41 PM

I’d appreciate it if you could file an issue with a complete picture of your setup and, ideally, a short program to reproduce the issue.

44 Views

Open in Slack

Previous Next