Hey, there. Sorry if this isn't the right channel. I'm using Pulumi with DigitalOcean and everything was working well, but it's been about a month since I've worked on my project. When running

refresh

yesterday, I started getting 401 errors on all the DO endpoints (like querying for resources in DO). I know there's something with DO and rotating tokens, so I created a new token in DO and have set that as my local

DIGITALOCEAN_TOKEN

envar (and confirmed it with

env | grep

), as well as set it as

digitalocean:token

in esc. However, when I do a

pulumi config refresh

, it's not updating my local

Pulumi.prod.yaml

file with the updated hash, and I'm still getting the error. I ran

pulumi env open <env>

and I see the value is updated correctly and I've confirmed that if I make the same API requests (using

curl

) to DO that it's failing on with 401s and passing the new token that it does work successfully and I can see my DO resources, so it seems like the

pulumi

commands aren't pulling in the new value. I did try setting the value with

pulumi config set digitalocean:token <value> --secret

and that does update my

Pulumi.prod.yaml

file, but it's still failing with the same errors. Wondering if anyone here has any thoughts. Thank you!

I'm a little confused: Are you storing the token in ESC or your config file? ESC is a secrets management service that's a part of Pulumi Cloud, so if you're using ESC, you would define those secrets in Pulumi Cloud and then use the

environment:

key in your Pulumi IaC config file to automatically load the environment.

It's super possible I'm using it in a weird way. I'm pretty new to IAC and Pulumi, especially. I have an ESC environment where I have

values.pulumiConfig.digitalocean:token

(among other values under

pulumiConfig

which I reference using

config = pulumi.Config()

then

config.require_secret('someKey')

). I don't reference that token directly in my script, but up till now it's worked. I just tried to add a top-level

environment

key with

digitalocean:token

in it and that didn't have an effect.

If you want to import an environment into a Pulumi stack config file (e.g.

Pulumi.dev.yaml

), the syntax is:

environment:
  - esc_project/esc_environment

Ah I see what you're saying now, my bad. I do have the

environment

set correctly. I deleted the contents of

config

in that file and re-ran

pulumi config refresh -f

and it populated them again, but it seems to still be using an old version. I'll try pinning it to the latest just to see if it pulls it.

You probably won't need versioning unless you're using Pulumi at scale.

Am I correct in understanding that

pulumi config refresh -f

should pull in the latest version of the

pulumiConfig

section in the ESC environment?

No. The ESC environment is pulled down at runtime. It's not stored anywhere

Gotcha, makes sense. I just tried setting

digitalocean:token

to a random plaintext value to test that that's working and it wasn't updated in the stack when I load the UI. I guess I'm just a little confused overall, but that explains why setting it via the CLI wouldn't force it to use that value in the subsequent commands. Any thoughts around how to get the token to update in the pulumi config so it'll use the new value in refresh/up commands?

I don't remember offhand which value wins in the event of a collision.

I'd like it to live in ESC, I think. I ran

pulumi config rm digitalocean:token

, then ran

pulumi config get digitalocean:token

and it returned the new value. So I suppose this means it's pulling from ESC.

pulumi refresh

and

pulumi up --refresh

still fail with 401 errors, but I'm getting a different error when I just run

pulumi up

(kubernetes 403). So I'll try and run that down and see if it's all fixed now.

Hey @salmon-scooter-43644 I think the problem may be related to the fact that the program doesn't run during refresh, and may be using stale credentials that are stored (encrypted) in state.

That makes sense.