This message was deleted.
# azure
s
This message was deleted.
t
@clever-sunset-76585 might be able to help
p
Interestingly, it works if I manually map in the
ARM_*
variables, like so:
Copy code
- task: Pulumi@1
  displayName: Create/update Azure resources
  inputs:
    azureSubscription: IDeliverable Azure Subscription
    command: up
    args: --skip-preview --yes
    cwd: infra/
    stack: dev
  env:
    PULUMI_ACCESS_TOKEN: $(PulumiAccessToken)
    # The below should not be necessary since this task is using a service connection, but it does not seem able to correctly get the client secret from the connection, so for now this is the workaround.
    ARM_CLIENT_SECRET: $(AzureClientSecret)
    ARM_SUBSCRIPTION_ID: $(AzureSubscriptionId)
    ARM_CLIENT_ID: $(AzureClientId)
    ARM_TENANT_ID: $(AzureTenantId)
- script: |
    echo "##vso[task.setvariable variable=appName;isOutput=true]$(pulumi stack output appName)"
  displayName: Set stack outputs as variables
  name: stackVariables
But while a viable workaround, obviously this is not ideal since it kind of negates the point of the service connection and forces us to store these credentials as variables.
c
Hi Daniel, I have a couple of questions for you. - How did you create your service connection? Sometimes this error could be because of an expired client secret tied to the service principal of your service connection. - Does this service connection work with other tasks? Lastly, it is possible that there is a subtle difference in how your service connection was created, that the task isn't able to get credentials from it. (Though I doubt that is the case.)
p
@clever-sunset-76585 I now understand what was going on. It turns out the “edit service connection” dialog in DevOps has a major bug.
Manually updating the client secret has no effect! The new client secret is not persisted on the service connection, instead it’s saved with an empty client secret value.
You literally have to delete and create a new service connection in order to set a client secret.
As a result, I believe the service connection, even though it was validated, was saved without a client secret.
I should really report that to Microsoft...
c
Ohh that is a bad problem indeed. Glad you found it, though. Also I am curious. Could you not let the service connection create a new service principal automatically in your Azure Subscription?
p
@clever-sunset-76585 Yes, that’s what happens when you create a new service connection or update an existing with the “simplified” dialog.
Then it creates the client secret for you.
But then it creates a nameless one in Azure.
And we need to maintain several different client secrets for the same service principal, for different contexts, different expiration etc, so we need to name them better to tell them apart.
That’s the kind of scenario that the “full” dialog is supposed to accommodate.
c
And we need to maintain several different client secrets for the same service principal, for different contexts, different expiration etc, so we need to name them better to tell them apart.
Yep. I see what you mean.