This message was deleted.

@billowy-army-68599 ?

can you try it with

export AZURE_KEYVAULT_AUTH_VIA_CLI=true

set?

yeah he tries hitting the IMDS which is usually exposed by a VM instance and not locally available

@billowy-army-68599 When I set

$Env:AZURE_KEYVAULT_AUTH_VIA_CLI="true"

in my powershell instance, I get the following error

error: secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=d56774d8-1bab-4ac8-90fe-4f2227001139;numgroups=1;iss=<https://sts.windows.net/ff778d23-bb9d-431d-9ea1-b63f31ae5244/>' does not have keys encrypt permission on key vault '<snipped>;location=westus'. For help resolving this issue, please see <https://go.microsoft.com/fwlink/?linkid=2125287>" InnerError={"code":"ForbiddenByPolicy"}

but when I use the azure-cli to create a key

az keyvault key create --vault-name depthconsulting --name test

I get this response

{
  "attributes": {
    "created": "2020-05-08T16:17:08+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-05-08T16:17:08+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "kid": "https://<snipped>.<http://vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7|vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7>",
    "kty": "RSA",
    "n": "hLznQVEKI+tBLtzcuBM2KvLUw3HefzIja/E0K+Twj82f/MCupEo1dlTT9BT6k8N1hHFaM7x5A5M3+pKTiYHhS3AnUt4XZyUzThk1m/f11mtJi5b+yx8EU4MiO/S740hUIxJc2OOqA0CJYYcTSQHK+gY9iRa+6VWZudFBBXVN+Ah+XIIIMWaZO+yyJ41CKmSh8uKHtKlFEXcMjxR6Gx8P7cq83jJSp1GPK1Kda9GB8X3zsolBFl6IS+wNglf0rlCwdYJPtllGnVFAPbnfbVlzU6y93Lh7zSiPjrbS4D6RovmHy9czcOd0QYnLAJt/ozvk5VDNvfMl2NqaTpMSbE4ZlQ==",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}

you need to set some policies on the key to make sure you can read/use it, take a look here https://github.com/pulumi/examples/tree/master/secrets-provider/azure#create-an-azure-keyvault-key

I followed the steps exactly as laid out in the link above. 1. I created a new vault 2. Created a new key 3. Assigned the permissions And I get the same error. I set the

$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"

Env Var I've also generated a file-based credentials and tried setting

$Env:AZURE_AUTH_LOCATION = "<auth file location here>"

which error? the one related to a socket timeout, or the permission errors?

The second permissions error. When I remove the

$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"

env var, it tries a different mechanism and eventually times out with the original error at the beginning of the thread even with the

AZURE_AUTH_LOCATION

env var set.

error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://pulumi-test.vault.azure.net/keys/pulumi-secret//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'

There are two

//

in the url for this second error

passphrase

isn't set like that, it's set like so

--secrets-provider=passphrase

Thanks!