Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
a
ancient-megabyte-79588
05/07/2020, 10:53 PMHello.. I'm trying to create a new stack with an Azure KeyVault Secrets Provider, but the
pulumi stack init dev --secret-provider="azurekeyvault://<url here>"error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<snipped>.<http://vault.azure.net/keys/pulumi//encrypt?api-version=7.0|vault.azure.net/keys/pulumi//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'b
broad-dog-22463
05/07/2020, 11:44 PM@billowy-army-68599 ?
b
billowy-army-68599
05/07/2020, 11:48 PMcan you try it with
export AZURE_KEYVAULT_AUTH_VIA_CLI=truehow are you authenticated to azure? it looks like you're trying to hit the internal metadata api
b
brave-caravan-6336
05/08/2020, 1:46 AMyeah he tries hitting the IMDS which is usually exposed by a VM instance and not locally available
a
ancient-megabyte-79588
05/08/2020, 4:18 PM@billowy-army-68599 When I set
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI="true"error: secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=d56774d8-1bab-4ac8-90fe-4f2227001139;numgroups=1;iss=<https://sts.windows.net/ff778d23-bb9d-431d-9ea1-b63f31ae5244/>' does not have keys encrypt permission on key vault '<snipped>;location=westus'. For help resolving this issue, please see <https://go.microsoft.com/fwlink/?linkid=2125287>" InnerError={"code":"ForbiddenByPolicy"}az keyvault key create --vault-name depthconsulting --name test{
"attributes": {
"created": "2020-05-08T16:17:08+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Recoverable+Purgeable",
"updated": "2020-05-08T16:17:08+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"keyOps": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"kid": "https://<snipped>.<http://vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7|vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7>",
"kty": "RSA",
"n": "hLznQVEKI+tBLtzcuBM2KvLUw3HefzIja/E0K+Twj82f/MCupEo1dlTT9BT6k8N1hHFaM7x5A5M3+pKTiYHhS3AnUt4XZyUzThk1m/f11mtJi5b+yx8EU4MiO/S740hUIxJc2OOqA0CJYYcTSQHK+gY9iRa+6VWZudFBBXVN+Ah+XIIIMWaZO+yyJ41CKmSh8uKHtKlFEXcMjxR6Gx8P7cq83jJSp1GPK1Kda9GB8X3zsolBFl6IS+wNglf0rlCwdYJPtllGnVFAPbnfbVlzU6y93Lh7zSiPjrbS4D6RovmHy9czcOd0QYnLAJt/ozvk5VDNvfMl2NqaTpMSbE4ZlQ==",
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"tags": null
}b
billowy-army-68599
05/08/2020, 4:19 PMyou need to set some policies on the key to make sure you can read/use it, take a look here
https://github.com/pulumi/examples/tree/master/secrets-provider/azure#create-an-azure-keyvault-key
you can create a new key, but not use the existing one?
a
ancient-megabyte-79588
05/08/2020, 4:40 PMI followed the steps exactly as laid out in the link above.
1. I created a new vault
2. Created a new key
3. Assigned the permissions
And I get the same error.
I set the
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"$Env:AZURE_AUTH_LOCATION = "<auth file location here>"b
billowy-army-68599
05/08/2020, 4:56 PMwhich error? the one related to a socket timeout, or the permission errors?
a
ancient-megabyte-79588
05/08/2020, 5:58 PMThe second permissions error.
When I remove the
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"AZURE_AUTH_LOCATIONerror: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://pulumi-test.vault.azure.net/keys/pulumi-secret//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'//This is the CLI command I used
pulumi stack init dev --secrets-provider="<azurekeyvault://pulumi-test.vault.azure.net/keys/pulumi-secret>"Do you have any documentation on the passphrase secret provider option? I'm simply trying to use a secret stack config values across 2 stacks
One error message says that there passphrase secret provider, but several others do not allude to it's existence
b
billowy-army-68599
05/08/2020, 7:58 PMpassphrase--secrets-provider=passphraseit should prompt you for a password
i'll try and repro the azure error when I get a chance
a
ancient-megabyte-79588
05/08/2020, 10:38 PMThanks!
I'll try the passphrase to get around what I'm doing for the time being