# azure
a
Hello.. I'm trying to create a new stack with an Azure KeyVault Secrets Provider, but the
pulumi stack init dev --secrets-provider="azurekeyvault://<url here>"
is blowing up with this message:
error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<snipped>.vault.azure.net/keys/pulumi//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
Any thoughts?
b
@billowy-army-68599 ?
b
can you try it with
export AZURE_KEYVAULT_AUTH_VIA_CLI=true
set?
how are you authenticated to azure? it looks like you're trying to hit the internal metadata api
b
yeah he tries hitting the IMDS which is usually exposed by a VM instance and not locally available
a
@billowy-army-68599 When I set
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI="true"
in my powershell instance, I get the following error
error: secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=d56774d8-1bab-4ac8-90fe-4f2227001139;numgroups=1;iss=https://sts.windows.net/ff778d23-bb9d-431d-9ea1-b63f31ae5244/' does not have keys encrypt permission on key vault '<snipped>;location=westus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
but when I use the azure-cli to create a key
az keyvault key create --vault-name depthconsulting --name test
I get this response
{
  "attributes": {
    "created": "2020-05-08T16:17:08+00:00",
    "enabled": true,
    "expires": null,
    "notBefore": null,
    "recoveryLevel": "Recoverable+Purgeable",
    "updated": "2020-05-08T16:17:08+00:00"
  },
  "key": {
    "crv": null,
    "d": null,
    "dp": null,
    "dq": null,
    "e": "AQAB",
    "k": null,
    "keyOps": [
      "encrypt",
      "decrypt",
      "sign",
      "verify",
      "wrapKey",
      "unwrapKey"
    ],
    "kid": "https://<snipped>.vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7",
    "kty": "RSA",
    "n": "hLznQVEKI+tBLtzcuBM2KvLUw3HefzIja/E0K+Twj82f/MCupEo1dlTT9BT6k8N1hHFaM7x5A5M3+pKTiYHhS3AnUt4XZyUzThk1m/f11mtJi5b+yx8EU4MiO/S740hUIxJc2OOqA0CJYYcTSQHK+gY9iRa+6VWZudFBBXVN+Ah+XIIIMWaZO+yyJ41CKmSh8uKHtKlFEXcMjxR6Gx8P7cq83jJSp1GPK1Kda9GB8X3zsolBFl6IS+wNglf0rlCwdYJPtllGnVFAPbnfbVlzU6y93Lh7zSiPjrbS4D6RovmHy9czcOd0QYnLAJt/ozvk5VDNvfMl2NqaTpMSbE4ZlQ==",
    "p": null,
    "q": null,
    "qi": null,
    "t": null,
    "x": null,
    "y": null
  },
  "managed": null,
  "tags": null
}
b
you need to set some policies on the key to make sure you can read/use it, take a look here https://github.com/pulumi/examples/tree/master/secrets-provider/azure#create-an-azure-keyvault-key
you can create a new key, but not use the existing one?
a
I followed the steps exactly as laid out in the link above:
1. I created a new vault
2. Created a new key
3. Assigned the permissions
And I get the same error. I set the
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"
env var. I've also generated file-based credentials and tried setting
$Env:AZURE_AUTH_LOCATION = "<auth file location here>"
b
which error? the one related to a socket timeout, or the permission errors?
a
The second permissions error. When I remove the
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"
env var, it tries a different mechanism and eventually times out with the original error at the beginning of the thread even with the
AZURE_AUTH_LOCATION
env var set.
error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://pulumi-test.vault.azure.net/keys/pulumi-secret//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
There are two // in the URL for this second error.
This is the CLI command I used
pulumi stack init dev --secrets-provider="azurekeyvault://pulumi-test.vault.azure.net/keys/pulumi-secret"
Do you have any documentation on the passphrase secret provider option? I'm simply trying to use secret stack config values across 2 stacks.
One error message says that there is a passphrase secret provider, but several others do not allude to its existence.
b
passphrase
isn't set like that, it's set like so
--secrets-provider=passphrase
it should prompt you for a password
i'll try and repro the azure error when I get a chance
a
Thanks!
I'll try the passphrase to get around what I'm doing for the time being