ancient-megabyte-79588
05/07/2020, 10:53 PM
pulumi stack init dev --secret-provider="azurekeyvault://<url here>"
is blowing up with this message:
error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<snipped>.vault.azure.net/keys/pulumi//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
Any thoughts?
broad-dog-22463
05/07/2020, 11:44 PM
billowy-army-68599
05/07/2020, 11:48 PM
export AZURE_KEYVAULT_AUTH_VIA_CLI=true
set?
brave-caravan-6336
05/08/2020, 1:46 AM
ancient-megabyte-79588
05/08/2020, 4:18 PM
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI="true"
in my PowerShell instance, I get the following error
error: secrets (code=PermissionDenied): keyvault.BaseClient#Encrypt: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=d56774d8-1bab-4ac8-90fe-4f2227001139;numgroups=1;iss=https://sts.windows.net/ff778d23-bb9d-431d-9ea1-b63f31ae5244/' does not have keys encrypt permission on key vault '<snipped>;location=westus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}
but when I use the azure-cli to create a key
az keyvault key create --vault-name depthconsulting --name test
I get this response
{
"attributes": {
"created": "2020-05-08T16:17:08+00:00",
"enabled": true,
"expires": null,
"notBefore": null,
"recoveryLevel": "Recoverable+Purgeable",
"updated": "2020-05-08T16:17:08+00:00"
},
"key": {
"crv": null,
"d": null,
"dp": null,
"dq": null,
"e": "AQAB",
"k": null,
"keyOps": [
"encrypt",
"decrypt",
"sign",
"verify",
"wrapKey",
"unwrapKey"
],
"kid": "https://<snipped>.vault.azure.net/keys/test/12470ecff8ca47c69b5ef930d2b6e3e7",
"kty": "RSA",
"n": "hLznQVEKI+tBLtzcuBM2KvLUw3HefzIja/E0K+Twj82f/MCupEo1dlTT9BT6k8N1hHFaM7x5A5M3+pKTiYHhS3AnUt4XZyUzThk1m/f11mtJi5b+yx8EU4MiO/S740hUIxJc2OOqA0CJYYcTSQHK+gY9iRa+6VWZudFBBXVN+Ah+XIIIMWaZO+yyJ41CKmSh8uKHtKlFEXcMjxR6Gx8P7cq83jJSp1GPK1Kda9GB8X3zsolBFl6IS+wNglf0rlCwdYJPtllGnVFAPbnfbVlzU6y93Lh7zSiPjrbS4D6RovmHy9czcOd0QYnLAJt/ozvk5VDNvfMl2NqaTpMSbE4ZlQ==",
"p": null,
"q": null,
"qi": null,
"t": null,
"x": null,
"y": null
},
"managed": null,
"tags": null
}
billowy-army-68599
05/08/2020, 4:19 PM
ancient-megabyte-79588
05/08/2020, 4:40 PM
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"
Env Var
I've also generated file-based credentials and tried setting
$Env:AZURE_AUTH_LOCATION = "<auth file location here>"
billowy-army-68599
05/08/2020, 4:56 PM
ancient-megabyte-79588
05/08/2020, 5:58 PM
$Env:AZURE_KEYVAULT_AUTH_VIA_CLI = "true"
env var, it tries a different mechanism and eventually times out with the original error at the beginning of the thread even with the AZURE_AUTH_LOCATION
env var set.
error: secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://pulumi-test.vault.azure.net/keys/pulumi-secret//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
There are two //
in the URL for this second error
pulumi stack init dev --secrets-provider="azurekeyvault://pulumi-test.vault.azure.net/keys/pulumi-secret"
billowy-army-68599
05/08/2020, 7:58 PM
passphrase
isn't set like that, it's set like so --secrets-provider=passphrase
ancient-megabyte-79588
05/08/2020, 10:38 PM