wet-noon-14291
10/15/2020, 10:54 AM
`az cli` using service principal X since that is what will be used on the CI server to access blob storage and key vault for secrets.
* In my `Pulumi.Dev.yaml` I have service principal Y defined with `pulumi config set azure:clientId`
Now when I try to run `pulumi up` I would expect X to be used to store state in blob storage as well as dealing with secrets, but service principal Y to be used when creating the resources on Azure. However, `pulumi up` fails with the message that X doesn't have access to the resource group I'm trying to import. X shouldn't have access, so that is ok, but why is X used when I run `pulumi up` and not Y since that is what I have defined in my stack config file?
tall-librarian-49374
10/15/2020, 11:59 AM
wet-noon-14291
10/15/2020, 1:25 PM
`--verbose 4/5/6/7` but not that much info. Like `pulumi up --verbose 5 -y -C <path> -s Dev`
tall-librarian-49374
10/15/2020, 1:35 PM
`pulumi up -v=9 --logtostderr --yes &> a.txt`
`Testing if Service Principal / Client Certificate is applicable for Authentication..`
there
wet-noon-14291
10/15/2020, 1:37 PM
`--logtostderr`
I1015 15:39:26.015322 16120 eventsink.go:62] eventSink::Debug(<{%reset%}>2020/10/15 15:39:26 Testing if Managed Service Identity is applicable for Authentication..<{%reset%}>)
I1015 15:39:26.018086 16120 eventsink.go:59] 2020/10/15 15:39:26 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
I1015 15:39:26.018520 16120 eventsink.go:62] eventSink::Debug(<{%reset%}>2020/10/15 15:39:26 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..<{%reset%}>)
I1015 15:39:26.019239 16120 eventsink.go:59] 2020/10/15 15:39:26 Using Obtaining a token from the Azure CLI for Authentication
I1015 15:39:26.019576 16120 eventsink.go:62] eventSink::Debug(<{%reset%}>2020/10/15 15:39:26 Using Obtaining a token from the Azure CLI for Authentication<{%reset%}>)
If I read this correctly it says that the CLI credentials are used.
tall-librarian-49374
10/15/2020, 1:43 PM
`Testing if Service Principal` ?
wet-noon-14291
10/15/2020, 1:45 PM
I1015 15:39:26.003867 16120 eventsink.go:59] 2020/10/15 15:39:26 Testing if Service Principal / Client Certificate is applicable for Authentication..
I1015 15:39:26.006003 16120 eventsink.go:62] eventSink::Debug(<{%reset%}>2020/10/15 15:39:26 Testing if Service Principal / Client Certificate is applicable for Authentication..<{%reset%}>)
I1015 15:39:26.005451 16120 step_executor.go:321] StepExecutor worker(-2): worker waiting for incoming chains
I1015 15:39:26.005478 16120 step_executor.go:321] StepExecutor worker(1): launching oneshot worker
I1015 15:39:26.007344 16120 step_executor.go:321] StepExecutor worker(1): applying step create on urn:pulumi:Dev::Elkjop.FinancialServices.Infrastructure::pulumi:providers:azure-nextgen::default_0_2_3_alpha_1602700498_177a671e (preview true)
I1015 15:39:26.007858 16120 step_executor.go:321] StepExecutor worker(1): step create on urn:pulumi:Dev::Elkjop.FinancialServices.Infrastructure::pulumi:providers:azure-nextgen::default_0_2_3_alpha_1602700498_177a671e retired
I1015 15:39:26.006941 16120 eventsink.go:59] 2020/10/15 15:39:26 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
Looks like it falls through to the next method
`Pulumi.Dev.yaml` isn't use...
secretsprovider: azurekeyvault://<secrets>
encryptedkey: <key>
config:
  azure:clientId: <clientid>
  azure:clientSecret:
    secure: <secret>
  azure:location: westeurope
  azure:subscriptionId: <sub>
  azure:tenantId: <tenant>
tall-librarian-49374
10/15/2020, 7:14 PM
`Dev` with the capital D? Wild guess - but could it be something about that?
wet-noon-14291
10/15/2020, 7:15 PM
`D`
tall-librarian-49374
10/15/2020, 7:25 PM
wet-noon-14291
10/15/2020, 7:31 PM
`azure:location` config wasn't read either since I had to provide a location in code... but might be mistaken on that one.
tall-librarian-49374
10/16/2020, 7:19 AM
`azure-nextgen` then `azure-nextgen:clientId`
wet-noon-14291
10/16/2020, 8:17 AM
tall-librarian-49374
10/16/2020, 1:54 PM
broad-dog-22463
10/16/2020, 1:56 PM
wet-noon-14291
10/16/2020, 2:02 PM
`pulumi up` on Azure devops where I have secrets in keyvault and using blob storage. I've read through the code and I don't understand why I don't go into this if
https://github.com/pulumi/pulumi/blob/eaac9280f5484f94213dbf54c9fd6f009d87db12/pkg/cmd/pulumi/crypto.go#L56
I definitely have a `secretsprovider` property in my yaml.
(the "official" task is not the answer for me because of reasons... but this shouldn't be too complicated to get working)
broad-dog-22463
10/16/2020, 2:03 PM
wet-noon-14291
10/16/2020, 2:04 PM
error: getting secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables
broad-dog-22463
10/16/2020, 2:09 PM
wet-noon-14291
10/16/2020, 2:15 PM
#!/bin/bash -e
# Usage: <script> Dev [Test] [Prod]
# Creates one Pulumi stack per argument and configures it with the
# service principal that get-ops-creds.sh returns for that environment.
if [ $# -eq 0 ]; then
  echo "No arguments provided. Arguments allowed: Dev, Test, Prod"
  exit 1
fi
stacks=("$@")
script_folder=$(dirname "$0")
get_creds="$script_folder/get-ops-creds.sh"
for i in "${stacks[@]}"
do
  # Stack names are lower-cased (Dev -> dev); the environment name is passed
  # to get-ops-creds.sh unchanged.
  stack=$(echo "$i" | tr '[:upper:]' '[:lower:]')
  echo "Configuring $stack"
  # get-ops-creds.sh prints a JSON object with the service principal for
  # this environment (read from a key vault); call it directly instead of
  # through eval so the argument is not re-split by the shell.
  credentials=$("$get_creds" "$i")
  client_id=$(echo "$credentials" | jq -r .serviceprincipalid)
  tenant_id=$(echo "$credentials" | jq -r .tenantid)
  client_secret=$(echo "$credentials" | jq -r .serviceprincipalkey)
  subscription_id=$(echo "$credentials" | jq -r .subscriptionid)
  pulumi stack init --secrets-provider="<azurekeyvault://elkds-pulumikv.vault.azure.net/keys/pulumisecrets>" "$stack"
  # The same service principal is configured for both the azure-nextgen and
  # the classic azure provider; the client secret is stored encrypted (--secret).
  pulumi config set azure-nextgen:clientId "$client_id" -s "$stack"
  pulumi config set azure-nextgen:clientSecret "$client_secret" --secret -s "$stack"
  pulumi config set azure-nextgen:tenantId "$tenant_id" -s "$stack"
  pulumi config set azure-nextgen:subscriptionId "$subscription_id" -s "$stack"
  pulumi config set azure-nextgen:location westeurope -s "$stack"
  pulumi config set azure:clientId "$client_id" -s "$stack"
  pulumi config set azure:clientSecret "$client_secret" --secret -s "$stack"
  pulumi config set azure:tenantId "$tenant_id" -s "$stack"
  pulumi config set azure:subscriptionId "$subscription_id" -s "$stack"
  pulumi config set azure:location westeurope -s "$stack"
  pulumi plugin install resource azure-nextgen v0.2.3-alpha.1602700498+177a671e
done
The `get-creds` script reads credentials from a keyvault.
`Pulumi.dev.yaml`:
secretsprovider: <azurekeyvault://keyvaultpath>
encryptedkey: <secret>
config:
  azure-nextgen:clientId: <clientid>
  azure-nextgen:clientSecret:
    secure: <secret>
  azure-nextgen:location: westeurope
  azure-nextgen:subscriptionId: <subid>
  azure-nextgen:tenantId: <tenantid>
  azure:clientId: <clientid>
  azure:clientSecret:
    secure: <secret>
  azure:location: westeurope
  azure:subscriptionId: <subid>
  azure:tenantId: <tenantid>
broad-dog-22463
10/16/2020, 2:17 PM
wet-noon-14291
10/16/2020, 2:18 PM
broad-dog-22463
10/16/2020, 2:23 PM
wet-noon-14291
10/16/2020, 2:25 PM
broad-dog-22463
10/16/2020, 6:39 PM
wet-noon-14291
10/16/2020, 6:45 PM
`git config core.ignorecase false`
)