I’m trying to create ACR tokens (preview feature) and generate them passwords I’m getting this error:

pulumi:pulumi:Stack wiz-diskanalyzer-dev_aws_7b976757-b010-44f5-be1b-aa4153b86dbe_global_bootstrap running
 ~  pulumi:providers:azure-native wiz-azure updating [diff: ~clientSecret]
 ~  pulumi:providers:azure-native wiz-azure updated
 +  azure-native:containerregistry/v20201101preview:Token acr-token creating
 +  azure-native:containerregistry/v20201101preview:Token acr-token creating error: Code="PasswordCannotBeAdded" Message="New passwords can be added only through 'generateCredentials'. For more information on repository permissions, please visit <https://aka.ms/acr/repo-permissions>."
 +  azure-native:containerregistry/v20201101preview:Token acr-token **creating failed** error: Code="PasswordCannotBeAdded" Message="New passwords can be added only through 'generateCredentials'. For more information on repository permissions, please visit <https://aka.ms/acr/repo-permissions>."
    pulumi:pulumi:Stack wiz-diskanalyzer-dev_aws_7b976757-b010-44f5-be1b-aa4153b86dbe_global_bootstrap running error: update failed
    pulumi:pulumi:Stack wiz-diskanalyzer-dev_aws_7b976757-b010-44f5-be1b-aa4153b86dbe_global_bootstrap **failed** 1 error

Diagnostics:
  pulumi:pulumi:Stack (wiz-diskanalyzer-dev_aws_7b976757-b010-44f5-be1b-aa4153b86dbe_global_bootstrap):
    error: update failed

  azure-native:containerregistry/v20201101preview:Token (acr-token):
    error: Code="PasswordCannotBeAdded" Message="New passwords can be added only through 'generateCredentials'. For more information on repository permissions, please visit <https://aka.ms/acr/repo-permissions>."

My creation code looks like this:

token, err := acr.NewToken(ctx, "acr-token", &acr.TokenArgs{
		Credentials: &acr.TokenCredentialsPropertiesArgs{
			Passwords: acr.TokenPasswordArray{
				acr.TokenPasswordArgs{
					Name: pulumi.String("password1"),
				},
				acr.TokenPasswordArgs{
					Name: pulumi.String("password2"),
				},
			}},
		RegistryName:      pulumi.String(parsedID.ResourceName),
		ResourceGroupName: pulumi.String(parsedID.ResourceGroup),
		ScopeMapId: pulumi.String(
			fmt.Sprintf(
				"/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s/scopeMaps/_repositories_push",
				parsedID.SubscriptionID,
				parsedID.ResourceGroup,
				parsedID.ResourceName,
			)),
		TokenName: pulumi.String(fmt.Sprintf("wiz-%s", s.Outpost.GetId())), // must start with a letter
	}, pulumi.Provider(azureProvider))

I’m also not sure how pulumi will manage the passwords - they are returned only once when generated

I have no idea but the error suggests you shouldn’t specify passwords and they will be auto-generated?

they are not generated, even if I generate them externally they are deleted if I run the stack again

If it’s returned, it will be saved in the resource outputs

The CLI is doing two requests, one to create the token object and another one to generate the credentials

So, you likely need to do the same (one resource and one extra request)

The thing is the go SDK doesn’t have an api for that (probably because it’s in preview), I can do the HTTP request myself but I was hoping pulumi would be able to simplify things for me

It’s not about preview… generateCredentials is a POST request, we don’t map POSTs to resources (because there’s no get/update/delete for them): https://github.com/Azure/azure-rest-api-specs/blob/master/specification/containerr[…]ainerRegistry/preview/2020-11-01-preview/containerregistry.json