04/19/2021, 12:56 AM
I'm running an Azure DevOps pipeline and am getting an issue related to Pulumi not finding my stack, which I keep in blob storage. Below is the result from running my diagnosis bash script:

+ pulumi login --cloud-url azblob://{redacted}
Logged in to {redacted} as vsts (azblob://{redacted})
+ pulumi whoami
vsts
+ pulumi stack ls
NAME    LAST UPDATE    RESOURCE COUNT
2021-04-19T00:43:47.2541639Z + pulumi stack select {mystack-redacted}
2021-04-19T00:43:47.2550943Z error: constructing secrets manager of type "cloud": open keeper azurekeyvault://{redacted}{redacted}/{redacted}: failed to Dial default KeyVault: failed to get oauth token from certificate auth: failed to decode pkcs12 certificate while creating spt: pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2

So, I use a service principal and a certificate with password. Now, I know that the stack {mystack-redacted} exists in my Azure blob storage Pulumi state. I can access it from my local machine as myself (fcavaco)... As DevOps runs as vsts for the user, I am not sure whether that is the reason why Pulumi fails to find the state file...?!

Check below the script I am using to try and diagnose what's going on:

export AZURE_KEYVAULT_AUTH_VIA_CLI=false
export RESOURCE_GROUP_NAME=$(PULUMISTORAGEACCOUNTRESOURCEGROUP)
export AZURE_STORAGE_ACCOUNT=${AZURE_STORAGE_ACCOUNT}
export AZURE_STORAGE_KEY=${AZURE_STORAGE_KEY}
export ARM_SUBSCRIPTION_ID=${SUBSCRIPTION_ID}
export ARM_CLIENT_ID=${servicePrincipalId}
export ARM_CLIENT_CERTIFICATE_PATH='./cert.pfx'
export ARM_CLIENT_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD)
export ARM_TENANT_ID=${tenantId}
export AZURE_CLIENT_ID=${servicePrincipalId}
export AZURE_CERTIFICATE_PATH='./cert.pfx'
export AZURE_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD)
export AZURE_TENANT_ID=${tenantId}
export AZURE_SUBSCRIPTION_ID=${SUBSCRIPTION_ID}
export STORAGE_CONTAINER_NAME=$(PULUMISTORAGECONTAINERNAME)
az account show  # this does return the expected principal id
echo "##vso[task.prependpath]/home/vsts/.pulumi/bin"
pulumi login --cloud-url "azblob://${STORAGE_CONTAINER_NAME}" --cwd $PWD
pulumi whoami
pulumi stack ls
pulumi stack select ${{ variables.pulumi_stack }}
pulumi preview --diff -d --cwd $PWD

What am I doing wrong? Or missing? Any help will be much appreciated. Francisco


04/19/2021, 2:56 AM
if you're using
needs to be set to


04/19/2021, 8:50 AM
@billowy-army-68599 that goes against what's written in all the Pulumi content I have seen? Locally, if I log in via a service principal in the az client, when it is set to true it will complain that it cannot do so as a service principal user...?! But I will try and come back to this... thanks.
@billowy-army-68599 it seems it is now getting the stack and listing them, but on preview it is asking for the Pulumi passphrase... which seems not to be wired to the Key Vault as the secrets provider?! error: getting secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables