I'm running an Azure DevOps pipeline.
And am getting an issue related to Pulumi not finding my stack, which I keep in blob storage.
Below is the result from running my diagnosis bash script.
+ pulumi login --cloud-url azblob://{redacted}
Logged in to {redacted} as vsts (azblob://{redacted})
+ pulumi whoami
vsts
+ pulumi stack ls
NAME LAST UPDATE RESOURCE COUNT
2021-04-19T00:43:47.2541639Z + pulumi stack select {mystack-redacted}
2021-04-19T00:43:47.2550943Z error: constructing secrets manager of type "cloud": open keeper azurekeyvault://{redacted}.vault.azure.net/keys/{redacted}/{redacted}: failed to Dial default KeyVault: failed to get oauth token from certificate auth: failed to decode pkcs12 certificate while creating spt: pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2
So, I use a service principal and a certificate with a password.
Now, I know that the stack {mystack-redacted} exists in my Azure blob storage Pulumi state.
I can access it from my local machine as myself (fcavaco)...
As DevOps runs as the vsts user, I am not sure whether that is the reason why Pulumi fails to find the state file...?!
Check below the script I am using to try and diagnose what's going on:
export AZURE_KEYVAULT_AUTH_VIA_CLI=false;
export RESOURCE_GROUP_NAME=$(PULUMISTORAGEACCOUNTRESOURCEGROUP)
export AZURE_STORAGE_ACCOUNT=${AZURE_STORAGE_ACCOUNT}
export AZURE_STORAGE_KEY=${AZURE_STORAGE_KEY}
export ARM_SUBSCRIPTION_ID=${SUBSCRIPTION_ID}
export ARM_CLIENT_ID=${servicePrincipalId}
export ARM_CLIENT_CERTIFICATE_PATH='./cert.pfx'
export ARM_CLIENT_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD)
export ARM_TENANT_ID=${tenantId}
export AZURE_CLIENT_ID=${servicePrincipalId}
export AZURE_CERTIFICATE_PATH='./cert.pfx'
export AZURE_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD)
export AZURE_TENANT_ID=${tenantId}
export AZURE_SUBSCRIPTION_ID=${SUBSCRIPTION_ID}
export STORAGE_CONTAINER_NAME=$(PULUMISTORAGECONTAINERNAME)
az account show #this does return expected principal id.
echo "##vso[task.prependpath]/home/vsts/.pulumi/bin"
pulumi login --cloud-url "azblob://${STORAGE_CONTAINER_NAME}" --cwd $PWD ;
pulumi whoami
pulumi stack ls
pulumi stack select ${{ variables.pulumi_stack }}
pulumi preview --diff -d --cwd $PWD
What am I doing wrong, or missing?
Any help will be much appreciated.
Francisco
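The error above is not about the blob-storage state at all: it is raised while Pulumi opens the Key Vault secrets provider, when it tries to parse the file at ARM_CLIENT_CERTIFICATE_PATH / AZURE_CERTIFICATE_PATH as PKCS#12. Go's asn1 parser says it expected universal tag 16 (SEQUENCE, the first element of any DER PKCS#12 file, identifier byte 0x30) but found class 1 (application) tag 13, whose identifier byte is 0x4D, the ASCII letter "M". That is what the first character of a base64-encoded DER blob looks like, so a practitioner's first check is what the bytes in cert.pfx actually are. The script below is an added diagnostic example, not code from the original post or from Pulumi; it rebuilds the identifier octet the error reports and classifies a candidate .pfx file as raw DER, PEM text, base64-encoded DER, or unknown. File names and the minimal DER sample in the demo are constructed for illustration.

```python
# Added diagnostic example (not from the original post or from Pulumi):
# classify what actually sits in the file passed as ARM_CLIENT_CERTIFICATE_PATH /
# AZURE_CERTIFICATE_PATH, and decode the ASN.1 identifier the error complains about.
import base64
import binascii
import os
import tempfile

# ASN.1 class numbers as Go's encoding/asn1 reports them in "tags don't match".
ASN1_CLASSES = {0: "universal", 1: "application", 2: "context-specific", 3: "private"}
DER_SEQUENCE = 0x30  # universal, constructed, tag 16: the first byte of any PKCS#12 PFX


def asn1_identifier_octet(cls: int, constructed: bool, tag: int) -> int:
    """Rebuild the identifier octet from (class, constructed, tag); low-tag-number form only."""
    if not (0 <= cls <= 3 and 0 <= tag < 31):
        raise ValueError("only low-tag-number form (tag < 31) is handled")
    return (cls << 6) | (0x20 if constructed else 0) | tag


def describe_identifier_octet(octet: int) -> str:
    """Human-readable form of an identifier octet, e.g. 0x4D -> application primitive tag 13."""
    cls = ASN1_CLASSES[octet >> 6]
    tag = octet & 0x1F
    kind = "constructed" if octet & 0x20 else "primitive"
    ascii_note = f", ASCII {chr(octet)!r}" if 0x20 <= octet < 0x7F else ""
    return f"{cls} {kind} tag {tag}{ascii_note}"


def classify_pfx_bytes(data: bytes) -> str:
    """Guess what a would-be .pfx file contains.

    Returns one of: 'empty', 'der-pkcs12', 'pem-text', 'base64-der', 'unknown'.
    A real PKCS#12 file is DER and starts with a SEQUENCE (0x30); a base64
    rendering of the same bytes starts with 'M' (0x4D), which is exactly the
    'application tag 13' octet that Go's asn1 parser reports in the error.
    """
    if not data:
        return "empty"
    if data[0] == DER_SEQUENCE:
        return "der-pkcs12"
    text = data.strip()
    if text.startswith(b"-----BEGIN"):
        return "pem-text"
    try:
        # Join wrapped lines first: a base64 dump is often 64 or 76 chars per line.
        decoded = base64.b64decode(b"".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if decoded[:1] == bytes([DER_SEQUENCE]):
        return "base64-der"
    return "unknown"


def classify_pfx_file(path: str) -> str:
    """Classify a file on disk; the first few KiB are enough to decide."""
    with open(path, "rb") as fh:
        return classify_pfx_bytes(fh.read(4096))


def _demo() -> None:
    # Constructed sample: a minimal DER SEQUENCE stands in for a real PFX body.
    fake_der = bytes([DER_SEQUENCE, 0x03, 0x02, 0x01, 0x00])
    with tempfile.TemporaryDirectory() as tmp:
        raw_path = os.path.join(tmp, "cert.pfx")          # hypothetical file name
        b64_path = os.path.join(tmp, "cert_b64.pfx")      # hypothetical file name
        with open(raw_path, "wb") as fh:
            fh.write(fake_der)
        with open(b64_path, "wb") as fh:
            fh.write(base64.b64encode(fake_der) + b"\n")
        for p in (raw_path, b64_path):
            print(f"{os.path.basename(p)}: {classify_pfx_file(p)}")
    # The octet behind "class:1 tag:13" in the pipeline's error message.
    octet = asn1_identifier_octet(1, False, 13)
    print(f"unexpected identifier octet 0x{octet:02X}: {describe_identifier_octet(octet)}")


if __name__ == "__main__":
    _demo()
```

Run it against the cert.pfx the pipeline writes to disk (`classify_pfx_file("./cert.pfx")`): "der-pkcs12" means the file itself is fine and the problem lies elsewhere (wrong password, wrong principal), while "base64-der" or "pem-text" means the bytes handed to the certificate loader are a text rendering of the certificate rather than the PKCS#12 blob it expects, which is the one condition that produces exactly the "16 vs class:1 tag:13" mismatch shown above.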