
icy-football-94152

06/25/2021, 9:16 AM
Pulumi Day-2. I am experiencing an Azure 403 authorization exception when running my C# Pulumi Automation API program directly from the command line or as a debug run within Visual Studio; the 403 is thrown at the first resource access after stack.UpAsync(). The exception details indicate Pulumi is using the service principal config values I set up in code via stack.SetConfigAsync(). I suspect I have not copied the correct values from the Azure Dashboard, because there are some differences in terminology between the Azure dashboard and the following 4 config values I am providing in code: "azure-native:clientId", "azure-native:clientSecret", "azure-native:tenantId" and "azure-native:subscriptionId". Within the Dashboard the following values are available: Display name, Application (client) ID, Object ID, Directory (tenant) ID, Secret ID, Secret value, Subscription ID.

billowy-army-68599

06/25/2021, 9:17 AM

icy-football-94152

06/25/2021, 9:29 AM
Hmm, re the tenant ID, I used the value from the Azure Enterprise Application I set up via the dashboard. I do not recall giving the enterprise application authorization to access the Azure resource management APIs and just hoped this would cascade through from my main subscription. I will keep digging; I had assumed the first successful automation run would take a day to debug.
Some progress: I had to grant the Enterprise Application role=owner within the pre-existing ResourceGroup that should host the resources accessed during stack.UpAsync() in my automation code. This Microsoft doc describes how to assign roles within the Azure Dashboard: https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal After successfully creating a SQL Database, my automation function is now failing at a later stage because, for some reason, an additional resource group is being created and then removed on the next UpAsync() test run. I need to tame these spurious resource group creations and persuade Pulumi to work within a single existing resource group.

billowy-army-68599

06/25/2021, 12:39 PM
Can you share some of your code?

icy-football-94152

06/29/2021, 8:33 AM
@billowy-army-68599 Thanks for the offer to look at my code. I have resolved the problem myself: I had to add my automation program (Enterprise Application in Azure terminology) as an Access Control role assignment for my main Azure subscription. This was done via the Azure Portal. Previously I had done the same for the fixed, manually created resource group used for all my Pulumi Automation API deployments. This was a partial fix, but the broader Pulumi resource API queries, such as those issued by pulumi refresh, failed without the role assignment to the main subscription.