Hi #getting-started, trying to get started with pulumi + github actions. Using azure-native, and a service principal to login, I am hitting this error:

azure-native:resources:ResourceGroup (resourceGroup):
      error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
      
  
      To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
      auth method - instructions for which can be found here:
      
      Alternatively you can authenticate using the Azure CLI by using a User Account.

azure/login was successful. Where are the "separate 'Authenticate using a Service Principal' auth method - instructions"? Is there a way or a workaround to use pulumi with azure authenticated using a service principal?

@flaky-school-82490 I hit similar Azure authentication messages as you have when I switched to using the automation api from my free standing Pulumi deployment program. I had previously done successful deployments when running Pulumi UP in CLI mode. There are plenty of examples of how to establish an authenticated CLI session based on a user login. When running a standalone Pulumi automation program I had to poke 4 authentication config values into a newly created workspace in my code to authenticate my program with Azure. The twists & turns of this experience can be read in my thread here starting a week ago.

Thanks for the pointer @icy-football-94152. I am not sure I am 100% following what is happening on that thread and how it could relate to my issue. I am not using the automation API nor am I getting any errors (403 or 401) from Azure. Just to be clear I have no issues logging into azure using a Service Principal or User credentials. The issue is the pulumi cli not supporting Service Principal credentials. Maybe @tall-librarian-49374 or @billowy-army-68599 would have some pointers on best course of action.

how are you setting your creds at the moment?

We do not support authenticating with a SP via az CLI, you have to setup your env variables for that.

Thanks @tall-librarian-49374, I had missed that part of the doc. Am I right in assuming that I need to install the pulumi cli on my github action worker for this to work? I do not see "config" in the list of the supported commands for pulumi/actions@v3: https://github.com/pulumi/actions#configuration

Check out https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/

@tall-librarian-49374 yes, that's the example I used to get setup. It shows how to configure aws creds using aws-actions/configure-aws-credentials@v1. My stack is azure. I a able to az login successfully with service principal creds. I do not know how to configure pulumi to use the service principal, namely run:

pulumi config set azure-native:clientId <clientID>
pulumi config set azure-native:clientSecret <clientSecret> --secret
pulumi config set azure-native:tenantId <tenantID>
pulumi config set azure-native:subscriptionId <subscriptionID>

in github actions without having to install the pulumi cli on the worker...

You could also set them in env variables

I have set

ARM_CLIENT_ID

, 

ARM_CLIENT_SECRET

, 

ARM_TENANT_ID

, and 

ARM_SUBSCRIPTION_ID

as env variables (Actions secrets). How do I feed them to pulumi in a github action?

@flaky-school-82490 you don't need to run them inside the GitHub action, you run them locally and they get set in your stack configuration, which means they're inside your git repo. If that's not suitable, you can set them as env vars as Mikhail said: https://www.pulumi.com/docs/intro/cloud-providers/azure/#configuration To feed them to the action, you'd do something like this:

- uses: pulumi/actions@v3
        with:
          command: preview
          stack-name: dev
        env:
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}

Cool @billowy-army-68599, I was missing the

env:
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}

part. Will try that right away.