flaky-school-82490

07/01/2021, 7:49 AM
Hi #getting-started, trying to get started with pulumi + github actions. Using azure-native, and a service principal to login, I am hitting this error:
azure-native:resources:ResourceGroup (resourceGroup):
      error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
      
  
      To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
      auth method - instructions for which can be found here:
      
      Alternatively you can authenticate using the Azure CLI by using a User Account.
azure/login was successful. Where are the "separate 'Authenticate using a Service Principal' auth method - instructions"? Is there a way or a workaround to use pulumi with azure authenticated using a service principal?
It does not look like azure/login action supports User login (https://github.com/Azure/login/blob/master/src/main.ts#L102).

icy-football-94152

07/01/2021, 10:52 AM
@flaky-school-82490 I hit similar Azure authentication messages as you have when I switched to using the automation api from my free standing Pulumi deployment program. I had previously done successful deployments when running Pulumi UP in CLI mode. There are plenty of examples of how to establish an authenticated CLI session based on a user login. When running a standalone Pulumi automation program I had to poke 4 authentication config values into a newly created workspace in my code to authenticate my program with Azure. The twists & turns of this experience can be read in my thread here starting a week ago.

flaky-school-82490

07/01/2021, 1:00 PM
Thanks for the pointer @icy-football-94152. I am not sure I am 100% following what is happening on that thread and how it could relate to my issue. I am not using the automation API nor am I getting any errors (403 or 401) from Azure. Just to be clear I have no issues logging into azure using a Service Principal or User credentials. The issue is the pulumi cli not supporting Service Principal credentials. Maybe @tall-librarian-49374 or @billowy-army-68599 would have some pointers on best course of action.

billowy-army-68599

07/01/2021, 1:02 PM
how are you setting your creds at the moment?

tall-librarian-49374

07/01/2021, 1:14 PM
We do not support authenticating with a SP via az CLI, you have to set up your env variables for that.

flaky-school-82490

07/01/2021, 1:55 PM
Thanks @tall-librarian-49374, I had missed that part of the doc. Am I right in assuming that I need to install the pulumi cli on my github action worker for this to work? I do not see "config" in the list of the supported commands for pulumi/actions@v3: https://github.com/pulumi/actions#configuration
@billowy-army-68599 locally, I use the az cli. Remotely (on github actions), I use:
uses: azure/login@v1
with:
  creds: ${{ secrets.AZURE_CREDENTIALS }}

tall-librarian-49374

07/01/2021, 1:58 PM

flaky-school-82490

07/01/2021, 2:06 PM
@tall-librarian-49374 yes, that's the example I used to get set up. It shows how to configure aws creds using aws-actions/configure-aws-credentials@v1. My stack is azure. I am able to az login successfully with service principal creds. I do not know how to configure pulumi to use the service principal, namely run:
pulumi config set azure-native:clientId <clientID>
pulumi config set azure-native:clientSecret <clientSecret> --secret
pulumi config set azure-native:tenantId <tenantID>
pulumi config set azure-native:subscriptionId <subscriptionID>
in github actions without having to install the pulumi cli on the worker...

tall-librarian-49374

07/01/2021, 2:08 PM
You could also set them in env variables

flaky-school-82490

07/01/2021, 2:09 PM
I have set ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID as env variables (Actions secrets). How do I feed them to pulumi in a github action?

billowy-army-68599

07/01/2021, 2:10 PM
@flaky-school-82490 you don't need to run them inside the GitHub action, you run them locally and they get set in your stack configuration, which means they're inside your git repo. If that's not suitable, you can set them as env vars as Mikhail said: https://www.pulumi.com/docs/intro/cloud-providers/azure/#configuration To feed them to the action, you'd do something like this:
- uses: pulumi/actions@v3
  with:
    command: preview
    stack-name: dev
  env:
    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
👍 1

flaky-school-82490

07/01/2021, 2:12 PM
Cool @billowy-army-68599, I was missing the
env:
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
part. Will try that right away.
Thanks a lot @billowy-army-68599 @tall-librarian-49374! That worked!
🎉 1
Any thoughts on why AzureB2CTenant creation would work when running from a local pulumi cli, but not from github actions? Could it be related to authentication method? Getting this error:
Diagnostics:
    pulumi:pulumi:Stack (clarifi-cloud-demo-dev):
      error: update failed

    azure-native:azureactivedirectory:B2CTenant (b2cTenant):
      error: pollingTrackerBase#updateRawBody: failed to unmarshal response body: StatusCode=0 -- Original Error: invalid character 'Y' looking for beginning of value