Can somebody help with debugging a `400` status code from th Pulumi Community #general

Join Slack

Can somebody help with debugging a `400` status co...

# general

prehistoric-account-60014

12/20/2019, 10:22 PM

Can somebody help with debugging a

status code from the CLI? I’m attempting to run:

Copy code

pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)

but all I’m seeing is:

Copy code

error: could not decrypt configuration value: [400] Message authentication failed

I was hoping

--verbose=3

would help a bit but there isn’t any extra information compared to the non-verbose run.

white-balloon-205

12/20/2019, 10:23 PM

Are you copying stack configuration that includes secrets between different stacks? Secrets are encrypted with a per-stack key, so cannot be tranferred between stacks. (if this is the case, the error message there is clearly not good)

prehistoric-account-60014

12/20/2019, 10:26 PM

The error message when that happens is actually great! What I’m trying to do here is to copy the values from a “virtual” stack

development

into a new stack on each merge request. Because

Pulumi.development.yaml

can’t just be copied, because of how the encryption is unique per stack, I’m getting the config JSON so that I can loop through it and set it in the new stack. Here’s the snippet:

Copy code

function test_pulumi() {
    PULUMI_STACK=test
    CI_ENVIRONMENT_SLUG=development
    CI=true

    pulumi login

    pulumi stack init $PULUMI_STACK || true

    if [[ "$CI_ENVIRONMENT_SLUG" != "production" ]] || [[ "$CI_ENVIRONMENT_SLUG" != "staging" ]]; then
    json="$(pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)"
    keys="$(echo $json | jq -r 'keys[]')"

    for key in $(echo $keys | tr '\n' ' ')
    do
      pulumi config --stack "$PULUMI_STACK" set "$key" "$(echo $json | jq -r '.["'"$key"'"].value')" $(if [ "$(echo $json | jq -r '.["'"$key"'"].secret')" = "true" ]; then echo "--secret"; fi)
    done
  fi

prehistoric-account-60014

12/20/2019, 10:26 PM

I removed the line where I set the token before

pulumi login

prehistoric-account-60014

12/20/2019, 10:28 PM

The function’s called

test_pulumi

because I’m reproducing this stuff locally after getting the

in CI. Getting the

locally as well.

prehistoric-account-60014

12/20/2019, 10:29 PM

I can get this to work if I change

--stack $PULUMI_STACK

--stack development

in the line where I get the JSON and that would be fine for now. I was just wondering if it wasn’t supported to decrypt from a config file that’s different from the current stack? (I’m like 99% sure that’s the issue here)

prehistoric-account-60014

12/20/2019, 10:34 PM

Ok, I’m going to move on and just specify the stack as

development

instead of specifying the configuration file. I was trying to avoid this before because I didn’t want to hardcode the development stack, but hardcoding

Pulumi.development.yaml

is basically the exact same thing. I’m guessing that the server returns a

because it’s using the encryption key of

$PULUMI_STACK

but attempting to decrypt

Pulumi.development.yaml

which belongs to another stack and that makes perfect sense. I guess the error message could be a bit clearer but it was definitely an erroneous setup on my end. I guess I didn’t need any help 😅

prehistoric-account-60014

12/20/2019, 10:35 PM

Thanks anyway @white-balloon-205!

white-balloon-205

12/20/2019, 10:41 PM

Yes - that explanation makes sense. Definitely unsure why the error message you are seeing is what bubbles up - we’ll look into it.

prehistoric-account-60014

12/20/2019, 10:47 PM

Awesome, thanks!

5 Views

Open in Slack

Previous Next