https://pulumi.com logo
Powered by
p

prehistoric-account-60014

12/20/2019, 10:22 PM
Can somebody help with debugging a 
400
status code from the CLI? I’m attempting to run:
Copy code
pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)
but all I’m seeing is:
Copy code
error: could not decrypt configuration value: [400] Message authentication failed
I was hoping 
--verbose=3
would help a bit but there isn’t any extra information compared to the non-verbose run.
w

white-balloon-205

12/20/2019, 10:23 PM
Are you copying stack configuration that includes secrets between different stacks? Secrets are encrypted with a per-stack key, so cannot be tranferred between stacks. (if this is the case, the error message there is clearly not good)
p

prehistoric-account-60014

12/20/2019, 10:26 PM
The error message when that happens is actually great! What I’m trying to do here is to copy the values from a “virtual” stack 
development
into a new stack on each merge request. Because 
Pulumi.development.yaml
can’t just be copied, because of how the encryption is unique per stack, I’m getting the config JSON so that I can loop through it and set it in the new stack. Here’s the snippet:
Copy code
function test_pulumi() {
    PULUMI_STACK=test
    CI_ENVIRONMENT_SLUG=development
    CI=true

    pulumi login

    pulumi stack init $PULUMI_STACK || true

    if [[ "$CI_ENVIRONMENT_SLUG" != "production" ]] || [[ "$CI_ENVIRONMENT_SLUG" != "staging" ]]; then
    json="$(pulumi config --verbose=3 --stack $PULUMI_STACK --config-file Pulumi.development.yaml --show-secrets --json)"
    keys="$(echo $json | jq -r 'keys[]')"

    for key in $(echo $keys | tr '\n' ' ')
    do
      pulumi config --stack "$PULUMI_STACK" set "$key" "$(echo $json | jq -r '.["'"$key"'"].value')" $(if [ "$(echo $json | jq -r '.["'"$key"'"].secret')" = "true" ]; then echo "--secret"; fi)
    done
  fi
I removed the line where I set the token before 
pulumi login
.
The function’s called 
test_pulumi
because I’m reproducing this stuff locally after getting the 
400
in CI. Getting the 
400
locally as well.
I can get this to work if I change 
--stack $PULUMI_STACK
to 
--stack development
in the line where I get the JSON and that would be fine for now. I was just wondering if it wasn’t supported to decrypt from a config file that’s different from the current stack? (I’m like 99% sure that’s the issue here)
Ok, I’m going to move on and just specify the stack as 
development
instead of specifying the configuration file. I was trying to avoid this before because I didn’t want to hardcode the development stack, but hardcoding 
Pulumi.development.yaml
is basically the exact same thing. I’m guessing that the server returns a 
400
because it’s using the encryption key of 
$PULUMI_STACK
but attempting to decrypt 
Pulumi.development.yaml
which belongs to another stack and that makes perfect sense. I guess the error message could be a bit clearer but it was definitely an erroneous setup on my end. I guess I didn’t need any help 😅
Thanks anyway @white-balloon-205!
w

white-balloon-205

12/20/2019, 10:41 PM
Yes - that explanation makes sense. Definitely unsure why the error message you are seeing is what bubbles up - we’ll look into it.
p

prehistoric-account-60014

12/20/2019, 10:47 PM
Awesome, thanks!
3 Views
Powered by