better-shampoo-48884
03/14/2021, 2:16 PM
pulumi new azure-typescript --secrets-provider azurekeyvault://n00531.vault.azure.net/keys/pulumi-secrets --logflow --logtostderr --verbose 9
Results in a typical flow, and I have created the key "pulumi-secrets", and the KeyVault was created by a stack (with local secrets and backend), but trying to set up a new stack like the command above results in this:
created stack 'sdfsf'
Sorry, could not create stack 'sdfsf': secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://(myvaultname).vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
I'm actually fairly curious as to where that IP for the refresh token is coming from... I've had no such problems running pulumi up just by being logged in by virtue of az cli...
(Edit: resolved - I did the hard work of doing everything except reading the last line of https://www.pulumi.com/docs/intro/concepts/secrets/#azure-key-vault where it tells me that if I want to use az cli auth with keyvault secrets I need to set AZURE_KEYVAULT_AUTH_VIA_CLI to true.)
"The default URL opener will use Dial, which gets default credentials from the environment, unless the AZURE_KEYVAULT_AUTH_VIA_CLI environment variable is set to true, in which case it uses DialUsingCLIAuth to get credentials from the "az" command line."
Thus, setting that environment variable on my machine made everything happy. Should we perhaps update docs with this info?