https://pulumi.com logo
#general
Title
# general
b

better-shampoo-48884

03/14/2021, 2:16 PM
In other news, I'm trying to set up my newly created KeyVault as a backend - seeing as this is more to do with standard pulumi features than the azure provider, I figured it might be appropriate here rather than the azure channel.. Running:
pulumi new azure-typescript --secrets-provider <azurekeyvault://n00531.vault.azure.net/keys/pulumi-secrets> --logflow --logtostderr --verbose 9
Results in a typical flow, and I have created the key "pulumi-secrets", and the KeyVault was created by a stack (with local secrets and backend), but trying to set up a new stack like the command above results in this:
Copy code
created stack 'sdfsf'
Sorry, could not create stack 'sdfsf': secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://(myvaultname).<http://vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0|vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get "<http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
I'm actually fairly curious as to where that IP for the refresh token is coming from.. I've had no such problems running
pulumi up
just by being logged in by virtue of az cli.. (Edit: resolved - I did the hard work of doing everything except reading the last line of https://www.pulumi.com/docs/intro/concepts/secrets/#azure-key-vault where it tells me that if I want to use az cli auth with keyvault secrets I need to set
AZURE_KEYVAULT_AUTH_VIA_CLI
to
true
.)
1
Essentially it seems to be doing https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http But I'm running this from my laptop.. which is definitely not a machine running in Azure.
Right - a bit of digging around figured it out. So this is the thing: • secrets backend for pulumi -> keyvault: https://github.com/pulumi/pulumi/blob/c20bdbe945df331447f64c6d629387ee70c781ba/pkg/secrets/cloud/manager.go#L26 • Found that at https://pkg.go.dev/gocloud.dev/secrets/azurekeyvault#hdr-URLs • That includes the instruction:
The default URL opener will use Dial, which gets default credentials from the environment, unless the AZURE_KEYVAULT_AUTH_VIA_CLI environment variable is set to true, in which case it uses DialUsingCLIAuth to get credentials from the "az" command line.
Thus, setting that environment variable on my machine made everything happy. Should we perhaps update docs with this info?
🙌 1
And, had I bothered to read the last line of documentation, I would even have seen that it actually said exactly that. Good job me. /closes fork
4 Views