https://pulumi.com logo
Title
b

bright-truck-37455

06/23/2021, 9:19 AM
Hey everyone, I'm running Pulumi in Azure Pipelines, using Google Cloud Storage as state backend. The code works fine when executed from the terminal, but in Azure I get errors:
/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi login gs://***-pulumi-state
Logged in to ado-agent-7f5785674-jk6mj as root (gs://***-pulumi-state)

/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi stack select base -c
error: failed to load checkpoint: blob (key ".pulumi/stacks/base.json") (code=Unknown): Get "<https://storage.googleapis.com/***-pulumi-state/.pulumi/stacks/base.json>": oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}

##[error]Failed to select the stack 'base'.
I saw a similar thread for a case where developer was using Azure Blob Storage and it turned out that he had to set some additional env vars, is this the same case here?
b

billowy-army-68599

06/23/2021, 9:22 AM
this looks like your service account doesn't have permission to your GCS bucket
how do you auth to GCS?
b

bright-truck-37455

06/23/2021, 9:24 AM
By activating service account
gcloud auth activate-service-account --key-file=$(authkey.secureFilePath)
It has role to read objects from Cloud Storage
Shouldn't the
pulumi login
command fail in case the permissions are bad?
b

billowy-army-68599

06/23/2021, 10:05 AM
yeah I agree, a quick google of "invalid grant" does throw a lot of google related issues, so it does feel like a google perm issue though
b

bright-truck-37455

06/23/2021, 12:51 PM
@billowy-army-68599 thanks, got it figured out - Pulumi wouldn't accept any authentication methods except env var 🙂