# azure
l
When running locally I seem to be able to get my resource group name, however when running in GitHub Actions with managed identity I run into this error:

```
<ref *1> Error: invocation of azure-native:resources:getResourceGroup returned an error: request failed /subscriptions//resourcegroups/MyResourceGroup: ManagedIdentityCredential: failed to authenticate a system assigned identity. The endpoint responded with {"error":"invalid_request","error_description":"Identity not found"}
```
I have two subscriptions for different environments, Dev and Prod, with the same MyResourceGroup name. Could that be the issue? I double checked my Azure login and the subscription ID is correct for the Dev subscription. Code used to get the resource group:

```typescript
import { configDotenv } from "dotenv";
import * as pulumi from "@pulumi/pulumi";
import * as esc from "@pulumi/esc-sdk";

import { web, resources, storage } from "@pulumi/azure-native";
...
const resourceGroup = await resources.getResourceGroup({
  resourceGroupName: "MyResourceGroup",
});
...
```
Added the ARM_SUBSCRIPTION_ID but now getting:

```
ManagedIdentityCredential authentication failed. the requested identity isn't assigned to this resource
```

Weird, as the identity has the Contributor role for the resource group.
m
Can you share your configuration file (without the real sensitive values) and your pipeline? Does it work with OpenID Connect?
l
```yaml
name: Infrastructure Deployment
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
      pulumi-stack:
        required: true
        type: string
      pulumi-environment:
        required: true
        type: string
      infra-path:
        required: true
        type: string
    secrets:
      AZURE_CLIENT_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_SUBSCRIPTION_ID:
        required: true
      PULUMI_ACCESS_TOKEN:
        required: true
jobs:
  pulumi:
    name: Infrastructure
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    environment: ${{ inputs.environment }}
    env:
      NODE_OPTIONS: "--max-old-space-size=4096"
      PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
      PULUMI_ENV: ${{ inputs.pulumi-environment }}
      ARM_USE_MSI: true
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    steps:
      - name: touch .env file
        run: |
          # Create a .env file to ensure it exists
          echo "Creating .env file"
          touch .env
          echo "PULUMI_ACCESS_TOKEN=${{ secrets.PULUMI_ACCESS_TOKEN }}" >> .env
          echo "PULUMI_ENV=${{ inputs.pulumi-environment }}" >> .env
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version-file: ".nvmrc"
          cache: "pnpm"
      - name: Install dependencies
        run: pnpm install
      - name: Azure Login
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Setup Pulumi
        uses: pulumi/actions@v5
        with:
          command: "up"
          stack-name: ${{ inputs.pulumi-stack }}
          work-dir: ${{ inputs.infra-path }}
      - name: Clean .env file
        run: |
          # Remove the .env file after use
          echo "Cleaning up .env file"
          rm -f .env
```