# pulumi-cloud
p
I am trying to get the Pulumi API container to work - it keeps crashing/restarting over and over. There is some issue where it doesn't have permission to create an encryption key inside of itself. I got it working last night on a Linux VM on my laptop at home, but this is all being done in a self-hosted, air-gapped environment. But I'm getting an error that says:
```
error loading OIDC key pairs: generating key: could not generate encrypted key: open /app/data/keys: permission denied
```
In the container I see the uid/gid is 2018:2018 but the keys folder is owned by 'nobody'. I tried setting my local ./keys folder to 2018:2018 as well.
```yaml
api:
    image: localhost/pulumi/service:latest
    ports:
      - "8080:8080"
    environment:
      # ... your existing environment variables
    volumes:
      - type: bind
        source: ${PWD}/keys
        target: /app/data/keys
        bind:
          create_host_path: false
```
This is basically how my volume is being created. Any help would be appreciated, this isn't in my usual lane.
l
Hey @proud-cat-47110, my initial thought is that the `/app/data/keys` doesn't have the right ownership. I couldn't quite follow which permissions you changed. You mentioned that the container uid/gid was 2018:2018 but that the "keys" folder was still 'nobody'. Is this the keys folder in the container `/app/data/keys`? If it is then I think changing the permissions of your local `./keys` wouldn't fix the issue. At some point you will need to have a step where you change the ownership of `/app/data/keys` on the container as part of the startup or something so that it can be accessed