Channels
#general
Title
# general
d
damp-honey-93158
04/13/2022, 4:25 PMHi, I'm trying to get pulumi to build a docker image and then publish it to my newly created (in the same stack) ACR instance. The ACR has AdminUserEnable = true, and I figured I might be able to use the code in the pulumi docs (https://www.pulumi.com/blog/build-publish-containers-iac/) to get the credentials, then tag/publish the image. However, when I deploy I get this Diagnostics:
pulumipulumiStack (traffic-app-basic):
error: Running program 'G:\src\aks-pulumi\infrastructure\bin\Debug\netcoreapp3.1\infrastructure.dll' failed with an unhandled exception:
Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-nativecontainerregistrygetRegistryCredentials returned an error: request failed /subscriptions/50d3206e-7317-4bce-b8ac-34ac81
4fd0f5/resourceGroups/aksrg-basic9f0f894e/providers/Microsoft.ContainerRegistry/registries/registrybasic303721fe/getCredentials: autorest/azure: Service returned an error. Status=400 Code="NoRegisteredProviderFou
nd" Message="No registered resource provider found for location 'switzerlandnorth' and API version '2016-06-27-preview' for type 'registries/GetCredentials'. The supported api-versions are '2016-06-27-preview'. T
he supported locations are 'westus, eastus, southcentralus, westeurope'."")
at async Task<InvokeResponse> Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
at async Task<SerializationResult> Pulumi.Deployment.InvokeRawAsync(string token, SerializationResult argsSerializationResult, InvokeOptions options)
at async Task<OutputData<T>> Pulumi.Deployment.RawInvoke<T>(string token, InvokeArgs args, InvokeOptions options)
at async Task<OutputData<U>> Pulumi.Output<T>.ApplyHelperAsync<U>(Task<OutputData<T>> dataTask, Func<T, Output<U>> func)
a
able-train-72108
04/13/2022, 8:15 PMI tried that too and the API was not available in my region (Canada), so what I did (in the CI) is that I run `docker login <name of my registry>.azurecr.io -u <service principal id that has push write on the registry> -p <service principal password>`then I don't have to get the credentials from the registry and the push can be pushed because docker daemon is logged in to ACR.
Locally, I only do
az acr login -n <name of my registry>🙏 1
d
damp-honey-93158
04/14/2022, 7:59 AMI'll give that a shot - I thought that is what the DockerBuild object was trying to do (as I changed over to service principals), but that fails as well. How did you get the SP password out of pulumi, its marked as a secret so unless I make an output and then use pulumi output "myspnpass" --show-secrets not sure how i would get that.
a
able-train-72108
04/14/2022, 3:06 PMIt is a service principal that I created with
az ad spbut if you create a SP with pulumi you can manage the password and the role assignment:
Copy code
// Create an AD service principal
var adApp = new Application("aks", new ApplicationArgs
{
DisplayName = "aks"
});
this.AdApplication = adApp.ApplicationId;
var adSp = new ServicePrincipal("aksSp", new ServicePrincipalArgs
{
ApplicationId = adApp.ApplicationId
});
// Create the Service Principal Password
var adSpPassword = new ServicePrincipalPassword("aksSpPassword", new ServicePrincipalPasswordArgs
{
ServicePrincipalId = adSp.Id
});
this.AdPassword = adSpPassword.Value;
_ = new AzureNative.Authorization.RoleAssignment("roleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
{
PrincipalId = adSp.Id,
PrincipalType = "ServicePrincipal",
RoleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
Scope = "/subscriptions/<subscription id>/resourceGroups/<rg of the acr>/providers/Microsoft.ContainerRegistry/registries/<acr name>",
});👍 1
7 Views