This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

04/13/2022, 4:25 PM

This message was deleted.

able-train-72108

04/13/2022, 8:15 PM

I tried that too and the API was not available in my region (Canada), so what I did (in the CI) is that I run `docker login <name of my registry>.azurecr.io -u <service principal id that has push write on the registry> -p <service principal password>`then I don't have to get the credentials from the registry and the push can be pushed because docker daemon is logged in to ACR. Locally, I only do

az acr login -n <name of my registry>

and then run pulumi up and because I have push writes to the registry, the image is pushed to the registry

🙏 1

damp-honey-93158

04/14/2022, 7:59 AM

I'll give that a shot - I thought that is what the DockerBuild object was trying to do (as I changed over to service principals), but that fails as well. How did you get the SP password out of pulumi, its marked as a secret so unless I make an output and then use pulumi output "myspnpass" --show-secrets not sure how i would get that.

able-train-72108

04/14/2022, 3:06 PM

It is a service principal that I created with

az ad sp

which is used in my CI pipeline.

able-train-72108

04/14/2022, 3:09 PM

but if you create a SP with pulumi you can manage the password and the role assignment:

Copy code

// Create an AD service principal
        var adApp = new Application("aks", new ApplicationArgs
        {
           DisplayName = "aks"
        });
        this.AdApplication = adApp.ApplicationId;

        var adSp = new ServicePrincipal("aksSp", new ServicePrincipalArgs
        {
            ApplicationId = adApp.ApplicationId
        });

        // Create the Service Principal Password
        var adSpPassword = new ServicePrincipalPassword("aksSpPassword", new ServicePrincipalPasswordArgs
        {
            ServicePrincipalId = adSp.Id
        });
        this.AdPassword = adSpPassword.Value;

        _ = new AzureNative.Authorization.RoleAssignment("roleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
        {
            PrincipalId = adSp.Id,
            PrincipalType = "ServicePrincipal",
            RoleDefinitionId = "/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec",
            Scope = "/subscriptions/<subscription id>/resourceGroups/<rg of the acr>/providers/Microsoft.ContainerRegistry/registries/<acr name>",
        });

👍 1

16 Views

Open in Slack

Previous Next