# getting-started
c
Hi guys is it possible to deploy infra on Azure via Github Actions using OpenID Connect (federated identity access)? I would really like to avoid storing secrets in GitHub. This is the action file:
```yaml
name: Pulumi
on:
  push:
    branches:
      - main

# id-token: write is what lets the job request an OIDC token from GitHub
permissions:
  id-token: write
  contents: read

jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 14.x
      - name: 'Azure login via CLI (Federated access)'
        uses: azure/login@v1
        with:
          # no client secret: the federated credential on the app registration trusts the GitHub OIDC token
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: npm install
      - uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          # self-managed backend: state lives in an Azure Blob container
          cloud-url: azblob://state
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true
```
The action `azure/login@v1` finishes without any issues, but `pulumi/actions@v3` fails with the following error:
```text
failed with an unhandled exception:
azure-native:resources:ResourceGroup aks-test  error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
```
b
c
This is exactly the tutorial I was following. As I wrote, logging in with the GitHub Actions example from this tutorial has no issues. But once I extend it to actually deploy some Pulumi code, it fails with the error. So this part:
```yaml
      - uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```
works. This one fails:
```yaml
      - uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          cloud-url: azblob://state
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true
```
b
Are you using an OSS backend?
c
Self-managed; state should be saved in an Azure Blob file.
What they are suggesting is using a service principal and storing the secret in `AZURE_CLIENT_SECRET` and/or `ARM_CLIENT_SECRET`. This is exactly what I am trying to avoid, and what the tutorial you linked in your first reply suggests.
b
Okay, so auth'ing with OIDC means you're logged in as a service principal, example: https://github.com/jaxxstorm/secure-cloud-access/runs/4914761413?check_suite_focus=true#step:3:20 I'm not sure where the error is coming from, it should work.
But it's possible the error is being thrown by the `go-cloud` repo, which is what we use for OSS state storage.
c
Hi again. Thank you very much for trying to help me. I just figured out that you actually wrote the tutorial. 😄 So one more thing to thank you for. Just a small update. Although I've meddled with this issue for several days now, I was not able to make a successful deployment. The `azure/login@v1` action works without any issues, just as you described in your tutorial, but the actual deployment via `pulumi/actions@v3` always fails when deploying via OIDC. At this point I had to return to service principal authentication and store the secret in GitHub.