creamy-fall-88031
03/09/2022, 9:02 PM
name: Pulumi
on:
  push:
    branches:
      - main
permissions:
  id-token: write
  contents: read
jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 14.x
      - name: 'Azure login via CLI (Federated access)'
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - run: npm install
      - uses: pulumi/actions@v3
        with:
          command: up
          stack-name: dev
          cloud-url: azblob://state
        env:
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
          AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
          AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
          AZURE_KEYVAULT_AUTH_VIA_CLI: true
The azure/login@v1 action finishes without any issues, but pulumi/actions@v3 fails with the following error:
failed with an unhandled exception:
azure-native:resources:ResourceGroup aks-test error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
billowy-army-68599
creamy-fall-88031
03/09/2022, 9:22 PM
uses: azure/login@v1
with:
  client-id: ${{ secrets.AZURE_CLIENT_ID }}
  tenant-id: ${{ secrets.AZURE_TENANT_ID }}
  subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
works.
This one fails:
- uses: pulumi/actions@v3
  with:
    command: up
    stack-name: dev
    cloud-url: azblob://state
  env:
    PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_CONFIG_PASSPHRASE }}
    AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
    AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
    AZURE_KEYVAULT_AUTH_VIA_CLI: true
billowy-army-68599
creamy-fall-88031
03/09/2022, 9:33 PM
AZURE_CLIENT_SECRET and/or ARM_CLIENT_SECRET. This is exactly what I am trying to avoid and what the tutorial you linked in your first reply suggests.
billowy-army-68599
go-cloud repo
creamy-fall-88031
03/16/2022, 8:12 AM
The azure/login@v1 action works without any issues, just as you described in your tutorial, but the actual deployment via pulumi/actions@v3 always fails when deploying via OIDC.
At this point I had to return to service principal authentication and store the secret at GitHub.