future-analyst-18745

11/28/2022, 12:02 AM
[Updates: see replies] Is there a better guide than this https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/ for Pulumi + GitHub Actions + Azure? If not, does this still work? I'm stuck
[Update: this does not work "error: Authenticating using the Azure CLI is only supported as a User (not a Service Principal)."] One difference so far:
      - name: Azure Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
[Update: encountered auth error] This worked:
name: Pulumi
on:
  push:
    branches:
      - main
jobs:
  update:
    name: Update
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: <path/to/go.mod>
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@v2
        with:
          go-version: 1.19.x
      - name: Azure Login
        uses: azure/login@v1
        with:
          creds: ${{ secrets.AZURE_CREDENTIALS }}
      - run: go mod download
      - uses: pulumi/actions@v3
        with:
          work-dir: <path/to/go.mod>
          command: up
          stack-name: org-name/stack-name # When using an individual account, only use stack-name.
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Side note: https://github.com/Azure/login#configure-a-service-principal-with-a-secret
Note: The above `az ad sp create-for-rbac` command will give you the `--sdk-auth` deprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this `--sdk-auth` flag, as the result dictionary output changes and is not accepted by the login action if `--sdk-auth` is not used.
Current problem:
Could not create application: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2022-11-28T16:57:29","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"c25989a6-dfb0-4e49-ad1a-0ce14dac8758"}}]
I found a solution... tl;dr
az role assignment create --assignee "servicePrincipalIdPlaceholder" --role "Owner" --subscription "subscriptionIdPlaceholder"
az rest --method post --uri https://graph.microsoft.com/v1.0/servicePrincipals/60b3f8d5-92c6-4f51-93f0-8d0f0825cf9d/appRoleAssignedTo --body '{ "principalId": "servicePrincipalIdPlaceholder", "resourceId": "subscriptionIdPlaceholder", "appRoleId": "1cda74f2-2616-4834-b122-5cb1b07f8a59" }'
az rest --method post --uri https://graph.microsoft.com/v1.0/servicePrincipals/60b3f8d5-92c6-4f51-93f0-8d0f0825cf9d/appRoleAssignedTo --body '{ "principalId": "servicePrincipalIdPlaceholder", "resourceId": "subscriptionIdPlaceholder", "appRoleId": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175" }'
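The `--sdk-auth` note above comes down to key names: plain `az ad sp create-for-rbac` output uses appId/password/tenant, while azure/login's `creds` secret expects clientId/clientSecret/subscriptionId/tenantId. The following is an added example (not from this thread, Pulumi or Azure) that converts the plain output into that shape and refuses incomplete input, so a malformed AZURE_CREDENTIALS secret fails before the workflow runs; the key names are an assumption based on the documentation of the time, and the sample SP output is constructed.

```python
import json

# Keys azure/login expects in its `creds` secret (assumption: the four
# fields documented for the action at the time of this thread).
LOGIN_KEYS = ("clientId", "clientSecret", "subscriptionId", "tenantId")

# Mapping from plain `az ad sp create-for-rbac` output (no --sdk-auth)
# to the azure/login field names. Assumption: appId/password/tenant.
_LEGACY_TO_LOGIN = {"appId": "clientId", "password": "clientSecret", "tenant": "tenantId"}


def to_login_creds(sp_output: str, subscription_id: str) -> dict:
    """Convert create-for-rbac JSON into the object azure/login accepts.

    Already --sdk-auth style input is passed through (extra endpoint URL
    fields dropped); plain output is renamed and subscriptionId added.
    """
    raw = json.loads(sp_output)
    if all(k in raw for k in LOGIN_KEYS):
        return {k: raw[k] for k in LOGIN_KEYS}
    creds = {_LEGACY_TO_LOGIN[k]: v for k, v in raw.items() if k in _LEGACY_TO_LOGIN}
    creds["subscriptionId"] = subscription_id
    missing = [k for k in LOGIN_KEYS if k not in creds]
    if missing:
        raise ValueError(f"credential JSON is missing {missing}")
    return creds


def redacted(creds: dict) -> dict:
    """Copy that is safe to print in CI logs: the client secret is masked."""
    return {k: ("***" if k == "clientSecret" else v) for k, v in creds.items()}


# Constructed sample of plain create-for-rbac output; all GUIDs are placeholders.
SAMPLE_SP_OUTPUT = json.dumps({
    "appId": "00000000-0000-0000-0000-000000000001",
    "displayName": "gh-actions-pulumi",
    "password": "constructed-secret",
    "tenant": "00000000-0000-0000-0000-0000000000aa",
})

if __name__ == "__main__":
    creds = to_login_creds(SAMPLE_SP_OUTPUT, "00000000-0000-0000-0000-0000000000ff")
    # Store json.dumps(creds) as the AZURE_CREDENTIALS secret; only print the masked copy.
    print(json.dumps(redacted(creds), indent=2))
```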