acoustic-dress-83560
01/04/2023, 11:31 AM
`config-map` option in the Pulumi GitHub action?
I'm having trouble injecting secrets into it to create a new stack to access Azure with a `clientId`, `clientSecret` in the config.
In my action I have a YAML string similar to the following (I've shortened it a lot here):
```yaml
config-map: "{azure-native:location: {value: westeurope, secret: false}, azure-native:clientSecret: {value: ${{ secrets.AZURE_DETAILS.clientSecret }}, secret: true}, azure-native:tenantId: {value: my-guid, secret: false}}"
env:
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  ARM_CLIENT_ID: ${{ secrets.AZURE_DETAILS.clientId }}
  ARM_CLIENT_SECRET: ${{ secrets.AZURE_DETAILS.clientSecret }}
  ARM_TENANT_ID: ${{ secrets.AZURE_DETAILS.tenantId }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_DETAILS.subscriptionId }}
```
But I receive an error when the Pulumi step runs, suggesting I've used the wrong `clientSecret`:
```
azure-native:resources:ResourceGroup rg-myrg- creating (0s) error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://management.azure.com/subscriptions/my-subscription-id-guid/resourcegroups/rg-rg-myrg-a8fcf880?api-version=2019-05-01>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: ***"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'my-app-guid'.\r\nTrace ID: 8d13de75-afd6-492a-8c0a-aea6ed140801\r\nCorrelation ID: b8fd878d-cbc3-46cf-a1ac-24607590db62\r\nTimestamp: 2023-01-04 11:22:21Z","error_codes":[7000215],"timestamp":"2023-01-04 11:22:21Z","trace_id":"8d13de75-afd6-492a-8c0a-aea6ed140801","correlation_id":"b8fd878d-cbc3-46cf-a1ac-24607590db62","error_uri":"<https://login.microsoftonline.com/error?code=7000215>"*** Endpoint <https://login.microsoftonline.com/my-tenant-id-guid/oauth2/token?api-version=1.0>
```
If I run the action without `config-map` and just target an existing stack, I can update and destroy the stack just fine. The credentials I'm using are the same in the config and in the env; they are from the same GitHub secret.
It seems that GitHub secrets are not injected properly into the `config-map` YAML string, using the syntax I am. Though, no syntax is shown in the description and I can't find any examples.

echoing-dinner-19531
01/04/2023, 11:56 AM

acoustic-dress-83560
01/04/2023, 12:09 PM
`config-map` string, which "seems" to get me a little further. I'm going to play around a bit more with it after lunch and will update on here!

echoing-dinner-19531
01/04/2023, 12:26 PM
`${{ secrets.AZURE_DETAILS.clientSecret }}` to `"secret"` or just `secret`, and you'd need the former if it's in JSON style.

acoustic-dress-83560
01/04/2023, 1:13 PM
```
Diagnostics:
  azure-native:resources:ResourceGroup (rg-myrg-):
    error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
```

echoing-dinner-19531
01/04/2023, 3:36 PM

acoustic-dress-83560
01/04/2023, 4:09 PM
```yaml
- name: Deploy with pulumi
  uses: pulumi/actions@v3
  with:
    command: preview
    stack-name: dev
    work-dir: infra
    config-map: "{
      azure-native:clientId: {value: '${{ secrets.AZURE_DETAILS_CLIENT_ID }}', secret: false},
      azure-native:clientSecret: {value: '${{ secrets.AZURE_DETAILS_CLIENT_SECRET }}', secret: true},
      azure-native:location: {value: 'westeurope', secret: false},
      azure-native:subscriptionId: {value: '${{ secrets.AZURE_DETAILS_SUBSCRIPTION_ID }}', secret: false},
      azure-native:tenantId: {value: '${{ secrets.AZURE_DETAILS_TENANT_ID }}', secret: false},
      environment:size: {value: 'xs', secret: false},
      environment:type: {value: 'testing', secret: false}
    }"
```
You can use multi-line double-quoted strings to help make it easier on the eyes.
When expanding GitHub variables, wrap them in single quotes.