Hey all, happy new year! Does anyone know how to use the

config-map

option in the Pulumi GitHub action? I'm having trouble injecting secrets into it to create a new stack to access Azure with a

clientId

,

clientSecret

in the config. In my action I have a YAML string similar to the following (I've shortened it a lot here):

config-map: "{azure-native:location: {value: westeurope, secret: false}, azure-native:clientSecret: {value: ${{ secrets.AZURE_DETAILS.clientSecret }}, secret: true}, azure-native:tenantId: {value: my-guid, secret: false}}"
env:
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  ARM_CLIENT_ID: ${{ secrets.AZURE_DETAILS.clientId }}
  ARM_CLIENT_SECRET: ${{ secrets.AZURE_DETAILS.clientSecret }}
  ARM_TENANT_ID: ${{ secrets.AZURE_DETAILS.tenantId }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_DETAILS.subscriptionId }}

But I receive an error when the Pulumi step runs, suggesting I've used the wrong `clientSecret`:

azure-native:resources:ResourceGroup rg-myrg- creating (0s) error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://management.azure.com/subscriptions/my-subscription-id-guid/resourcegroups/rg-rg-myrg-a8fcf880?api-version=2019-05-01>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: ***"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'my-app-guid'.\r\nTrace ID: 8d13de75-afd6-492a-8c0a-aea6ed140801\r\nCorrelation ID: b8fd878d-cbc3-46cf-a1ac-24607590db62\r\nTimestamp: 2023-01-04 11:22:21Z","error_codes":[7000215],"timestamp":"2023-01-04 11:22:21Z","trace_id":"8d13de75-afd6-492a-8c0a-aea6ed140801","correlation_id":"b8fd878d-cbc3-46cf-a1ac-24607590db62","error_uri":"<https://login.microsoftonline.com/error?code=7000215>"*** Endpoint <https://login.microsoftonline.com/my-tenant-id-guid/oauth2/token?api-version=1.0>

If I run the action without

config-map

and just target an existing stack, I can update and destroy the stack just fine. The credentials I'm using are the same in the config and in the

env

, they are from the same GitHub secret. It seems that GitHub secrets are not injected properly into the

config-map

YAML string, using the syntax I am. Though, no syntax is shown in the description and I can't find any examples.

That looks reasonable. Have you tested that config works locally (I'm not sure the exact names for azure-native configuration myself)? Might also be worth having a dummy step before hand that sets an envvar with the same config-map string and check that prints the string correctly (assuming this is a locked down repo that other people can't just look at the gha logs for)

Hey Fraser. Thanks for your response! I can confirm it works locally, we have the secret set as the same credentials we use locally. As for printing it, GitHub actions seem very good at catching my own stupidity, so I can't seem to be able to display a secret! I've just tried storing the secret as an envvar in the Pulumi step, then referencing that in the

config-map

string, which "seems" to get me a little further. I'm going to play around a bit more with it after lunch and will update on here!

Might just be needs some quote chars added, dunno if github would expand

${{ secrets.AZURE_DETAILS.clientSecret }}

to

"secret"

or just

secret

and you'd need the former if its in JSON style.

Good point, I will test that too.

We're not doing anything odd Github actions wise with this, its just using the gha sdk to get the action input: https://github.com/pulumi/actions/blob/master/src/config.ts#LL71

Yeah, that makes sense. I've found the issue now. I had a structured secret which contained the credentials to access the azure cli. GitHub docs say not to do this... Anyways, after changing that, it's happy. I will make a final comment on this thread and the following link to explain what I did to get this working: https://github.com/pulumi/actions/issues/716 I also have another issue now 🤦 but it's unrelated to this, so will put that back in general. Thanks for your time Fraser!