
damp-lock-9822

02/07/2023, 5:52 PM
I am trying to automate cluster registry key rotation with pulumi, azure, & K8s. I've imported the tokens from Azure AD into my pulumi stack and am checking whether they are set to expire anytime soon. If so, I generate a new token. However, I need to generate and utilize the value of the token password so that I can then apply it to the cluster's dockerconfig. Does anyone know of a way to access the value of the password generated when a new token is created? I see that in the "Supporting Types" for the Token object is "TokenCredentialsPropertiesResponse" (which includes the TokenPasswordResponse, with property 'value' which is what I'm after). However I can't find a way to access that property. Any help would be much appreciated!

melodic-tomato-39005

02/07/2023, 6:50 PM
Hi Sarah, there’s a package-level resource method [containerregistry:get_token](https://www.pulumi.com/registry/packages/azure-native/api-docs/containerregistry/gettoken/) which returns TokenCredentialsPropertiesResponse. The exact method name depends on the programming language. Hope that helps!

damp-lock-9822

02/07/2023, 8:53 PM
Thanks! I tried this approach and keep running into an error. I'm not sure what could be causing it, I'm simply calling azure_native.containerregistry.get_token with the registry_name, resource_group_name, and token_name specified. Have you seen behavior like this?
File "/home/sarah/.local/lib/python3.10/site-packages/pulumi/runtime/invoke.py", line 103, in do_invoke
    return monitor.Invoke(req), None
AttributeError: 'NoneType' object has no attribute 'Invoke'

melodic-tomato-39005

02/07/2023, 8:59 PM
Hmm, not good. Can you post your "pulumi about"?

damp-lock-9822

02/07/2023, 9:25 PM
CLI          
Version      3.54.0
Go Version   go1.20
Go Compiler  gc

Plugins
NAME          VERSION
azure         5.32.0
azure-native  1.93.0
python        unknown

Host     
OS       ubuntu
Version  22.04
Arch     x86_64

This project is written in python: executable='/usr/bin/python3' version='3.10.6'

Current Stack: sarah.wheeler/inline_key_project/dev2

TYPE                                     URN
pulumi:pulumi:Stack                      urn:pulumi:dev2::inline_key_project::pulumi:pulumi:Stack::inline_key_project-dev2
pulumi:providers:azure-native            urn:pulumi:dev2::inline_key_project::pulumi:providers:azure-native::default_1_93_0
azure-native:containerregistry:Token     urn:pulumi:dev2::inline_key_project::azure-native:containerregistry:Token::rock1
azure-native:containerregistry:Token     urn:pulumi:dev2::inline_key_project::azure-native:containerregistry:Token::rock2
azure-native:containerregistry:Registry  urn:pulumi:dev2::inline_key_project::azure-native:containerregistry:Registry::statelesstestregistry


Found no pending operations associated with sarah.wheeler/inline_key_project/dev2

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/sarah.wheeler
User           sarah.wheeler
Organizations  sarah.wheeler

Dependencies:
NAME                 VERSION
pip                  23.0.0
pulumi-azure         5.32.0
pulumi-azure-native  1.93.0
setuptools           67.1.0
wheel                0.38.4

Pulumi locates its logs in /tmp by default
Is it possible that all of the opts values need to be defined for it to work as intended?

melodic-tomato-39005

02/08/2023, 5:48 PM
That’s quite likely. I noticed that the docs have the red asterisk meaning “required” on all arguments, but the Python SDK has them as Optional. That might be a bug.
I’m trying to repro this. Which of the three arguments did you specify?

damp-lock-9822

02/08/2023, 6:23 PM
I specified the first 3 (registry_name, resource_group_name, and token_name).
I also tried adding an opts value with the version string, but that didn't change anything.

melodic-tomato-39005

02/08/2023, 7:52 PM
If you specified all three it should definitely work.
Here’s a sample program that works for me to create and then retrieve a token, although it has no passwords - creating a token with a password fails for me with “New passwords can be added only through ‘generateCredentials’”. Maybe a separate issue. I do not get the NoneType error you got, though.
"""An Azure RM Python Pulumi program"""

import pulumi
from pulumi_azure_native import resources
from pulumi_azure_native import containerregistry

# Resource group that will hold the registry and its token.
resource_group = resources.ResourceGroup('resource_group')

# Container registry; the Standard SKU is required for token (repository-scoped) auth.
registry = containerregistry.Registry("registry",
    admin_user_enabled=True,
    location="westus",
    resource_group_name=resource_group.name,
    sku=containerregistry.SkuArgs(
        name="Standard",
    ))

# Token with an empty credentials block: adding a password here fails with
# "New passwords can be added only through 'generateCredentials'".
token = containerregistry.Token("token",
    credentials=containerregistry.TokenCredentialsPropertiesArgs(
        #passwords=[containerregistry.TokenPasswordArgs(name="password1")]
    ),
    registry_name=registry.name,
    resource_group_name=resource_group.name,
)

# Read the token back. The *_output variant accepts Outputs, so it waits for
# the registry and token to be created before the invoke runs.
retrieved_token = containerregistry.get_token_output(
    resource_group_name=resource_group.name,
    registry_name=registry.name,
    token_name=token.name)

pulumi.export("token", retrieved_token)

damp-lock-9822

02/08/2023, 8:13 PM
I see. Are you able to run it with the get_token function rather than the get_token_output function?

melodic-tomato-39005

02/08/2023, 9:02 PM
After the registry and the token are created, I am. But if they’re not, get_token_output is required due to the way Pulumi tracks dependencies (see here).

damp-lock-9822

02/08/2023, 9:06 PM
In my program, I'm importing the registry and token from a cloud provider (rather than creating new resources). Would you expect get_token to fail in that case as well?

melodic-tomato-39005

02/08/2023, 9:12 PM
Hmm, I think not. But you could try get_token_output to be sure. I still don’t understand your AttributeError: 'NoneType' error. Is there more to the stack trace?

damp-lock-9822

02/08/2023, 9:37 PM
It must be because I was trying to use get_token rather than get_token_output?
Using get_token_output works for me. But I was hoping to use it to retrieve the value associated with the password of the token. It looks like the value is None. Do you know if it's possible to retrieve the password value like this?

melodic-tomato-39005

02/08/2023, 9:43 PM
For me, the output - for a token without passwords - is
token: {
        creation_date     : "2023-02-08T19:51:37.6106474+00:00"
        credentials       : {
            passwords: []
        }
...
The password should be in this passwords list. I don’t know why it’s None.

damp-lock-9822

02/08/2023, 9:47 PM
{
  "creation_date": "2023-02-01T21:57:55.2833905+00:00",
  "credentials": {
    "passwords": [
      {
        "creation_time": "2023-02-01T21:58:16.506488+00:00",
        "expiry": "2024-02-01T21:58:08.164+00:00",
        "name": "password1",
        "value": null
      }
    ]
  },
Strange, this is the output I'm getting for a token (with a password already set). But this doesn't seem correct (unless it is by design to hide the password value?).
Also, you said it didn't allow you to input a password during token creation, right? I assume it doesn't create one for you, but requires you to use 'generateCredentials' as you noted. Do you know where that function lives?

melodic-tomato-39005

02/08/2023, 10:18 PM
I don’t think generateCredentials is present in Pulumi since it’s a data-plane operation and therefore not modeled in the Azure API specs. Another thing that occurred to me: the default Azure API version for containerregistry in azure-native is from 2019, quite old. (We’re working on an update.) You could try using a newer one like so: token = containerregistry.v20221201.Token("token"…, containerregistry.v20221201.get_token.
I doubt that Pulumi retrieves the password from Azure and then swallows it. I’d guess it’s an Azure thing, but not 100% sure.
I need to log off for other projects for now but keep me posted. If it doesn’t work I’ll file some issues tomorrow.

damp-lock-9822

02/08/2023, 10:20 PM
Okay, thanks for all your help! I'll keep you posted.
I haven't been able to successfully create a token with a password using the Azure API. And if I create one without a password, I can't find a way to add one to it after the fact.

melodic-tomato-39005

02/09/2023, 4:57 PM
ugh, that sounds painful