# azure

busy-flower-16072

02/20/2023, 8:05 PM
I'm very new to Pulumi and ran into a question when authenticating using a service principal. Short version, I'm doing a basic proof of concept just looking to create a management group hierarchy within Azure. When running this locally, I had no problems at all. However, now that I'm trying to incorporate that into an Azure DevOps pipeline (using a service principal), it's tossing out an error that: "A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret." In the documentation, I see one of the required tokens that must be made available to Pulumi is the ARM_SUBSCRIPTION_ID. However, since I am provisioning management groups, there is no subscription per se... Is there any way around this? Something along the lines of the Azure CLI --allow-no-subscriptions flag that provides tenant level access.
Welp, sure enough... as long as I specify anything for the ARM_SUBSCRIPTION_ID (e.g., gibberish), it works.

icy-doctor-13719

02/20/2023, 9:24 PM
try using a pulumi AzureNative Provider resource … store those values (for example) in your configuration with the --secret flag
pulumi runs self-contained in this case and should act the same locally and in a CI runner. this way you won't have to add those environment variables to your CLI manually each time you open a new terminal too

busy-flower-16072

02/20/2023, 9:25 PM
Thanks Patrick... will def check this out!

icy-doctor-13719

02/20/2023, 9:25 PM
service principals will need to still be added to the subscription with minimum contributor role
otherwise how would they write to ARM 😅