pulumi-azure-native
OIDC config not working
### What happened?
I am trying to get the action working with an OIDC setup for GitHub. Azure CLI is able to log in with OIDC. Any help would be really appreciated.
Edit: If I use a service principal credential (same app registration) instead of OIDC with the same permissions, it works. It is specifically failing when doing something with an azure_native.app.v20230501.ContainerApp resource. If I remove that resource, it works out.
### Example
```
Run pulumi/[email protected]
Configured range: ^3
/usr/local/bin/pulumi version
v3.101.1
Pulumi version 3.101.1 is already installed on this machine. Skipping download
Logging into the Pulumi Cloud backend.
pulumi up on orgnologies/test
Updating (orgnologies/test)
View Live: https://app.pulumi.com/org/app-infra-app/test/updates/54
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:test::org-infra-app::pulumi:pulumi:Stack::org-infra-app-test]
@ Updating....
> pulumi:pulumi:StackReference: (read)
[id=org/app-infra-base/test]
[urn=urn:pulumi:test::org-infra-app::pulumi:pulumi:StackReference::org/app-infra-base/test]
name: "org/app-infra-base/test"
@ Updating....
Resources:
5 unchanged
Duration: 36s
/home/runner/work/_actions/pulumi/actions/v4.4.0/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77
: new CommandError(result);
^
CommandError: code: -2
stdout:
stderr: Command failed with exit code 255: pulumi up --yes --skip-preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --stack orgnologies/test --non-interactive
[resource plugin azure-native-2.23.0] installing
error: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here: https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/#service-principal-authentication
Alternatively you can authenticate using the Azure CLI by using a User Account.
Updating (org/test)
View Live: https://app.pulumi.com/org/app-infra-app/test/updates/54
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:test::org-infra-app::pulumi:pulumi:Stack::org-infra-app-test]
@ Updating....
> pulumi:pulumi:StackReference: (read)
[id=org/app-infra-base/test]
[urn=urn:pulumi:test::org-infra-app::pulumi:pulumi:StackReference::org/app-infra-base/test]
name: "org/app-infra-base/test"
@ Updating....
Resources:
5 unchanged
Duration: 36s
err?: Error: Command failed with exit code 255: pulumi up --yes --skip-preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --stack orgnologies/test --non-interactive
[resource plugin azure-native-2.23.0] installing
error: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here: https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/#service-principal-authentication
Alternatively you can authenticate using the Azure CLI by using a User Account.
Updating (org/test)
```
### Output of pulumi about
Pulumi version 3.101.1 [resource plugin azure-native-2.23.0]
### Additional context
Workflow file looks like this:
```yaml
name: Pulumi Preview of App
on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches:
      - master
  workflow_dispatch:
env:
  ORG: org
  STACK: test
defaults:
  run:
    working-directory: infra/app/
jobs:
  preview:
    # needs: changes
    # if: ${{needs.changes.outputs.changed == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - uses: pnpm/action-setup@v2
        name: Install pnpm
        with:
          version: 7
          run_install: false
      - uses: actions/setup-node@v3
        with:
          node-version: '18'
          cache: 'pnpm'
      - name: Install dependencies
        run: pnpm install .
      - name: Azure login
        uses: azure/[email protected]
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # - uses: pulumi/actions@v4
      - uses: pulumi/actions@v4
        with:
          command: preview
          stack-name: ${{ env.ORG }}/${{ env.STACK }}
          comment-on-pr: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
          work-dir: infra/app
          diff: true
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          ARM_USE_OIDC: true
          ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```
### Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Since this looks like it's related to Azure Native auth, I'm going to transfer it over to that repo for further triage.
Hi @Arttii, sorry you're running into trouble here. It seems as if `ARM_USE_OIDC: true` has no effect but I cannot see why. Two thoughts:
- I'm not sure what purpose the `azure/login` step serves in your workflow. You don't need it for Pulumi. Can you try removing it?
- I can't see how the `ContainerApp` resource could be influencing this because the error happens at startup of the provider, before any resources are processed. Can you double-check it's the only difference between failing and successful configuration? Are you able to share a Pulumi program that reproduces the issue?
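As an added pre-flight check (not from the issue, the maintainer, or the provider), a POSIX shell function a job can run just before the Pulumi step to confirm that every input the OIDC path depends on is present and that nothing is left that would push the provider onto the Azure CLI fallback seen in the error above. It assumes the provider consumes GitHub's `ACTIONS_ID_TOKEN_REQUEST_URL` / `ACTIONS_ID_TOKEN_REQUEST_TOKEN` pair when `ARM_USE_OIDC=true`, that `ARM_CLIENT_SECRET` is the long-lived secret variable, and that `az account show --query user.type` reports the CLI session type.

```shell
#!/bin/sh
# Added pre-flight check (not part of the issue or the provider): verify that a
# GitHub Actions job has everything the azure-native provider needs for OIDC
# before `pulumi up` runs, so a misconfiguration fails here with a clear message
# instead of at provider startup. Returns 0 when complete, 1 otherwise.
check_azure_oidc_env() {
  rc=0
  # YAML `true` reaches the process as the string "true"; anything else is a misconfiguration.
  if [ "${ARM_USE_OIDC:-}" != "true" ]; then
    echo "ARM_USE_OIDC is '${ARM_USE_OIDC:-<unset>}', expected 'true'"
    rc=1
  fi
  # Identity of the federated app registration, as in the issue's workflow env.
  for v in ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "$v is unset or empty"
      rc=1
    fi
  done
  # GitHub only exports the token-exchange pair when the job has `permissions: id-token: write`;
  # the provider is assumed to read these when ARM_USE_OIDC=true.
  for v in ACTIONS_ID_TOKEN_REQUEST_URL ACTIONS_ID_TOKEN_REQUEST_TOKEN; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "$v is unset: grant 'id-token: write' to the job"
      rc=1
    fi
  done
  # A client secret next to OIDC means the long-lived credential is still in play; fail closed.
  if [ -n "${ARM_CLIENT_SECRET:-}" ]; then
    echo "ARM_CLIENT_SECRET is set; remove it so only the federated token is used"
    rc=1
  fi
  # Informational: an Azure CLI session logged in as a service principal (what azure/login
  # produces) is exactly what the provider's CLI fallback rejects in the error above.
  # Assumes `az account show --query user.type` yields "user" or "servicePrincipal".
  if command -v az >/dev/null 2>&1; then
    cli_type=$(az account show --query user.type -o tsv 2>/dev/null || true)
    if [ "$cli_type" = "servicePrincipal" ]; then
      echo "note: Azure CLI session is a service principal; the provider's CLI fallback will refuse it"
    fi
  fi
  return "$rc"
}
```

Call it from a `run:` step placed immediately before `pulumi/actions` with the same `env:` block, so the job fails on the first missing input rather than on the provider's startup error.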
closing as stale