
Error - "PULUMI_ACCESS_TOKEN must be set" even if cloud-url param was used

Open pawelryba-a4bee opened this issue 3 years ago • 5 comments

What happened?

I'm trying to add infrastructure check with PR comment during CI pipeline. For that, Pulumi/actions@v3 was used. Unfortunately, it returns errors:

stderr: error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

Steps to reproduce

According to documentation, action with cloud-url was used. AWS credentials were set directly as env and with aws-actions/configure-aws-credentials@v1 - with same outcome.

 - uses: pulumi/actions@v3
   env:
     AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
     AWS_REGION: ${{ secrets.AWS_REGION }}
     PULUMI_CONFIG_PASSPHRASE: ''
   with:
     command: preview
     stack-name: ${{ env.PULUMI_STACK }}
     comment-on-pr: true
     cloud-url: ${{ env.PULUMI_BUCKET }}
     pulumi-version: ${{ env.PULUMI_VERSION }}
     work-dir: infrastructure/backend

Expected Behavior

Pulumi is showing infrastructure changes during PR

Actual Behavior

Pipeline fails

Versions used

v3

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

pawelryba-a4bee avatar Aug 01 '22 08:08 pawelryba-a4bee

Hi @pr-a4bee, thank you for opening an issue!

To be sure - what is the value that you are trying to set cloud-url to? Are you trying to login to an S3 bucket?

mikhailshilkov avatar Aug 01 '22 16:08 mikhailshilkov

Yes, value was set to: s3://xxx-xxx. It works fine with custom pulumi login script.

pawelryba-a4bee avatar Aug 01 '22 16:08 pawelryba-a4bee

Hi @pr-a4bee I went ahead and attempted to reproduce this. I was able to reproduce the error message by introducing a typo in the line

   cloud-url: ${{ env.PULUMI_BUCKET }}

When PULUMI_BUCKET is set to an empty string, I get the error message PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions. Or, when PULUMI_BUCKET references an environment variable that doesn't exist, I get the same error.

When I set my values correctly, I was able to use cloud-url without as intended using the yml snippet you provided.

RobbieMcKinstry avatar Aug 10 '22 16:08 RobbieMcKinstry

Thanks for info, I’ll try to reproduce it once again. What’s interesting, I also tried to put bucket address directly (without using variables) - with same result.

pawelryba-a4bee avatar Aug 10 '22 18:08 pawelryba-a4bee

Huh, bizarre! Let me know how it goes! :D

RobbieMcKinstry avatar Aug 10 '22 22:08 RobbieMcKinstry

@pr-a4bee had the same problem and it cleared by adding

backend:
  url: s3://your-infra-bucket-here

to Pulumi.yaml

johnny-v-cdg avatar Aug 19 '22 09:08 johnny-v-cdg

Adding a backend to Pulumi.yaml did not help in my case. I have a hard-coded cloud-url: in the action config but it still fails with error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

Update: My issue was caused by a missing work-dir. For some reason the CLI was trying to run in a non-Pulumi environment and throwing this error, causing some confusion on my end. It would be better if it warned that this is not a proper environment.

anacierdem avatar Aug 22 '22 14:08 anacierdem

I ran into this issue today. This is a totally misleading error message coming out of the pulumi CLI.

I solved it, and I'm documenting the steps I used to do so here in case it helps someone else.

  1. First I turned on GitHub Actions debugging messages. If you set a repo secret ACTIONS_STEP_DEBUG = true you will see lots of debugging (this is also a check-box option in the "Re-run jobs" dialog). When I did this I saw the following messages from Pulumi:
Logging into <your cloud-url>
Working directory resolved at <your working dir>

So authentication was not the problem. It got past that step.

  2. I decided to check for authorization problems (permissions). I inserted a step between authentication with my cloud provider, and doing pulumi, that attempted to access the bucket directly, e.g. for GCP:
  steps:
    # google-github-actions/auth@v0 step
    # google-github-actions/setup-gcloud@v0 step

    - name: "Attempt to access Pulumi state bucket directly"
      shell: bash
      run: gsutil ls gs://my-pulumi-state-bucket

    # pulumi/actions@v3 step

While my project appeared to be configured correctly, it turned out that the service account I was using didn't have sufficient access permissions to access the Pulumi state bucket, and I got an error message like this: AccessDeniedException: 403 [email protected] does not have storage.objects.list access to the Google Cloud Storage bucket.

It also didn't have sufficient permission to access the crypto keys required to access its secrets. After fixing these issues, everything worked.

sampierson avatar Aug 23 '22 00:08 sampierson
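
The causes reported in this thread (an empty cloud-url, a work-dir that holds no Pulumi project, and a CI identity that cannot read the state bucket) all surface as the same PULUMI_ACCESS_TOKEN error, but they can be told apart before the Pulumi step runs. The script below is an added example, not part of any comment here or of pulumi/actions; the function names and exit codes are hypothetical, and it assumes the aws or gsutil CLI has already been authenticated by an earlier step.

```shell
#!/usr/bin/env bash
# Preflight for a self-managed Pulumi backend in CI (hypothetical helper names).
# Usage: preflight.sh <cloud-url> <work-dir>

# 0 = usable self-managed backend URL, 1 = empty (unset variable or secret),
# 2 = unrecognised scheme
check_backend_url() {
  case "$1" in
    "") return 1 ;;
    s3://?*|gs://?*|azblob://?*|file://?*) return 0 ;;
    *) return 2 ;;
  esac
}

# 0 when the directory holds a Pulumi project file
check_work_dir() {
  [ -f "$1/Pulumi.yaml" ]
}

# 0 when the CI identity can list the state bucket; other schemes are skipped
check_bucket_access() {
  case "$1" in
    s3://*) aws s3 ls "$1" >/dev/null ;;
    gs://*) gsutil ls "$1" >/dev/null ;;
    *) return 0 ;;
  esac
}

# Runs the checks in order and returns a distinct code for the first failure.
preflight() {
  local url="$1" dir="$2" rc=0
  check_backend_url "$url" || rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "cloud-url is empty: check the variable or secret it is built from" >&2; return 10
  elif [ "$rc" -eq 2 ]; then
    echo "cloud-url has an unexpected scheme" >&2; return 11
  fi
  if ! check_work_dir "$dir"; then
    echo "no Pulumi.yaml in '$dir': check work-dir" >&2; return 12
  fi
  if ! check_bucket_access "$url"; then
    echo "cannot list the state bucket: check the CI identity's permissions" >&2; return 13
  fi
  echo "preflight ok"
}

# Run only when invoked with both arguments.
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Run as a step just before pulumi/actions, a non-zero exit fails the job with a message naming the actual cause.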

Adding a backend to Pulumi.yaml did not help in my case. I have a hard-coded cloud-url: in the action config but it still fails with error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

Update: My issue was caused by a missing work-dir. For some reason the CLI was trying to run in a non-Pulumi environment and throwing this error, causing some confusion on my end. It would be better if it warned that this is not a proper environment.

I ran into this issue today. First, I used Bash to run the command pulumi new to create the project and had the same error. But when I ran it with PowerShell on Windows, it gave a warning that you have to add --force. So I added --force to the end of the command line, and it works in both Bash and PowerShell. Hope it helps.

tanhvnpd02584 avatar Apr 23 '23 16:04 tanhvnpd02584