
Credentials required to be in two different places? #81

Closed
fabiomilheiro opened this issue Jun 8, 2020 · 2 comments
Comments

@fabiomilheiro

I'm trying to set up IaC via Pulumi.

One of the challenges is to set up appropriate permissions.

So I needed to get an Azure AD group object id:

```csharp
using Pulumi;
using Pulumi.AzureAD;

// Look up an existing Azure AD group by display name to get its object id
var group = Output.Create(
    GetGroup.InvokeAsync(
        new GetGroupArgs
        {
            Name = "Administrators"
        }));
```

However, I got the following error:

```
PS C:\dev\___> pulumi preview
Previewing update (dev):
     Type                 Name          Plan     Info
     pulumi:pulumi:Stack  Frontend-dev           1 error

Diagnostics:
  pulumi:pulumi:Stack (Frontend-dev):
    error: Running program 'C:\dev\___\bin\Debug\netcoreapp3.1\Frontend.dll' failed with an unhandled exception:
    Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here: (THERE IS NO LINK HERE)

    Alternatively you can authenticate using the Azure CLI by using a User Account.")
       at Pulumi.GrpcMonitor.InvokeAsync(InvokeRequest request)
       at Pulumi.Deployment.InvokeAsync[T](String token, InvokeArgs args, InvokeOptions options, Boolean convertResult)
       at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func)
       at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync()
       at Pulumi.Serialization.Serializer.SerializeAsync(String ctx, Object prop)
       at Pulumi.Deployment.SerializeFilteredPropertiesAsync(String label, IDictionary`2 args, Predicate`1 acceptKey)
       at Pulumi.Deployment.SerializeAllPropertiesAsync(String label, IDictionary`2 args)
       at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
       at Pulumi.Deployment.Runner.WhileRunningAsync()
```

There's no link where it was supposed to be.

Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set commands which led me to believe that that should be enough.

However, it seems to me now that we must have the credentials also set up as environment variables.

In PowerShell, you may type the following:

```powershell
$env:ARM_CLIENT_ID="0000000000000000000000000"
$env:ARM_CLIENT_SECRET="0000000000000000000000000"
$env:ARM_TENANT_ID="0000000000000000000000000"
$env:ARM_SUBSCRIPTION_ID="0000000000000000000000000"
```

After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.

Could this be sorted please? Is it expected that we duplicate the credentials or is there a better way?

Original question:
https://stackoverflow.com/questions/62259552/how-to-get-group-in-azure-ad-in-pulumi/62263761#62263761


leezen commented Jun 9, 2020

You only need either the environment variables or variables setup in your config. Please see https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/ which describes the configuration.

@leezen leezen closed this as completed Jun 9, 2020
@fabiomilheiro (Author)

Hi @leezen,

Thank you for your response.

I have the credentials in my config Pulumi.dev.yml which were added as follows:

```shell
pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"
```

The thing that's bugging me is that the service principal credentials are initially recognized by pulumi as I can see in the debug entries. Running:

```shell
$ pulumi preview --debug
```

Presents us with the following:

Line 55.

```
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Using Service Principal / Client Secret for Authentication
debug: 2020/06/09 10:31:16 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant....
```

^^^ This shows that the service principal and the client secret configs were recognized.

Line 94.

```
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/09 10:31:17 Using Obtaining a token from the Azure CLI for Authentication
```

^^^ And then Pulumi forgets about the service principal...

And, at the end, it's as if the service principal credentials were never presented.

```
Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here: **** There's no link presented here.

    Alternatively you can authenticate using the Azure CLI by using a User Account.")
```

However, adding the service principal credentials as environment variables worked.

This has forced me to place the credentials in two places. The Pulumi.dev.yml and the environment variables. Not ideal.

After several hours on this, it seems that the feedback given to DevOps engineers could be improved in some way to help us get to the source of the problem faster.

Can you help with this please?

Thanks
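An added check, not part of this issue thread and not Pulumi's own tooling: a POSIX shell script that inspects a stack file and reports whether service-principal credentials are configured for both the `azure:` and the `azuread:` provider namespaces, and whether the client secret is stored encrypted. The two providers read separate config keys (`azure:clientId` and `azuread:clientId`, and so on; `subscriptionId` is an azure-provider key the azuread provider does not use) but share the `ARM_CLIENT_ID` / `ARM_CLIENT_SECRET` / `ARM_TENANT_ID` environment variables. A stack that only sets `azure:*` therefore configures the azure provider and leaves the azuread provider to fall back on Azure CLI authentication, which matches the "Line 55" and "Line 94" debug output above, and explains why exporting the `ARM_*` variables fixed both at once. The sample stack file below is constructed to mirror the `pulumi config set azure:...` commands in the thread; the key names and the `secure:` layout are the ones Pulumi actually uses, and the `check_provider` / `provider_ready` helpers are this example's own.

```shell
#!/bin/sh
# Added example for pulumi-azuread issue #81; not code from the issue author
# or from Pulumi. Checks a Pulumi.<stack>.yaml for service-principal credentials
# in BOTH the azure: and azuread: namespaces, and that clientSecret is stored
# as an encrypted `secure:` value rather than in plaintext.
# Assumptions: the two-space layout `pulumi config set` writes; only
# clientId/clientSecret/tenantId are required per provider.

# Constructed sample: what the issue's `pulumi config set azure:...` commands
# produce. Only azure:* keys are present; the secret is encrypted.
write_sample_stack() {
  cat > "$1" <<'EOF'
config:
  azure:clientId: "00000000-0000-0000-0000-000000000000"
  azure:clientSecret:
    secure: AAABAConstructedCiphertextNotReal=
  azure:subscriptionId: "00000000-0000-0000-0000-000000000002"
  azure:tenantId: "00000000-0000-0000-0000-000000000001"
EOF
}

# has_key FILE NAMESPACE KEY: succeeds if "NAMESPACE:KEY:" is set in the file.
has_key() {
  grep -Eq "^[[:space:]]+$2:$3:" "$1"
}

# secret_is_encrypted FILE NAMESPACE: succeeds only if NAMESPACE:clientSecret
# has no inline value and is followed by a `secure:` line.
secret_is_encrypted() {
  awk -v key="$2:clientSecret:" '
    $1 == key { found = 1; if (NF > 1) exit 1; next }   # inline value = plaintext
    found     { if ($1 == "secure:") exit 0; exit 1 }
    END       { if (!found) exit 1 }
  ' "$1"
}

# env_has_sp: succeeds if the ARM_* variables both providers read are set.
env_has_sp() {
  [ -n "${ARM_CLIENT_ID:-}" ] && [ -n "${ARM_CLIENT_SECRET:-}" ] && [ -n "${ARM_TENANT_ID:-}" ]
}

# check_provider FILE NAMESPACE: prints each problem to stderr and returns the
# number of problems; 0 means the stack file fully configures this provider.
check_provider() {
  file=$1; ns=$2; problems=0
  for key in clientId clientSecret tenantId; do
    if ! has_key "$file" "$ns" "$key"; then
      echo "$ns:$key is not set in $file" >&2
      problems=$((problems + 1))
    fi
  done
  if has_key "$file" "$ns" clientSecret && ! secret_is_encrypted "$file" "$ns"; then
    echo "$ns:clientSecret is stored in plaintext; set it with --secret" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}

# provider_ready FILE NAMESPACE: succeeds if either the stack file or the
# ARM_* environment gives NAMESPACE a complete service-principal configuration.
provider_ready() {
  check_provider "$1" "$2" 2>/dev/null || env_has_sp
}

# Stand-alone run: the sample stack configures azure but not azuread.
main() {
  tmp=$(mktemp)
  write_sample_stack "$tmp"
  for ns in azure azuread; do
    if provider_ready "$tmp" "$ns"; then
      echo "$ns: service principal configured"
    else
      echo "$ns: will fall back to Azure CLI (or MSI) authentication"
    fi
  done
  rm -f "$tmp"
}

main
```

Setting `azuread:clientId`, `azuread:clientSecret --secret` and `azuread:tenantId` alongside the `azure:*` keys keeps everything in the one stack file, where the secret is encrypted by the stack's secrets provider. The environment-variable workaround works, but it holds the secret in plaintext in the shell session, and a value typed into an interactive shell may also end up in that shell's history file.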
