Credentials required to be in two different places? #81
You only need either the environment variables or variables set up in your config. Please see https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/ which describes the configuration.
Hi @leezen,

Thank you for your response. I have the credentials in my config:

pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"

The thing that's bugging me is that the service principal credentials are initially recognized by pulumi, as I can see in the debug entries. Running:

$ pulumi preview --debug

Presents us with the following:

Line 55.

debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Using Service Principal / Client Secret for Authentication
debug: 2020/06/09 10:31:16 Getting OAuth config for endpoint https://login.microsoftonline.com/ with tenant....

^^^ This shows that the service principal and the client secret configs were recognized.

Line 94.

debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/09 10:31:17 Using Obtaining a token from the Azure CLI for Authentication

^^^ And then Pulumi forgets about the service principal...

And, at the end, it's as if the service principal credentials were never presented.

Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
auth method - instructions for which can be found here: ****

There's no link presented here.

Alternatively you can authenticate using the Azure CLI by using a User Account.")

However, adding the service principal credentials as environment variables worked. This has forced me to place the credentials in two places.

After several hours on this, it seems that possibly the feedback to help the devops may be improved in some way to help us get to the source of the problem faster.

Can you help with this please?

Thanks
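A small triage helper for `pulumi preview --debug` output like the log quoted in the comment above, added here as an example (it is not part of the comment and not Pulumi's own code). It groups the authentication probe lines into rounds and flags any round that tested the service principal method but selected a different one; the sample log is constructed from the quoted lines and the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the debug lines quoted in the comment above.
SAMPLE_LOG = """\
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Using Service Principal / Client Secret for Authentication
debug: 2020/06/09 10:31:16 Getting OAuth config for endpoint https://login.microsoftonline.com/ with tenant....
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/09 10:31:17 Using Obtaining a token from the Azure CLI for Authentication
"""

PROBE = re.compile(r"Testing if (?P<method>.+?) is applicable for Authentication")
CHOSEN = re.compile(r"Using (?P<method>.+?) for Authentication\s*$")
SP_SECRET = "Service Principal / Client Secret"

@dataclass
class AuthRound:
    probed: List[str] = field(default_factory=list)  # methods tested, in order
    chosen: Optional[str] = None                      # method finally selected

def parse_auth_rounds(log_text: str) -> List[AuthRound]:
    """Group probe lines into rounds; a 'Using ... for Authentication' line closes a round."""
    rounds, current = [], AuthRound()
    for line in log_text.splitlines():
        if m := PROBE.search(line):
            current.probed.append(m.group("method"))
        elif m := CHOSEN.search(line):
            current.chosen = m.group("method")
            rounds.append(current)
            current = AuthRound()
    if current.probed:
        rounds.append(current)  # probes logged but no selection line followed
    return rounds

def find_fallbacks(rounds: List[AuthRound]) -> List[int]:
    """Indexes of rounds that probed the service principal secret but picked another method."""
    return [i for i, r in enumerate(rounds)
            if SP_SECRET in r.probed and r.chosen not in (None, SP_SECRET)]

if __name__ == "__main__":
    for i in find_fallbacks(parse_auth_rounds(SAMPLE_LOG)):
        print(f"round {i}: fell back to a method other than {SP_SECRET}")
```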
I'm trying to set up IaC via Pulumi.
One of the challenges is to set up appropriate permissions.
So I needed to get an Azure AD group object id:
However, I got the following error:
There's no link where it was supposed to be.
Somewhere in the documentation, we're asked to put the credentials in the Pulumi.<stack>.yml via pulumi config set commands, which led me to believe that that should be enough. However, it seems to me now that we must have the credentials also set up as environment variables.
In PowerShell, you may type the following:
After doing that, my Pulumi stack was able to retrieve the Azure AD group object id successfully.
Could this be sorted please? Is it expected that we duplicate the credentials or is there a better way?
Original question:
https://stackoverflow.com/questions/62259552/how-to-get-group-in-azure-ad-in-pulumi/62263761#62263761