
Service principal credentials in Pulumi.<stack>.yml are recognized but then dismissed #82

Closed
fabiomilheiro opened this issue Jun 9, 2020 · 3 comments

Comments

@fabiomilheiro

fabiomilheiro commented Jun 9, 2020

Hi @leezen,

Thank you for your response in the previous issue #81, but we created this new issue to get to the root of the problem.

I have the credentials in my config Pulumi.dev.yml which were added as follows:

pulumi config set azure:clientId "00000000000000000000000"
pulumi config set azure:clientSecret "00000000000000000000000" --secret
pulumi config set azure:tenantId "00000000000000000000000"
pulumi config set azure:subscriptionId "00000000000000000000000"

The thing that's bugging me is that the service principal credentials are initially recognized by pulumi as I can see in the debug entries. Running:

$ pulumi preview --debug

Presents us with the following:

Line 55.
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:16 Using Service Principal / Client Secret for Authentication
debug: 2020/06/09 10:31:16 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant....

^^^ This shows that the service principal and the client secret configs were recognized.

Line 94.
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Certificate is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Service Principal / Client Secret is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Managed Service Identity is applicable for Authentication..
debug: 2020/06/09 10:31:17 Testing if Obtaining a token from the Azure CLI is applicable for Authentication..
debug: 2020/06/09 10:31:17 Using Obtaining a token from the Azure CLI for Authentication

^^^ And then Pulumi forgets about the service principal...

And, at the end, it's as if the service principal credentials were never presented.

Grpc.Core.RpcException: Status(StatusCode=Unknown, Detail="invocation of azuread:index/getGroup:getGroup returned an error: Error building AzureAD Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

    To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
    auth method - instructions for which can be found here: **** There's no link presented here.

    Alternatively you can authenticate using the Azure CLI by using a User Account.")

However, adding the service principal credentials as environment variables worked.

This has forced me to place the credentials in two places. The Pulumi.dev.yml and the environment variables. Not ideal.

After several hours on this, it seems that the feedback given to DevOps could possibly be improved in some way to help us get to the source of the problem faster.

Can you help with this please?

Thanks

Originally posted by @fabiomilheiro in #81 (comment)

@fabiomilheiro fabiomilheiro changed the title Hi @leezen, Service principal credentials in Pulumi.<stack>.yml are recognized but them dismissed Jun 9, 2020
@fabiomilheiro
Author

And this is how my Pulumi.<stack>.yml file looks:

config:
  azure:clientId: 000000000000000000000000
  azure:clientSecret:
    secure: 000000000000000000000000UXStv000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 000000000000000000000000
  azure:tenantId: 000000000000000000000000

@leezen

leezen commented Jun 9, 2020

Ah -- I think this is totally my mistake and I didn't realize what repo I was reading when I commented on the previous issue. Because you're trying to configure the azuread provider, it's going to try to read the configuration from the azuread namespace in your config. However, in your above, you're configuring it in the azure namespace. Can you please try setting those and see if that fixes your issue?

@fabiomilheiro
Author

Yes, I just had to add the same credentials using the azuread namespace. Thanks!
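The root cause above (credentials set under `azure:` while the `azuread` provider only reads its own namespace) is easy to catch before running `pulumi preview`. The following is an added example, not code from Pulumi or from anyone in this thread: it parses the flat `config:` block of a stack file without PyYAML, reports required keys that are missing from a provider's namespace but present under another one, and flags any secret that is not stored under `secure:`. The list of keys the `azuread` provider requires is an assumption for the example; the sample stack file is constructed from the one posted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Pulumi.<stack>.yml from this issue, placeholder values.
SAMPLE_STACK_CONFIG = """\
config:
  azure:clientId: 000000000000000000000000
  azure:clientSecret:
    secure: 000000000000000000000000UXStv000000000000000XqZFM=
  azure:location: WestEurope
  azure:subscriptionId: 000000000000000000000000
  azure:tenantId: 000000000000000000000000
"""

# Assumption for this example: keys the azuread provider must find in its own namespace.
REQUIRED = {"azuread": ("clientId", "clientSecret", "tenantId")}

def parse_stack_config(text: str) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Parse `ns:key: value` entries and nested `secure: <ciphertext>` secrets.
    Returns {(namespace, key): {"value": str, "secure": bool}}."""
    entries: Dict[Tuple[str, str], Dict[str, object]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^  ([A-Za-z0-9_-]+):([A-Za-z0-9_-]+):\s*(.*)$", line)
        if m:  # two-space indented `namespace:key: value` (value may be empty)
            ns, key, value = m.groups()
            current = (ns, key)
            entries[current] = {"value": value, "secure": False}
            continue
        m = re.match(r"^    secure:\s*(\S+)\s*$", line)
        if m and current is not None:  # encrypted secret belonging to the entry above
            entries[current] = {"value": m.group(1), "secure": True}
    return entries

def audit(entries: Dict[Tuple[str, str], Dict[str, object]],
          required: Dict[str, Tuple[str, ...]] = REQUIRED) -> List[str]:
    """List required keys missing from a provider namespace, naming any other
    namespace that holds the same key, and flag secrets stored in plaintext."""
    findings = []
    for ns, keys in required.items():
        for key in keys:
            if (ns, key) in entries:
                continue
            elsewhere = sorted(o for (o, k) in entries if k == key and o != ns)
            suffix = f"; set under {', '.join(elsewhere)} instead" if elsewhere else ""
            findings.append(f"{ns}:{key} missing{suffix}")
    for (ns, key), entry in entries.items():
        if key.lower().endswith("secret") and not entry["secure"]:
            findings.append(f"{ns}:{key} is stored in plaintext; use --secret")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_stack_config(SAMPLE_STACK_CONFIG)):
        print(finding)
```

Running it against the posted config reports all three `azuread:*` keys as missing but present under `azure`, which is exactly the fix applied in the last comment.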
