-
Notifications
You must be signed in to change notification settings - Fork 54
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use different ACCESS_TOKENS for different Stacks #483
Comments
Hi @breuerfelix thanks for raising this issue with us. I've escalated this internally to investigate further. |
The root cause of the issue seems to be that the Pulumi CLI gives lower priority to See: pulumi/pulumi#13919 |
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md) for Pulumi's contribution guidelines. Help us merge your changes more quickly by adding more details such as labels, milestones, and reviewers.--> ### Proposed changes Closes #483 This PR seeks to isolate the credentials associated with a given `Stack`, to solve the problem of credentials leaking across stacks. Some underlying details here: 1. Pulumi CLI stores login credentials in PULUMI_HOME (e.g. `~/.pulumi/credentials.json`). 2. A side-effect of using `PULUMI_ACCESS_TOKEN` is that the CLI login credentials are set. 4. Pulumi CLI prefers the persisted login credentials to `PULUMI_ACCESS_TOKEN`. This PR takes the conservative approach of encapsulating the PULUMI_HOME into a per-stack working directory, as opposed to reusing `~/.pulumi` across stacks. The working directory is retained across reconciliation passes, and cleaned up during stack finalization. Note that the _workspace_ directory is erased at the end of each reconciliation pass, as is the current behavior. This PR does NOT solve the (lack of) mutability of `PULUMI_ACCESS_TOKEN` across stack updates. _Note that this PR contains some commits (related to hacking on the operator) that will be moved to a separate PR._ ### Technical Details Relevant terminology used within the controller codebase: - **root directory** - a temporary directory for each stack, retained until finalization - **home directory** - the `PULUMI_HOME` directory, located within the stack's root directory - **workspace directory** - the Pulumi workspace directory containing the program and stack configuration. The current behavior of the operator is to erase the workspace directory on each reconciliation pass, e.g. to ensure a clean git checkout. This PR retains this behavior while keeping the home directory across passes, e.g. to reuse the providers. ### Related issues (optional) - pulumi/pulumi#13919
Are you going to release a new Version soon? Since may there has only been one new Github Tag and i really wanna rollout these new changes in order to get my cluster functioning again. BTW thanks for the fix! |
What happened?
I set up 2 Stacks with 2 different Stack Resources. I used EnvRefs to specify my Pulumi Access Token:
I also tried setting the token via SecretRef
If i got only one Stack or if i can access all Stacks with the same token, it works perfectly fine. If i have two Stacks that need two different Access Tokens, it does not work anymore.
It always uses the Token from the first Stack it runs (after restarting the pod), and keeps using it for all Stacks it processes. It errors with "Organisation not found" and if i have a look at the "wrong" organisation, it tried to create the Stack in the wrong org because it havent found it there. Even though i specified the correct Tokens in each Stack Resource.
Expected Behavior
Use the correct Token.
Steps to reproduce
Create Resources as described.
Output of
pulumi about
I run version 1.13.0.
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: