Running pulumi up sends an incorrect subject identifier to Providers #14509
Comments
This is semi-intentional. The reason that So in essence this is working as intended, though I agree that it's surprising when there's only a single listed environment.
I'm not sure I totally follow this, but it seems like the
Although this issue mentions Azure specifically, I have just encountered this same issue for AWS also. Might be worth expanding the subject to say this is a problem on all providers? I expect fixing one will fix them all? Or do you want separate issues? We may also want to add the same caveat to the AWS OIDC Docs until resolved:

From my understanding of the intent of using RBAC with Teams to control access to Environments, I agree with @MitchellGerdisch: feels like the Environment sent in the OIDC Subject claim should be equal to the source environment that the OIDC credentials are declared in (even when merged / imported into other environments). This would then allow us to be able to ensure the OIDC token can only be used by people / tokens that have been given access to that source environment on Pulumi Cloud! For now I am going to have to allow the

@pierskarsenbarg - Just giving a reference that we have encountered this issue also, if there is any help you can input in getting to a resolution 🙂
As mentioned in [this issue](pulumi/pulumi#14509) both AWS and Azure currently send a subject claim ending in <yaml> rather than the actual environment name being used when utilising environments in IaC config. This adds a warning until this is resolved.
Linked issues:
pulumi up sends an incorrect subject identifier to Azure
pulumi up sends an incorrect subject identifier to Providers
I hit this issue last night with GCP as the Provider. To get GCP + ESC to work I added IAM principals with the

For a Pulumi stack config yaml file:

For the Pulumi Cloud ESC editor:

(I replaced actual values with dummies)
What happened?
Related to this issue.
After configuring Pulumi ESC to work with Azure and Pulumi IaC, I tried to run the pulumi up command to have my Azure resources deployed and ran into the following error:

Somewhere in this OIDC workflow, pulumi:environments:org:pulumi:env:<yaml> is being sent as the subject identifier rather than the one that includes the name of my ESC environment.

Example
pulumi new azure-python
pulumi up -y

Output of pulumi about

Additional context
When I add pulumi:environments:org:pulumi:env:<yaml> as the subject identifier to Azure, the workflow deploys successfully.
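The security-relevant consequence of the report above, and of the RBAC comment earlier in the thread, is that a trust policy pinned to the placeholder subject no longer distinguishes one ESC environment from another. The following is an added example, not code from this issue or from Pulumi, that audits the subject claim a cloud-side trust policy accepts. It assumes the subject layout pulumi:environments:org:<org>:env:<env>, generalized from the single value quoted in the issue, and the policy entries it checks are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Subject layout assumed from the value reported in this issue:
#   pulumi:environments:org:<org>:env:<env>
SUBJECT_RE = re.compile(r"^pulumi:environments:org:([^:]+):env:([^:]+)$")

# The literal environment segment the issue reports in place of the real name.
PLACEHOLDER_ENV = "<yaml>"


def parse_subject(subject: str) -> Dict[str, str]:
    """Split a Pulumi ESC OIDC subject into its org and env segments."""
    m = SUBJECT_RE.match(subject)
    if not m:
        raise ValueError(f"not a Pulumi ESC environment subject: {subject!r}")
    return {"org": m.group(1), "env": m.group(2)}


def expected_subject(org: str, env: str) -> str:
    """Subject a trust policy should pin to for one specific environment."""
    return f"pulumi:environments:org:{org}:env:{env}"


def audit_subject(subject: str, org: str, env: str) -> Tuple[bool, str]:
    """Decide whether a presented subject identifies exactly the expected environment."""
    parsed = parse_subject(subject)
    if parsed["env"] == PLACEHOLDER_ENV:
        return False, (
            "environment segment is the '<yaml>' placeholder; every environment in "
            f"org {parsed['org']!r} would present the same subject"
        )
    if parsed["org"] != org or parsed["env"] != env:
        return False, f"subject is for {parsed['org']}/{parsed['env']}, expected {org}/{env}"
    return True, "subject pins the expected organization and environment"


def placeholder_entries(allowed_subjects: List[str]) -> List[str]:
    """Return the trust-policy entries that accept the placeholder subject.

    These are the entries to flag in review: they are the workaround described
    in this issue and should be replaced by per-environment subjects once the
    real environment name is sent.
    """
    flagged = []
    for s in allowed_subjects:
        try:
            if parse_subject(s)["env"] == PLACEHOLDER_ENV:
                flagged.append(s)
        except ValueError:
            continue  # entries in other subject formats are out of scope here
    return flagged


if __name__ == "__main__":
    # Constructed sample policy: one per-environment entry, the workaround entry
    # from this issue, and an unrelated non-Pulumi subject.
    policy = [
        expected_subject("pulumi", "aws-prod"),
        "pulumi:environments:org:pulumi:env:<yaml>",
        "repo:example-org/example-repo:ref:refs/heads/main",
    ]
    print("placeholder entries:", placeholder_entries(policy))
    print(audit_subject("pulumi:environments:org:pulumi:env:<yaml>", "pulumi", "aws-prod"))
```

Run against the subjects a federated credential or role trust policy currently lists; any entry reported by placeholder_entries grants the same trust to every environment in that organization, which is exactly the property the RBAC discussion above wants to avoid.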