pulumi / actions

Deploy continuously to your cloud of choice, using your favorite language, Pulumi, and GitHub!
Apache License 2.0

Unable to login into GCP backend combined with WIF #739

Closed dongqiaoyang closed 1 year ago

dongqiaoyang commented 1 year ago

What happened?

Unable to login into the GCP backend using the git actions combined with WIF.

Steps to reproduce

jobs:
  builder:
    runs-on: ubuntu-latest
    permissions:
      contents: "write"
      pull-requests: "write"
      id-token: "write"
    steps:
      - uses: "actions/checkout@v3"
        with:
          fetch-depth: 2
      - name: Authenticate to Google using WIF
        id: auth
        uses: google-github-actions/auth@v0
        with:
          workload_identity_provider: ${{ secrets.CDO_WORKLOAD_IDENTITY_PROVIDER_GCP }}
          service_account: "cicd-service-account@${{ env.PROJECT_ID }}.iam.gserviceaccount.com"
          project_id: ${{ env.PROJECT_ID }}
          token_format: "access_token"
      - uses: google-github-actions/setup-gcloud@v0
        with:
          # service_account_key: ${{ secrets.GCP_KEY }}
          project_id: ${{ env.PROJECT_ID }}
          export_default_credentials: true
      - uses: pulumi/actions@v3
        with:
          command: preview
          stack-name: mgates
          cloud-url: gs://repo
        env:
          GOOGLE_CREDENTIALS: ${{ steps.auth.outputs.access_token }}

Expected Behavior

Login into the gcp backend and execute preview

Actual Behavior

 stderr: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
 err?: Error: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

Output of pulumi about

No response

Additional context

No response


Frassle commented 1 year ago

Just to check did the action print "Logging into gs://repo"?

dongqiaoyang commented 1 year ago

No it does not, it just prints out

 stderr: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
 err?: Error: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

Frassle commented 1 year ago

OK thanks, I think we're missing some error checks for if the login itself was successful or not. I'll double check that and if so see about getting in a fix and tagging a new release.

dongqiaoyang commented 1 year ago

For now, are there any tips on how to get this to work? @Frassle

Frassle commented 1 year ago

Change the action to install pulumi cli (There's an action pulumi/action-install-pulumi-cli@v2 to do that) and just run "pulumi login gs://repo" to see if that works. I think it will error, but hopefully print out why.
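Frassle's two points above (the action does not yet check whether its own login succeeded, and an explicit `pulumi login` will at least show why it fails) can be combined into one fail-fast step. The script below is an added example written for this thread, not code from pulumi/actions: it logs in to a self-managed backend explicitly, surfaces the CLI's real stderr if that fails, and confirms the session with `pulumi whoami` before any `stack select` runs. The `PULUMI_BIN` variable and the `ensure_backend_login` function name are this example's own conventions; `--non-interactive` is the CLI's global flag, as already used in the error output above.

```shell
#!/bin/sh
# Added example, not part of pulumi/actions: log in to a self-managed Pulumi
# backend explicitly and fail the job if the login did not take, instead of
# letting a later `pulumi stack select` fall through to the Pulumi Service and
# its generic "PULUMI_ACCESS_TOKEN must be set" error.
#
# Assumptions (constructed for this example): PULUMI_BIN points at the pulumi
# CLI (defaults to `pulumi` on PATH) and the backend URL is passed as $1.
# Credentials for a gs:// backend are expected to come from the environment,
# e.g. the short-lived WIF token exported by the auth step.

ensure_backend_login() {
  cloud_url="$1"
  bin="${PULUMI_BIN:-pulumi}"

  if [ -z "$cloud_url" ]; then
    echo "ensure_backend_login: no backend URL given" >&2
    return 2
  fi

  # Capture stderr so the real reason for a failed login (bucket access,
  # missing credentials, ...) is printed, not a later command's symptom.
  if ! err=$("$bin" login "$cloud_url" --non-interactive 2>&1); then
    echo "pulumi login $cloud_url failed:" >&2
    echo "$err" >&2
    return 1
  fi

  # Confirm the CLI now has a usable identity against that backend.
  if ! "$bin" whoami >/dev/null 2>&1; then
    echo "pulumi whoami failed after login to $cloud_url; credentials not usable" >&2
    return 1
  fi

  echo "Logged into $cloud_url"
  return 0
}

# Usage inside a workflow `run:` step:
#   ensure_backend_login "gs://repo" || exit 1
```

Run it as its own step before `pulumi/actions`, with the same `env:` block the action gets; if the login fails, the job stops there with the CLI's own message instead of the misleading access-token error.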

simenandre commented 1 year ago

I'm testing this on my end as well, I'll update when I know more.

dongqiaoyang commented 1 year ago

Yes, when I install the CLI and do pulumi login, it works totally fine.

simenandre commented 1 year ago

@dongqiaoyang Are you running your workflow with debug logging turned on?

Login information is currently only visible when debug logging is turned on (changed in #744)

simenandre commented 1 year ago

Still might be issues like @Frassle states; not sure we're handling errors here. We should probably add a test for that.

simenandre commented 1 year ago

@dongqiaoyang maybe you can try to run gsutil ls gs://repo to validate that you're authenticated?

- run: gsutil ls gs://repo

edit: gsutil is not supported by Workload Identity Federation, so testing with gsutil will not work.

dongqiaoyang commented 1 year ago

If that can help.

Run pulumi/actions@v3
  with:
    command: preview
    stack-name: mgates
    cloud-url: gs://pulumi-state-cto-datahub-bi-np-d032f1/stacks/mgates
    work-dir: ./
    comment-on-pr: false
    github-token: ***
    parallel: 2147483647
    target-dependents: false
    refresh: false
    upsert: false
    edit-pr-comment: true
    pulumi-version: ^3
    color: auto
  env:
    PROJECT_ID: cto-datahub-bi-np-d032f1
    GITHUB_NAME: tf-infra-cto-datahub-bi
Configured range: ^3
Matched version: v3.41.1
Install destination is /home/runner/.pulumi
Successfully deleted pre-existing /home/runner/.pulumi/bin
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/.pulumi -f /home/runner/work/_temp/c42c8b68-fdc5-4421-b5d1-276f89ad27bf
Error: code: -2
 stdout:
 stderr: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
 err?: Error: Command failed with exit code 255: pulumi stack select mgates --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions

simenandre commented 1 year ago

Can you try to run with pulumi/actions@master once and share the same output?

dongqiaoyang commented 1 year ago

@cobraz it works with master. I was able to see the logs and set PULUMI_CONFIG_PASSPHRASE as env var.

dongqiaoyang commented 1 year ago

@cobraz Side question, does the git action support pulumi preview --policy-pack?

simenandre commented 1 year ago

@cobraz Side question, does the git action support pulumi preview --policy-pack?

AFAIK, yes 👍

Check the README for policyPack. I'm currently on mobile whilst traveling, so not that easy to check/send you a reference or example.

dongqiaoyang commented 1 year ago

@cobraz where is policyPack located? I can't find it. Thank you very much for your help.