Closed tfreundo closed 3 years ago
Seems like a possible issue for pulumi-az-pipelines-task or possibly just a configuration error. Could you also provide context on other environment variables you're setting?
Thanks for the fast reply.
Sorry, I should have mentioned that I use the manual approach of using pulumi with Azure DevOps, and I use an Azure Blob Storage as state backend.
It seems to be an issue when I use a service principal in combination with the below Azure DevOps task.
Therefore, after the setup incl. installation of pulumi, I use the following bash task to do the pulumi up:
```yaml
- task: Bash@3
  inputs:
    targetType: 'inline'
    script: |
      pulumi stack select ${{ parameters.stage }}
      pulumi up --skip-preview --non-interactive --yes
    workingDirectory: ${{ variables.infrastructureFolder }}
  displayName: 'Pulumi up (China)'
  env:
    AZURE_STORAGE_SAS_TOKEN: $(AZURE_STORAGE_SAS_TOKEN)
    PULUMI_CONFIG_PASSPHRASE: $(PULUMI_CONFIG_PASSPHRASE)
    ARM_ENVIRONMENT: $(ARM_ENVIRONMENT_CHINA)
    ARM_SUBSCRIPTION_ID: $(ARM_SUBSCRIPTION_ID_CHINA)
    ARM_CLIENT_ID: $(ARM_CLIENT_ID_CHINA)
    ARM_CLIENT_SECRET: $(ARM_CLIENT_SECRET_CHINA)
    ARM_TENANT_ID: $(ARM_TENANT_ID_CHINA)
```
I also played around with additional env variables like AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, ... but that didn't quite work out.
@emiliza maybe you have to move this issue again as I do not use pulumi-az-pipelines-task
Any updates on this?
We just found the issue: we accidentally overwrote the env vars in the pipeline. Therefore my fault, closing the issue.
I have a pulumi stack that I deploy to AzureCloud and AzureChinaCloud. This works fine from my local machine using my own user. Afterwards I automated it using an Azure DevOps Pipeline (using a Service Principal) which again works fine for AzureCloud but does not work for AzureChinaCloud.
I have set the environment to AzureChinaCloud through the environment variable ARM_ENVIRONMENT with value china, as described in the pulumi documentation. In my example I simply deploy a resourceGroup from the pulumi azure-native package.
The pulumi preview step seems to use another endpoint than the pulumi up step.
Excerpt from pulumi preview logs:
AzureRM Response for https://management.chinacloudapi.cn/subscriptions/***/providers?api-version=2016-02-01:
and
{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1630657514","not_before":"1630653614","resource":"https://management.chinacloudapi.cn/","access_token":"..."}
--> successfully receives a token as it uses the chinacloudapi.cn endpoint
Excerpt from pulumi up logs:
azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/***/resourcegroups/***?api-version=2019-05-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS90002: Tenant '***' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace ID: ***\r\nCorrelation ID: ***\r\nTimestamp: 2021-09-03 07:25:28Z","error_codes":[90002],"timestamp":"2021-09-03 07:25:28Z","trace_id":"***","correlation_id":"***","error_uri":"***"} Endpoint https://login.microsoftonline.com/***/oauth2/token?api-version=1.0
--> Can't find the tenant, which makes sense as the subscriptionId I supply only lives in the AzureChinaCloud but not in the AzureCloud. --> does not receive a token as it uses the azure.com endpoint
This issue could maybe be related.
Steps to reproduce
Set ARM_ENVIRONMENT to value china and use Service Principal credentials
Run pulumi up
Expected: Infrastructure is successfully deployed to AzureChinaCloud
Actual: Exception azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request (see log excerpt above)
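The root cause in this thread was pipeline variables being overwritten, so `pulumi up` silently ran against the AzureCloud endpoints. The following preflight helper is an added example (not from the issue or from Pulumi) for the Bash@3 task above: it checks that every ARM_* variable the task's env: block is meant to supply is non-empty and not a left-over unexpanded `$(...)` pipeline macro, and it resolves which management and login endpoints the chosen ARM_ENVIRONMENT should produce, so a wrong cloud fails the step before any deployment is attempted.

```shell
# Added preflight helper for a Bash@3 step that runs `pulumi up` with
# service-principal credentials (example code, not the project's own).

# Resolve "<management endpoint> <login endpoint>" for an ARM_ENVIRONMENT value.
# Unknown values return 1 so a typo cannot silently fall back to AzureCloud.
arm_endpoints_for() {
  case "$1" in
    public)       echo "https://management.azure.com/ https://login.microsoftonline.com/" ;;
    china)        echo "https://management.chinacloudapi.cn/ https://login.chinacloudapi.cn/" ;;
    usgovernment) echo "https://management.usgovcloudapi.net/ https://login.microsoftonline.us/" ;;
    *)            return 1 ;;
  esac
}

# Verify the variables the task's env: block is supposed to provide.
# Reports each problem by variable name only (never the value, which may be a
# secret), prints the endpoints the cloud resolves to, and returns 1 on any issue.
check_arm_env() {
  ok=0
  for name in ARM_ENVIRONMENT ARM_SUBSCRIPTION_ID ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing or empty: $name" >&2
      ok=1
    else
      # Azure Pipelines leaves an undefined $(VAR) macro unexpanded, which is
      # exactly what an overwritten or renamed pipeline variable looks like.
      case "$val" in
        '$('*')') echo "unexpanded pipeline macro in: $name" >&2; ok=1 ;;
      esac
    fi
  done
  if ! endpoints=$(arm_endpoints_for "${ARM_ENVIRONMENT:-}"); then
    echo "unknown ARM_ENVIRONMENT value: '${ARM_ENVIRONMENT:-}'" >&2
    return 1
  fi
  echo "ARM_ENVIRONMENT=$ARM_ENVIRONMENT -> management ${endpoints%% *} login ${endpoints#* }"
  return $ok
}

# Usage in the inline script, before `pulumi stack select` / `pulumi up`:
#   check_arm_env || exit 1
```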