OIDC auth not working for GitLab #2609

Closed worldofgeese closed 1 year ago

What happened?

The Azure Native OIDC docs page give instructions for GitHub to Azure OIDC as if they were Git forge agnostic. Following its instructions for GitLab and setting the following environment variables results in auth error:

 error: rpc error: code = Unknown desc = invocation of azure-native:authorization:getClientConfig returned an error: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token and/or request URL were configured.

ARM_OIDC_REQUEST_TOKEN is a GitHub Actions specific variable. For other CI systems, users need to use ARM_OIDC_TOKEN.See also this GitHub issue and and Pulumi's own docs page for AzAPI. If I remove the GitHub Actions specific variables, ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL, then set ARM_OIDC_TOKEN I still run into errors:

 error: rpc error: code = Unknown desc = invocation of azure-native:authorization:getClientConfig returned an error: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token and/or request URL were configured.

I have verified I can log in independently to Azure in my GitLab CI step using GitLab's native OIDC token fetching:

image: gardendev/garden-azure:0.13.9-alpine-rootless

run-garden:
  stage: build
  id_tokens:
    ARM_OIDC_TOKEN
      aud: https://gitlab.hansen.agency
  script:
    - az login --service-principal -u $ARM_CLIENT_ID -t $ARM_TENANT_ID --federated-token $ARM_OIDC_TOKEN
    - garden workflow my-workflow --env=ci

Expected Behavior

Pulumi's docs should provide Git forge agnostic doucmentation on setting up OIDC. OIDC should work without an az login pre-step. Azure Native OIDC should not attempt to use GitHub-specific functions when operating on other forges like GitLab, etc.

Steps to reproduce

A reproducible Pulumi example is available here.

Output of `pulumi about`

garden tools pulumi.pulumi-3-70-0 -- about
CLI          
Version      3.70.0
Go Version   go1.20.4
Go Compiler  gc

Plugins
NAME  VERSION
yaml  unknown

Host     
OS       clear-linux-os
Version  1
Arch     x86_64

This project is written in yaml

Current Stack: worldofgeese/azure-yaml/ci

Found no resources associated with ci

Found no pending operations associated with ci

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/worldofgeese
User           worldofgeese
Organizations  worldofgeese

No dependencies found

Additional context

Logging in with az login is unexpectedly a pre-condition for getting this far, else I receive a different auth error:

                  type: runtime
                  stack: |-
                    Error: Error when applying pulumi stack:
                    Previewing update (ci)
                    View Live: https://app.pulumi.com/worldofgeese/azure-yaml/ci/previews/38c53092-5802-4cbf-9813-637ac7b603aa
                     +  pulumi:pulumi:Stack azure-yaml-ci create 
                    @ Previewing update...............
                        pulumi:providers:azuread default  error: rpc error: code = Unknown desc = failed to load Azure credentials.
                     +  pulumi:pulumi:Stack azure-yaml-ci create 
                        pulumi:providers:azuread default  1 error
                    Diagnostics:
                      pulumi:providers:azuread (default):
                        error: rpc error: code = Unknown desc = failed to load Azure credentials.
                        Details: could not configure AzureCli Authorizer: obtaining subscription ID: running Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

                            Please make sure you have signed in via 'az login' or configured another authentication method.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Hi @worldofgeese! ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL are not GitHub-specific, they are the variables to configure for other providers like GitLab.

supply the provider with an ID token and a URL to use for exchange. In GitHub, we don’t need to configure this since GitHub sets the relevant environment variables ACTIONS_ID_TOKEN_REQUEST_TOKEN and ACTIONS_ID_TOKEN_REQUEST_URL by default and the provider reads them. In other scenarios, set the Pulumi configuration azure-native:oidcRequestToken or environment variable ARM_OIDC_REQUEST_TOKEN for the token, and configuration azure-native:oidcRequestUrl or environment variable ARM_OIDC_REQUEST_URL for the URL.

Can you try setting ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL with the GitLab values?

@thomas11 thanks for taking a look! I see I made a mistake in my issue report: the first error was intended to show the result of running with ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL set:

fn::invoke:
function: azure-native:authorization:getClientConfig
return: tenantId
ℹ Error registering variable [tenantId]: no diagnostics
Error registering resource [keyVault]: no diagnostics
Error registering resource [civoFirewall]: no diagnostics
   error: Error registering resource [kubernetesSecret]: no diagnostics
        * building client: unable to obtain access token: githubAssertion: cannot unmarshal response: invalid character '<' looking for beginning of value

Hi @worldofgeese! ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL are not GitHub-specific, they are the variables to configure for other providers like GitLab.

I don't believe this to be correct. Notice the error above appears to make use of a githubAssertion.

ARM_OIDC_REQUEST_TOKEN is a GitHub Actions specific variable. For other CI systems, users need to use ARM_OIDC_TOKEN.See also https://github.com/hashicorp/terraform-provider-azurerm/issues/16901 and and Pulumi's own docs page for AzAPI. If I remove the GitHub Actions specific variables, ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL, then set ARM_OIDC_TOKEN I still run into errors:

If you haven't already, do you mind reading my linked sources? They corroborate my findings.

Hi @worldofgeese! ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL are what we have documented for non-GitHub scenarios.

This GH page documents how ACTIONS_ID_TOKEN_REQUEST_TOKEN is the special pre-defined variable for GitHub's token.

The Pulumi provider checks both, in order:

    if useOIDC {
        oidcRequestToken = k.getConfig("oidcRequestToken", "ARM_OIDC_REQUEST_TOKEN")
        if oidcRequestToken == "" {
            // The ACTIONS_ variables are set by GitHub.
            oidcRequestToken = k.getConfig("oidcRequestToken", "ACTIONS_ID_TOKEN_REQUEST_TOKEN")
        }

@thomas11 if Pulumi's documentation is correct and Pulumi just happens to use the exact same variable names that are used by Terraform to indicate tokens that are consumed by GitHub Actions exclusively, then I suggest working together to identify the cause of errors encountered using either the set of ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL or the singular variable, ARM_OIDC_TOKEN. Happy to continue debugging but I need help because I haven't been able to square it after a solid day's work on it.

I'm including a screenshot of Terraform's own docs here. I do find it mighty strange that they are using ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL here to indicate variables consumed by GitHub Actions.

Hi @worldofgeese, since this is about the Azure Native provider, Terraform is not used at all. Of course, we still try to avoid conflicting variable names.

The confusion here comes from the fact that both ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_TOKEN exist, in both Terraform and Pulumi. They are different tokens (both described in the TF docs as well).

ARM_OIDC_TOKEN is the ID token that is used to authenticate to Azure (or some other service).
ARM_OIDC_REQUEST_TOKEN is the token that the CI platform, like GitHub, provides to be exchanged at the OIDC provider (Azure) for an Azure token. ARM_OIDC_REQUEST_URL is where the token exchange happens.

In the general case of CI like GitHub or GitLab, you wouldn't use ARM_OIDC_TOKEN since you don't have an ID token yet. You'd use ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL to configure the token exchange. As a shortcut, you don't need to configure those on GitHub because the provider checks for GitHub's pre-set variables.

@thomas11 in https://github.com/pulumi/pulumi-azure-native/issues/2609#issuecomment-1653713023 I provide logs when using variables ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL. Any suggestions for next steps or further details I can provide?

In the scenario your logs are from, what did you set ARM_OIDC_REQUEST_TOKEN and ARM_OIDC_REQUEST_URL to?

Unfortunately, the logs are not very detailed. You could try increasing verbosity.

TBH I'm having trouble matching GitLab's OIDC documentation to Azure's and GitHub's. Based on https://docs.gitlab.com/ee/integration/openid_connect_provider.html -> https://gitlab.com/.well-known/openid-configuration, ARM_OIDC_REQUEST_URL should probably be "https://gitlab.com/oauth/token". I'm not sure where to get the token from, though.

I see a similar error message, when using OIDC for Pulumi ESC.

This is my environment

values:
  azure:
    login:
      fn::open::azure-login:
        clientId: x
        tenantId: y
        subscriptionId: /subscriptions/z 
        oidc: true
  environmentVariables:
    ARM_CLIENT_ID: ${azure.login.clientId}
    ARM_TENANT_ID: ${azure.login.tenantId}
    ARM_USE_OIDC: "true"
    ARM_OIDC_REQUEST_TOKEN: ${azure.login.oidc.token}
    ARM_SUBSCRIPTION_ID: /subscriptions/z
    ARM_OIDC_REQUEST_URL: https://api.pulumi.com/oidc
    ARM_SKIP_CREDENTIALS_VALIDATION: "true"

When calling pulumi up i get following error message:

Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found

Extended logs look like this:


  Type                                     Name                      Status              Info
  pulumi:pulumi:Stack                      minecraft-pulumi-esc-dev  running.            debug: 2023/10/12 18:38:54 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant x
  +   └─ azure-native:resources:ResourceGroup  resourceGroup             creating (452s).
  I1012 18:46:26.437589    9674 log.go:81] provider received rpc error `Unknown`: `autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found
                                                                                                                                                                                    `
                                                                                                                                                                                    I1012 18:46:26.437765    9674 log.go:81] rpc error kind `Unknown` may not be recoverable
                                                                                                                                                                                    I1012 18:46:26.437800    9674 log.go:81] Provider[azure-native, 0x14001460af0].Create(urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup) failed: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I1012 18:46:26.437871    9674 log.go:81] eventSink::Error(<{%reset%}>autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              <{%reset%}>)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I1012 18:46:26.438099    9674 log.go:81] SnapshotManager: createSnapshotMutation.End(..., false)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I1012 18:46:26.438142    9674 log.go:81] SnapshotManager.markOperationComplete(urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup)
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I1012 18:46:26.438827    9674 log.go:73] compressing payload using gzip
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                I1012 18:46:26.441084    9674 log.go:81] gzip compression ratio: 2.088608, original size: 990 bytes
                                                                                                                                                                                                                                                                                                                                                                                                                                                                              I1012 18:46:26.441161    9674 log.go:81] Making Pulumi API call: https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/checkpointverbatim
                                                                                                                                                                                    I1012 18:46:26.441262    9674 log.go:81] Pulumi API call details (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/checkpointverbatim): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[update-token eyJhbGciOiJIUzI1NiIsImtleSI6IkFBQUJBQUVDQXdCNHh5VXl0Vk0yakhGTThrNnV3TU5IQWI0cXZTOHhPNTE3N0hSL2ZsTEhJamtCVDJ4VVhLc1oxVmtiNmlEUmNHTlJoUUFBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESXBMMWhwYXRXSGkwNlMyTlFJQkVJQTdoNnhvQnliNGl6TWI1eURldTI3MUdXZ3NRWW4yUCswaXZISnkyQmhGUkZrMTJLVkZCeWpYMDE0eXRYREdjV2V1T0Rlek56R2RRUE01Q0ljPSIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6MTY5NzEyOTM2OSwidXBkYXRlSUQiOiIyYmMwYzYxNS00NmQ3LTQ0MjAtYTMwYi1hNjA0NWUwMDM3ODcifQ.mavG2hNd2tjoqDsYPpW0ghtWCwOBXwM5Ne85YC7HNow] Content-Encoding:[gzip] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.88.1; darwin)]]; body={"version":3,"untypedDeployment":{"version":3,"deployment":{"manifest":{"time":"2023-10-12T18:46:26.438159+02:00","magic":"98eac21badaa7c46e96ea42e48b43fe4bc5fa1f5bbacecd79acdf6fc655eef54","version":"v3.88.1"},"secrets_providers":{"type":"service","state":{"url":"htt
                                                                                                                                                                   Type                                     Name                      Status                  Info
                                                                                                                                                                                  pulumi:pulumi:Stack                      minecraft-pulumi-esc-dev  running.                debug: 2023/10/12 18:38:54 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant x
                                                                                   +   └─ azure-native:resources:ResourceGroup  resourceGroup             **creating failed**     error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page
    I1012 18:46:27.287556    9674 log.go:73] compressing payload using gzip
  I1012 18:46:27.288456    9674 log.go:81] gzip compression ratio: 2.488414, original size: 1396 bytes
                                                                     I1012 18:46:27.288552    9674 log.go:81] Making Pulumi API call: https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch
                                                                     I1012 18:46:27.288637    9674 log.go:81] Pulumi API call details (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[update-token eyJhbGciOiJIUzI1NiIsImtleSI6IkFBQUJBQUVDQXdCNHh5VXl0Vk0yakhGTThrNnV3TU5IQWI0cXZTOHhPNTE3N0hSL2ZsTEhJamtCVDJ4VVhLc1oxVmtiNmlEUmNHTlJoUUFBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESXBMMWhwYXRXSGkwNlMyTlFJQkVJQTdoNnhvQnliNGl6TWI1eURldTI3MUdXZ3NRWW4yUCswaXZISnkyQmhGUkZrMTJLVkZCeWpYMDE0eXRYREdjV2V1T0Rlek56R2RRUE01Q0ljPSIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6MTY5NzEyOTM2OSwidXBkYXRlSUQiOiIyYmMwYzYxNS00NmQ3LTQ0MjAtYTMwYi1hNjA0NWUwMDM3ODcifQ.mavG2hNd2tjoqDsYPpW0ghtWCwOBXwM5Ne85YC7HNow] Content-Encoding:[gzip] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.88.1; darwin)]]; body={"events":[{"sequence":9,"timestamp":1697129187,"diagnosticEvent":{"urn":"urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup","prefix":"\u003c{%fg 1%}\u003eerror: \u003c{%reset%}\u003e","message":"\u003c{%reset%}\u003eautorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found\n\u003c{%reset%}\u003e\n","color":"raw","severity":"error"}},{"sequence":10,"timestamp":1697129187,"resOpFailedEvent":{"metadata":{"op":"create","urn":"urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup","type":"azure-native:resources:ResourceG
    Type                                     Name                      Status                  Info
  pulumi:pulumi:Stack                      minecraft-pulumi-esc-dev  running..               debug: 2023/10/12 18:38:54 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant x
  +   └─ azure-native:resources:ResourceGroup  resourceGroup             **creating failed**     error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page
  I1012 18:46:27.324538    9674 log.go:81] Pulumi API call response code (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/checkpointverbatim): 204 No Content
    I1012 18:46:27.324581    9674 log.go:81] Pulumi API call response body (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/checkpointverbatim):
    I1012 18:46:27.324617    9674 log.go:81] StepExecutor worker(2): step create on urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup failed with an error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found
    I1012 18:46:27.324624    9674 log.go:81] StepExecutor worker(2): step create on urn:pulumi:dev::minecraft-pulumi-esc::azure-native:resources:ResourceGroup::resourceGroup failed, signalling cancellation
      I1012 18:46:27.324638    9674 log.go:81] deploymentExecutor.Execute(...): context finished: context canceled
      I1012 18:46:27.324643    9674 log.go:81] StepExecutor worker(-1): StepExecutor.waitForCompletion(): waiting for worker threads to exit
                                                                          I1012 18:46:27.324639    9674 log.go:81] StepExecutor worker(-2): worker exiting due to cancellation
      I1012 18:46:27.324655    9674 log.go:81] StepExecutor worker(-1): StepExecutor.waitForCompletion(): worker threads all exited
                                                                          I1012 18:46:27.324658    9674 log.go:81] deploymentExec
    Type                                     Name                      Status                  Info
    pulumi:pulumi:Stack                      minecraft-pulumi-esc-dev  running..               error: update failed
    +   └─ azure-native:resources:ResourceGroup  resourceGroup             **creating failed**     error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page
  I1012 18:46:27.329716    9674 log.go:81] langhost[go].Run(pwd=/Users/dirien/trash-stacks/minecraft-pulumi-esc,program=.,...,dryrun=false) failed: err=error reading from server: read tcp 127.0.0.1:55834->127.0.0.1:55833: use of closed network connection
                                                                                                                                                                                     I1012 18:46:27.329734    9674 log.go:81] Explicitly ignoring and discarding error: rpc error: code = Canceled desc = grpc: the client connection is closing
                                                                                                                                                                                                                                                                                     I1012 18:46:27.330976    9674 log.go:81] EvalSourceIterator ended with an error: error reading from server: read tcp 127.0.0.1:55834->127.0.0.1:55833: use of closed network connection
                                                                                                                                                                                       Type                                     Name                      Status                  Info
                                                                                                                                                                                       pulumi:pulumi:Stack                      minecraft-pulumi-esc-dev  **failed**              1 error; 6 debugs
    I1012 18:46:27.331160    9674 log.go:73] compressing payload using gzip
    +   └─ azure-native:resources:ResourceGroup  resourceGroup             **creating failed**     1 error

  Diagnostics:
    pulumi:pulumi:Stack (minecraft-pulumi-esc-dev):
      debug: 2023/10/12 18:38:54 Testing if Service Principal / Client Certificate is applicable for Authentication..
      debug: 2023/10/12 18:38:54 Testing if Multi Tenant Service Principal / Client Secret is applicable for Authentication..
      debug: 2023/10/12 18:38:54 Testing if Service Principal / Client Secret is applicable for Authentication..
      debug: 2023/10/12 18:38:54 Testing if OIDC is applicable for Authentication..
      debug: 2023/10/12 18:38:54 Using OIDC for Authentication
      debug: 2023/10/12 18:38:54 Getting OAuth config for endpoint https://login.microsoftonline.com/ with  tenant x
      error: update failed
  I1012 18:46:27.331397    9674 log.go:81] gzip compression ratio: 1.512000, original size: 378 bytes

                                                                     azure-native:resources:ResourceGroup (resourceGroup):
                                                                       error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: githubAssertion: received HTTP status 404 with response: 404 page not found

  I1012 18:46:27.331911    9674 log.go:81] Making Pulumi API call: https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch
    Resources:
    1 unchanged

  Duration: 7m36s

  I1012 18:46:27.331927    9674 log.go:81] Pulumi API call details (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[update-token eyJhbGciOiJIUzI1NiIsImtleSI6IkFBQUJBQUVDQXdCNHh5VXl0Vk0yakhGTThrNnV3TU5IQWI0cXZTOHhPNTE3N0hSL2ZsTEhJamtCVDJ4VVhLc1oxVmtiNmlEUmNHTlJoUUFBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESXBMMWhwYXRXSGkwNlMyTlFJQkVJQTdoNnhvQnliNGl6TWI1eURldTI3MUdXZ3NRWW4yUCswaXZISnkyQmhGUkZrMTJLVkZCeWpYMDE0eXRYREdjV2V1T0Rlek56R2RRUE01Q0ljPSIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6MTY5NzEyOTM2OSwidXBkYXRlSUQiOiIyYmMwYzYxNS00NmQ3LTQ0MjAtYTMwYi1hNjA0NWUwMDM3ODcifQ.mavG2hNd2tjoqDsYPpW0ghtWCwOBXwM5Ne85YC7HNow] Content-Encoding:[gzip] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.88.1; darwin)]]; body={"events":[{"sequence":11,"timestamp":1697129187,"diagnosticEvent":{"prefix":"\u003c{%fg 1%}\u003eerror: \u003c{%reset%}\u003e","message":"\u003c{%reset%}\u003eupdate failed\u003c{%reset%}\u003e\n","color":"raw","severity":"error"}},{"sequence":12,"timestamp":1697129187,"summaryEvent":{"maybeCorrupt":true,"durationSeconds":455,"resourceChanges":{"same":1},"PolicyPacks":{}}}]}
  I1012 18:46:27.510183    9674 log.go:81] Pulumi API call response code (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): 200 OK
  I1012 18:46:27.510282    9674 log.go:81] Pulumi API call response body (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): {"code":200,"message":""}
  I1012 18:46:27.547243    9674 log.go:81] Pulumi API call response code (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): 200 OK
  I1012 18:46:27.547479    9674 log.go:81] Pulumi API call response body (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/events/batch): {"code":200,"message":""}
  I1012 18:46:27.548027    9674 log.go:81] Making Pulumi API call: https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/complete
  I1012 18:46:27.548076    9674 log.go:81] Pulumi API call details (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/complete): headers=map[Accept:[application/vnd.pulumi+8] Accept-Encoding:[gzip] Authorization:[update-token eyJhbGciOiJIUzI1NiIsImtleSI6IkFBQUJBQUVDQXdCNHh5VXl0Vk0yakhGTThrNnV3TU5IQWI0cXZTOHhPNTE3N0hSL2ZsTEhJamtCVDJ4VVhLc1oxVmtiNmlEUmNHTlJoUUFBQUg0d2ZBWUpLb1pJaHZjTkFRY0dvRzh3YlFJQkFEQm9CZ2txaGtpRzl3MEJCd0V3SGdZSllJWklBV1VEQkFFdU1CRUVESXBMMWhwYXRXSGkwNlMyTlFJQkVJQTdoNnhvQnliNGl6TWI1eURldTI3MUdXZ3NRWW4yUCswaXZISnkyQmhGUkZrMTJLVkZCeWpYMDE0eXRYREdjV2V1T0Rlek56R2RRUE01Q0ljPSIsInR5cCI6IkpXVCJ9.eyJleHBpcmF0aW9uVGltZSI6MTY5NzEyOTM2OSwidXBkYXRlSUQiOiIyYmMwYzYxNS00NmQ3LTQ0MjAtYTMwYi1hNjA0NWUwMDM3ODcifQ.mavG2hNd2tjoqDsYPpW0ghtWCwOBXwM5Ne85YC7HNow] Content-Type:[application/json] User-Agent:[pulumi-cli/1 (v3.88.1; darwin)]]; body={"status":"failed"}
  I1012 18:46:27.814708    9674 log.go:81] Pulumi API call response code (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/complete): 204 No Content
  I1012 18:46:27.814828    9674 log.go:81] Pulumi API call response body (https://api.pulumi.com/api/stacks/dirien/minecraft-pulumi-esc/dev/update/2bc0c615-46d7-4420-a30b-a6045e003787/complete):

@dirien is this on GitLab as well? If not, let's keep a separate issue for your problem.

What is the e2e scenario you're trying to accomplish?

pulumi / pulumi-azure-native