pulumi / pulumi-digitalocean

A DigitalOcean Pulumi resource package, providing multi-language access to DigitalOcean
Apache License 2.0

DO Token not being used for authentication #804

Closed starptr closed 2 months ago

starptr commented 2 months ago

Describe what happened

After my old DO token expired, I added a new DO API token via `pulumi config set digitalocean:token XXX --secret`, and confirmed that the token is necessary & correct by running

```sh
curl -X GET "https://api.digitalocean.com/v2/actions" \
    -H "Authorization: Bearer $DIGITALOCEAN_TOKEN"
```

before and after setting the token env variable. (The request fails before, and succeeds after.) However, running `pulumi refresh` keeps failing, with every error message looking like this:

```
  digitalocean:index:Droplet (nixie):
    error: Preview failed: refreshing urn:pulumi:dev::taco::digitalocean:index/droplet:Droplet::nixie: 1 error occurred:
        * Error retrieving droplet: GET https://api.digitalocean.com/v2/droplets/421967704: 401 (request "3848e22c-3a65-4446-a8c2-8395195b9dc2") Unable to authenticate you
```

Any pointers appreciated :)

(Interestingly, when I run `pulumi config set digitalocean:token XXX --secret`, I notice that an encrypted version of the token is added to `Pulumi.dev.yaml`, and calling `pulumi config set …` multiple times changes the string that is in `Pulumi.dev.yaml`. But it looks like this is expected behavior?)

Sample program

I will do this if needed to debug this :)

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI
Version      3.130.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  digitalocean  4.31.0
language  python        unknown

Host
OS       darwin
Version  14.2.1
Arch     arm64

This project is written in python: executable='/Users/yuto/src/taco/src/venv/bin/python' version='3.12.3'

Current Stack: starptr/taco/dev

TYPE                                        URN
pulumi:pulumi:Stack                         urn:pulumi:dev::taco::pulumi:pulumi:Stack::taco-dev
pulumi:providers:digitalocean               urn:pulumi:dev::taco::pulumi:providers:digitalocean::default_4_30_2
digitalocean:index/tag:Tag                  urn:pulumi:dev::taco::digitalocean:index/tag:Tag::pulumi-taco
digitalocean:index/customImage:CustomImage  urn:pulumi:dev::taco::digitalocean:index/customImage:CustomImage::nixos-23_11-x86_64
digitalocean:index/customImage:CustomImage  urn:pulumi:dev::taco::digitalocean:index/customImage:CustomImage::nixos-yuto3
digitalocean:index/droplet:Droplet          urn:pulumi:dev::taco::digitalocean:index/droplet:Droplet::nixie
digitalocean:index/droplet:Droplet          urn:pulumi:dev::taco::digitalocean:index/droplet:Droplet::andref

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/starptr
User           starptr
Organizations  starptr
Token type     personal

Dependencies:
NAME                 VERSION
mypy                 1.11.2
octodns-cloudflare   0.0.6
pip                  24.0
pulumi_digitalocean  4.31.0

Pulumi locates its logs in /var/folders/lx/_wdp60bj7f977bvl3mbl5kgr0000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

iwahbe commented 2 months ago

Hi @starptr. `pulumi refresh`[^1] only uses your state file. It does not incorporate changes from your config file or your program. You will need to run `pulumi up` first to migrate the new token from your config to your state, then `pulumi refresh` will work.

[^1]: This is also true for pulumi destroy.
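
The behaviour described in the reply above, as an added example that is not part of the original thread or Pulumi's own code: the provider resource recorded in the stack state carries its own copy of the token, so a check over `pulumi stack export --show-secrets` output can tell whether the state still holds the old one before a refresh fails with a 401. The sample export and placeholder tokens are constructed, and the secret-object shape and all function names are assumptions.

```python
import hashlib
import json

# Constructed sample shaped like `pulumi stack export --show-secrets` output;
# the tokens are placeholders, not real credentials.
SAMPLE_EXPORT = json.dumps({
    "version": 3,
    "deployment": {"resources": [
        {"type": "pulumi:pulumi:Stack",
         "urn": "urn:pulumi:dev::taco::pulumi:pulumi:Stack::taco-dev"},
        {"type": "pulumi:providers:digitalocean",
         "urn": "urn:pulumi:dev::taco::pulumi:providers:digitalocean::default_4_30_2",
         "inputs": {"token": {"plaintext": "\"dop_v1_OLD_PLACEHOLDER\""}}},
    ]},
})


def fingerprint(token: str) -> str:
    """Short SHA-256 prefix so tokens can be compared without printing them."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def unwrap(value):
    """Return the plaintext of a provider input, or None if still encrypted.

    Assumption: a decrypted secret is an object whose "plaintext" field holds
    the JSON-encoded value; a non-secret input is a bare string.
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "plaintext" in value:
        return json.loads(value["plaintext"])
    return None


def stale_providers(export_json: str, current_token: str,
                    provider_type: str = "pulumi:providers:digitalocean"):
    """List (urn, reason) for providers whose stored token differs from current_token."""
    findings = []
    for res in json.loads(export_json)["deployment"].get("resources", []):
        if res.get("type") != provider_type:
            continue
        stored = unwrap(res.get("inputs", {}).get("token"))
        if stored is None:
            findings.append((res["urn"], "token absent or not decrypted"))
        elif fingerprint(stored) != fingerprint(current_token):
            findings.append((res["urn"], "state holds a different token"))
    return findings
```

`--show-secrets` writes the plaintext token to stdout, so pipe real output straight into the check rather than to a file or a shared terminal log.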

starptr commented 2 months ago

Hey @iwahbe, thanks for the response! Running `pulumi up` (specifically, not `pulumi up --refresh`) indeed looks like it is now using the new token. So I'm closing this issue. But now, I am confused about the "correct thing to do" whenever I want to sync up cloud resources with changes to either my config (e.g. DO auth token) or program (e.g. make a new Droplet). I thought I read somewhere that the best practice was to always sync the local Pulumi state with the true real-world state by running `pulumi up --refresh` (which is equivalent to `pulumi refresh` as I understand it) before pushing the actual config/program changes. I'm probably mistaken, but not sure what the correct mental model should be. Any helpful context & knowledge appreciated!