2

I have a Pulumi program which works fine on my dev machine. Configuration is stored in Azure, and the resources created are also stored in Azure.

To run this I set the following environment variables:

    SET ARM_SUBSCRIPTION_ID=<id>

Locally I login to Azure using az login which then asks me for my credentials. After that I can use pulumi up to update changes in Azure. This all works without any issues.

Now I want to achieve the same thing in Azure DevOps using a release pipeline. I use the "Azure CLI" task with a correctly configured ARM connection. The task contains pulumi up -s develop --yes (where "develop" is my Pulumi stack).

I can see in the logs that the Azure login works as expected, but pulumi throws the following error:

    error: Error building AzureRM Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal). To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret

While the error is quite clear and even contains a URL to a solution, this does not really help me because I do not use Terraform directly but Pulumi instead.

TL;DR: How do I configure the Pulumi CLI to use service principal authentication with Azure?

Ole Albers

2 Answers

3

There are two options to configure Pulumi to authenticate with a Service Principal:

  1. Set the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID, or

  2. Set them using configuration

    pulumi config set azure:clientId <clientID>
    pulumi config set azure:clientSecret <clientSecret> --secret
    pulumi config set azure:tenantId <tenantID>
    pulumi config set azure:subscriptionId <subscriptionId>
    

Reference: Service Principal Authentication

Mikhail Shilkov
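
For the Azure DevOps case in the question, option 1 can be scripted inside the "Azure CLI" task. This is an added example, not part of the original answer: it assumes the task's "Access service principal details in script" option (addSpnToEnvironment) is enabled, which exposes servicePrincipalId, servicePrincipalKey and tenantId to the script, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumes the Azure CLI task runs
# with "Access service principal details in script" (addSpnToEnvironment) enabled,
# so servicePrincipalId, servicePrincipalKey and tenantId are in the environment.

# Map the task's variables onto the ARM_* names from option 1.
# ARM_* values that are already set win, so explicit pipeline variables are kept.
export_arm_credentials() {
    : "${ARM_CLIENT_ID:=${servicePrincipalId:-}}"
    : "${ARM_CLIENT_SECRET:=${servicePrincipalKey:-}}"
    : "${ARM_TENANT_ID:=${tenantId:-}}"
    export ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID
}

# Print the names (never the values) of ARM_* variables that are still empty.
missing_arm_variables() {
    missing=""
    for name in ARM_CLIENT_ID ARM_CLIENT_SECRET ARM_TENANT_ID ARM_SUBSCRIPTION_ID; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    printf '%s' "${missing# }"
}

# Fail before pulumi runs, so the log names the gap without echoing any secret.
preflight() {
    export_arm_credentials
    missing=$(missing_arm_variables)
    if [ -n "$missing" ]; then
        echo "Service principal settings missing: $missing" >&2
        return 1
    fi
}

# In the pipeline task: preflight && pulumi up -s develop --yes
```

ARM_SUBSCRIPTION_ID is not supplied by the task option and still has to be set as a pipeline variable, as in the question.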
0

If you are using the azure-native package instead of azure, try azure-native, i.e.

    pulumi config set azure-native:clientId <clientID>
    pulumi config set azure-native:clientSecret <clientSecret> --secret
    pulumi config set azure-native:tenantId <tenantID>
    pulumi config set azure-native:subscriptionId <subscriptionId>

y.v.