-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PULUMI_ACCESS_TOKEN must be set error when using azure blob as backend #1010
Comments
@dkezri I was talking to someone else about this yesterday. If you use I think this is still an issue so it should be left open for now, but that's at least a workaround for now |
I wonder if this is just an actions issue? It seems to work fine locally on the command line. |
Moved to the GH action repo |
I am using this configuration in my git hub action:
|
If you updated that and added - uses: pulumi/actions@v4
with:
command: up
github-token: ${{ secrets.GIT_ACCESS_TOKEN }}
stack-name: ${{ env.PULUMI_STACK_NAME }}
work-dir: ${{ env.PULUMI_WORK_DIR }}
cloud-url: azblob://${{ env.AZURE_CONTAINER_NAME }}
upsert: true
env:
ARM_USE_OIDC: true
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
PULUMI_BACKEND_URL: azblob://${{ env.AZURE_CONTAINER_NAME }} That should work |
@pierskarsenbarg Logging into azblob://pulumistatecontainerdev /home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77 err?: Error: Command failed with exit code 255: pulumi stack select --stack dev --non-interactive |
Have you managed to get this working locally? This looks like incorrect auth tokens, but that should be simpler to verify locally than running through GHA. |
@Frassle this is only an github action issue, it works when i am using #PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} then it create state in pulumi backend and also creates new resources in Azure, my point is to used Azure blob as backend |
Yes, but what I'm asking is if you've managed to get it creating stacks in Azure on your local machine? That is if you try and
Does that login successfully? |
I think your access keys are invalid. Double check with the azure CLI as well, as something like |
@Frassle i get information about container: There are no credentials provided in your command and environment, we will query for account key for your storage account. You also can add In addition, setting the corresponding environment variables can avoid inputting credentials in your command. Please use --help to get more information about environment variable usage. |
Hitting the limits of what I can help with here, azure auth isn't something I've worked with much. |
Joining the discussion because I am hitting the same problem. I also suspect this is GA issue, because I have the same setup working locally with Pulumi. Locally, I do not use storage key or SAS token. I only use CLI login with RBAC and it works flawlessly. This is my workflow:
OIDC login with Azure CLI gives the correct permissions, identity is able to read all the necessary resources, but pulumi actions fails with error:
Identity has the same roles as my account |
I tried using the pulumi CLI in run steps and it seems it has the same authorization error. It must be related to OIDC authentication (federated credentials), because pulumi won't be able to read the blob storage, regardless of the assigned roles. For reference, the roles assigned to the identity are:
|
Looking into this a bit today, the error message "PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions" can only be hit if the CLI isn't in "filestate" mode. So somehow the backend information is getting lost. |
I had the same issue when used AWS S3 bucket as a backend, and I can confirm that setting $PULUMI_BACKEND_URL env variable resolved the problem for me. |
I fixed it by removing the step of automation using "./pulumi_azure_blob_setup.ps1" script from the github action.
|
What happened?
Hi,
I m trying to use azure blob as backend that is required by my organization, but i get error:
PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
i have this environment variables
env:
AZCLI_VERSION: latest
AZURE_WRITE: false
DOTNET_VERSION: 7.0.x
AZURE_REGION: norwayeast
PULUMI_WORK_DIR: PulumiAzure
PULUMI_STACK_NAME: dev
DOTNET_ROOT: /usr/share/dotnet
AZURE_HTTP_USER_AGENT:
AZUREPS_HOST_ENVIRONMENT:
AZURE_STORAGE_ACCOUNT: pulumistateaccountdev
AZURE_CONTAINER_NAME: pulumistatecontainerdev
AZURE_STORAGE_KEY: rI/otrVwLuo0WrV+GUC7V5azr23RVc56AewKt5wv10SLDnXqpH4I**********
AZURE_STORAGE_SAS_TOKEN: se=.******************
ARM_USE_OIDC: true
ARM_CLIENT_ID: ***
ARM_TENANT_ID: ***
ARM_SUBSCRIPTION_ID: ***
Configured range: ^3
/opt/hostedtoolcache/pulumi/3.77.1/x64/pulumi version
v3.77.1
Pulumi version 3.77.1 is already installed on this machine. Skipping download
Logging into azblob://pulumistatecontainerdev
/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77
: new CommandError(result);
^
CommandError: code: -2
stdout:
stderr: Command failed with exit code 255: pulumi stack select --stack dev --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
err?: Error: Command failed with exit code 255: pulumi stack select --stack dev --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
Expected Behavior
the pulumi state is not created in azure blob
Steps to reproduce
i use github action with azure cli
Output of
pulumi about
Configured range: ^3
/opt/hostedtoolcache/pulumi/3.77.1/x64/pulumi version
v3.77.1
Pulumi version 3.77.1 is already installed on this machine. Skipping download
Logging into azblob://pulumistatecontainerdev
/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77
: new CommandError(result);
^
CommandError: code: -2
stdout:
stderr: Command failed with exit code 255: pulumi stack select --stack dev --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
err?: Error: Command failed with exit code 255: pulumi stack select --stack dev --non-interactive
error: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: