Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When using CLI auth, the provider should warn about mismatched Azure environments #3274

Closed
thomas11 opened this issue May 11, 2024 · 0 comments · Fixed by #3281
Closed

When using CLI auth, the provider should warn about mismatched Azure environments #3274

thomas11 opened this issue May 11, 2024 · 0 comments · Fixed by #3281
Assignees
@thomas11
Labels
area/auth impact/usability Something that impacts users' ability to use the product easily and intuitively kind/enhancement Improvements or new features resolution/fixed This issue was fixed

Comments

@thomas11
Copy link
Contributor

thomas11 commented May 11, 2024
edited

Prompted by #3268.

Azure has different clouds or "environments" like public and usgovernment. The environment of a Pulumi program cab be configured via azure-native:environment. However, when using the Azure CLI to authenticate, the provider will always use the environment we're logged in to, via az login.

This is somewhat unavoidable, since otherwise, Pulumi would need to change the CLI configuration. Both the subscription and the auth token are, to my knowledge, separate per cloud. Our authentication library uses az account show to determine the currently active subscription (from az login), and then takes the cloud from the subscription as well.

❯ az account show
{
  "environmentName": "AzureCloud",    <--- regardless of pulumi config
}

Therefore, azure-native:environment has no effect when using the CLI to authenticate. For all other auth methods, this problem should not exist since there's no local state lookup like az account show, everything is explicitly configured.

We should warn or error when the configured environment is different from the one az is logged into.
@thomas11 thomas11 mentioned this issue May 11, 2024
Closed
@thomas11 thomas11 added kind/enhancement Improvements or new features area/auth impact/usability Something that impacts users' ability to use the product easily and intuitively labels May 11, 2024
@thomas11 thomas11 mentioned this issue May 13, 2024
Merged
thomas11 added a commit that referenced this issue May 14, 2024
@thomas11
Fail early on mismatched environments/clouds (#3281)
b47bf2e 
Quoting the code comment: CLI authentication can only use the
environment that the CLI is configured for. Fail early if that's not the
one from config, to avoid obscure errors about missing subscriptions or
endpoints later.

Resolves #3274 

Sample shell session:
```
❯ pulumi config -s gov | rg environ
azure-native:environment  usgovernment

❯ az account show | rg environ
  "environmentName": "AzureCloud",

❯ PATH=$HOME/pulumi/pan/bin:$PATH pulumi up -s gov
Previewing update (gov)

     Type                                     Name              Plan       Info
 +   pulumi:pulumi:Stack                      azn-3268-env-gov  create     3 warnings
     └─ azure-native:resources:ResourceGroup  resourceGroup                1 error

Diagnostics:
  azure-native:resources:ResourceGroup (resourceGroup):
    error: The configured Azure environment 'usgovernment' does not match the determined environment 'public'.
    When authenticating using the Azure CLI, the configured environment needs to match the one shown by 'az account show'.
    You can change environments using 'az cloud set --name <environment>'.
```
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@thomas11 thomas11

Labels
area/auth impact/usability Something that impacts users' ability to use the product easily and intuitively kind/enhancement Improvements or new features resolution/fixed This issue was fixed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fail early on mismatched environments/clouds pulumi/pulumi-azure-native
2 participants
@thomas11 @pulumi-bot