I have a Pulumi program which works fine on my Dev-Machine. Configuration is stored in Azure, also the Resources created are being stored in Azure.
To run this I set the following environment variables:
SET ARM_SUBSCRIPTION_ID=<id>
Locally I log in to Azure using az login, which then asks me for my credentials. After that I can use pulumi up to update changes in Azure. This all works without any issues.
Now I want to achieve the same thing in Azure DevOps using a release pipeline. I use the "Azure CLI" task with a correctly configured ARM connection. The task contains pulumi up -s develop --yes (where "develop" is my Pulumi stack).
I can see in the logs that the Azure login works as expected, but Pulumi throws the following error:
Error building AzureRM Client: Authenticating using the Azure CLI is only supported as a User (not a Service Principal). To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' auth method - instructions for which can be found here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
While the error is quite clear and even contains a URL to a solution, this does not really help me because I do not use Terraform directly but Pulumi instead.
TL;DR: How do I configure the Pulumi CLI to use service principal authentication with Azure?
There are two options to configure Pulumi to authenticate with a Service Principal:
1. Set the environment variables ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_TENANT_ID, and ARM_SUBSCRIPTION_ID, or
2. Set them using configuration:
pulumi config set azure:clientId <clientID>
pulumi config set azure:clientSecret <clientSecret> --secret
pulumi config set azure:tenantId <tenantID>
pulumi config set azure:subscriptionId <subscriptionId>
Reference: Service Principal Authentication
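
For the pipeline in the question, the first option can be wired up inside the Azure CLI task itself. The script below is an added example, not part of the answer above. It assumes the task runs a bash script, has "Access service principal details in script" (addSpnToEnvironment) enabled, and uses a service connection with a client secret. RUN_PULUMI is a hypothetical switch used only in this example.

```shell
#!/usr/bin/env bash
# Added example: inline script for the Azure CLI task.
# With addSpnToEnvironment enabled, the task exposes servicePrincipalId,
# servicePrincipalKey and tenantId to the script's environment.

# Fail with the variable's NAME only; a value is never written to the log.
require_var() {  # $1 = variable name, $2 = its value
  if [ -z "$2" ]; then
    echo "missing $1: enable addSpnToEnvironment on the Azure CLI task" >&2
    return 1
  fi
}

# Map the task's variables onto the ARM_* names the provider reads.
export_arm_from_spn() {
  require_var servicePrincipalId  "${servicePrincipalId:-}"  || return 1
  require_var servicePrincipalKey "${servicePrincipalKey:-}" || return 1
  require_var tenantId            "${tenantId:-}"            || return 1

  export ARM_CLIENT_ID="$servicePrincipalId"
  export ARM_CLIENT_SECRET="$servicePrincipalKey"
  export ARM_TENANT_ID="$tenantId"

  # Keep an explicitly set subscription; otherwise take it from the
  # session the task already logged in with.
  if [ -z "${ARM_SUBSCRIPTION_ID:-}" ]; then
    ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)" || return 1
  fi
  export ARM_SUBSCRIPTION_ID
}

# Hypothetical switch: set RUN_PULUMI=1 in the task to run the deployment.
if [ "${RUN_PULUMI:-0}" = "1" ]; then
  export_arm_from_spn && pulumi up -s develop --yes
fi
```

Because the secret only lives in the task's process environment, it does not need to be stored as a separate pipeline variable or committed to the stack configuration.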