
Provider does not automatically pick up credentials in Azure Shell #74

Closed
lukehoban opened this issue Jun 27, 2018 · 3 comments · Fixed by #314
@lukehoban
Contributor

When using the Azure Shell in the Azure Portal (or from VS Code), you get ambient credentials for your Azure subscription which allow tools like az to work without the need for additional login/configuration.

However, the Pulumi Azure Provider does not appear to pick these up automatically:

luke@Azure:~/examples/azure-js-webserver$ pulumi up
Previewing update of stack 'testme'
Previewing changes:

     Type                    Name                    Plan          Info
 *   global                  global                  no change     1 error
 +   └─ pulumi:pulumi:Stack  webserver-azure-testme  create

Diagnostics:
  global: global
    error: Azure CLI Authorization Tokens were not found. Please ensure the Azure CLI is installed and then log-in with `az login`.

error: an error occurred while advancing the preview
luke@Azure:~/examples/azure-js-webserver$ az login
Cloud Shell is automatically authenticated under the initial account signed-in with. Run 'az login' only if you need to use a different account
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code SOMESTRING to authenticate.
@mikhailshilkov
Member

mikhailshilkov commented Jun 14, 2019

So, this is still a problem today. I think it's important to make pulumi work in Cloud Shell for a better getting-started experience. Ideally, I would love to see pulumi pre-installed there the same way Terraform is.

To work around the problem, I had to set two config values.

First, pulumi config set azure:useMsi true leads pulumi up to

    error: Unable to list provider registration status, it is possible that this is due 
to invalid credentials or the service principal does not have permission to use the 
Resource Manager API, 
Azure error: resources.ProvidersClient#List: Failure responding to request:StatusCode=404 
-- Original Error: autorest/azure: Service returned an error. 
Status=404 Code="SubscriptionNotFound" 
Message="The subscription 'providers' could not be found."

which was solved by pulumi config set azure:subscriptionId <guid>. That's weird because az account show already displays the proper subscription.

Terraform doesn't seem to need an explicit configuration to use MSI, nor the subscription ID. It seems to respond to the MSI_ENDPOINT environment variable.

Questions:

  1. Should Pulumi default to useMsi=true if MSI_ENDPOINT is set?
  2. What is the source of "The subscription 'providers' could not be found", what does terraform do to pick it up, and can we copy this?

@mikhailshilkov
Member

For reference, here is the script that I use in Azure Cloud Shell to make pulumi work without any additional configs in the stack:

#!/usr/bin/env bash

set -e

# Take the subscription and tenant of the account Cloud Shell is already signed in to.
export ARM_SUBSCRIPTION_ID="$(az account show --output=json | jq -r -M '.id')"
export ARM_TENANT_ID="$(az account show --output=json | jq -r -M '.tenantId')"

# Cloud Shell exposes its managed identity endpoint as MSI_ENDPOINT; use MSI only when it is present.
export ARM_MSI_ENDPOINT=$MSI_ENDPOINT
if [ -z "$ARM_MSI_ENDPOINT" ]; then
  export ARM_USE_MSI=false
else
  export ARM_USE_MSI=true
fi

~/.pulumi/bin/pulumi "$@"

I basically copied it from the pre-installed terraform script.

This issue exists for one year and is still not assigned to any release... Shall we at least agree on how it should eventually work?

Some options:

  • Do nothing in code, agree with Microsoft to put pulumi into the cloud shell by default together with the script above (so, same as Terraform)
  • Do nothing in code, create a separate installation script of Pulumi for the cloud shell, reference it in the docs
  • Change the code to detect the cloud shell (e.g. by env AZURE_HTTP_USER_AGENT="cloud-shell/1.0"), auto-adjust Terraform configuration
  • Change the code to default to MSI if MSI_ENDPOINT env variable is defined, populate subscription and tenant ID accordingly

@lukehoban @jen20

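The fourth option above, worked through as an added example (this is not code from Pulumi or from the upstream Azure Terraform provider): a function that derives the provider's auth settings from the process environment and from the JSON that `az account show` prints. The only facts taken from the thread are the variables MSI_ENDPOINT, ARM_USE_MSI, ARM_MSI_ENDPOINT, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID and AZURE_HTTP_USER_AGENT="cloud-shell/1.0", and the `.id` / `.tenantId` fields the wrapper script reads. The `ProviderAuth` type, the `DeriveAuth` and `envMap` names, and the sample account JSON with placeholder GUIDs are all constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Constructed sample of `az account show --output=json`, reduced to the fields
// the wrapper script in this thread reads (.id and .tenantId). Placeholder GUIDs.
const sampleAzAccountJSON = `{
  "id": "00000000-0000-0000-0000-000000000001",
  "tenantId": "00000000-0000-0000-0000-0000000000aa",
  "name": "Example Subscription",
  "state": "Enabled"
}`

type azAccount struct {
	ID       string `json:"id"`
	TenantID string `json:"tenantId"`
}

// ProviderAuth is a hypothetical result type for this example only.
type ProviderAuth struct {
	UseMsi         bool
	MsiEndpoint    string
	SubscriptionID string
	TenantID       string
	CloudShell     bool
}

// DeriveAuth applies option 4 from the thread: when MSI_ENDPOINT is set, default
// to MSI and fill subscription and tenant ID from `az account show` output unless
// ARM_* variables already provide them. An explicit ARM_USE_MSI wins over detection.
func DeriveAuth(env map[string]string, azAccountJSON []byte) (ProviderAuth, error) {
	auth := ProviderAuth{
		// Option 3 from the thread: Cloud Shell advertises itself in this variable.
		CloudShell:     strings.HasPrefix(env["AZURE_HTTP_USER_AGENT"], "cloud-shell/"),
		MsiEndpoint:    firstNonEmpty(env["ARM_MSI_ENDPOINT"], env["MSI_ENDPOINT"]),
		SubscriptionID: env["ARM_SUBSCRIPTION_ID"],
		TenantID:       env["ARM_TENANT_ID"],
	}
	if v, ok := env["ARM_USE_MSI"]; ok {
		auth.UseMsi = v == "true"
	} else {
		auth.UseMsi = auth.MsiEndpoint != ""
	}
	if !auth.UseMsi {
		// Not MSI: leave the usual auth path (Azure CLI tokens, service principal) alone.
		return auth, nil
	}
	if auth.SubscriptionID == "" || auth.TenantID == "" {
		if len(azAccountJSON) == 0 {
			return auth, errors.New("MSI selected but no subscription/tenant in ARM_* and no `az account show` output")
		}
		var acct azAccount
		if err := json.Unmarshal(azAccountJSON, &acct); err != nil {
			return auth, fmt.Errorf("parsing `az account show` output: %w", err)
		}
		if auth.SubscriptionID == "" {
			auth.SubscriptionID = acct.ID
		}
		if auth.TenantID == "" {
			auth.TenantID = acct.TenantID
		}
	}
	// The 404 in the thread appeared with useMsi=true and no subscription ID set;
	// fail here instead of issuing a request with an empty subscription.
	if auth.SubscriptionID == "" {
		return auth, errors.New("MSI selected but subscription ID could not be determined")
	}
	return auth, nil
}

func firstNonEmpty(values ...string) string {
	for _, v := range values {
		if v != "" {
			return v
		}
	}
	return ""
}

// envMap converts os.Environ()-style "KEY=VALUE" entries into a map.
func envMap(environ []string) map[string]string {
	m := make(map[string]string, len(environ))
	for _, kv := range environ {
		if k, v, ok := strings.Cut(kv, "="); ok {
			m[k] = v
		}
	}
	return m
}

func main() {
	// Stand-alone run: read the real environment, but use the constructed
	// account JSON instead of invoking az.
	auth, err := DeriveAuth(envMap(os.Environ()), []byte(sampleAzAccountJSON))
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("%+v\n", auth)
}
```

Two design choices worth noting: values the user sets explicitly (ARM_USE_MSI, ARM_SUBSCRIPTION_ID, ARM_TENANT_ID) always take precedence over anything detected, so the wrapper script above keeps working unchanged; and when MSI is selected but no subscription ID can be determined the function refuses to continue, which surfaces a clear configuration error instead of the opaque 404 quoted earlier in the thread.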
@lukehoban
Contributor Author

If the fourth option is something we can do in our layer, that feels by far the best. Have you looked into whether that might be possible?

If not solvable in our layer, perhaps it makes sense to contribute this as an improvement to the upstream Azure Terraform Provider? It may help them to avoid needing that awkward wrapper as well.
