## Problem

When using Pulumi ESC to provide Azure credentials via OIDC, Pulumi operations fail even after properly configuring the ESC environment in `Pulumi.dev.yaml`. The environment variables (`ARM_*`) are set correctly but are not recognized by the Azure authentication layer.

## Description

Pulumi ESC sets the following environment variables for Azure authentication:

- `ARM_CLIENT_ID`
- `ARM_OIDC_TOKEN`
- `ARM_TENANT_ID`
- `ARM_SUBSCRIPTION_ID`
- `ARM_USE_OIDC=true`

However, setting the ESC environment in `Pulumi.dev.yaml` is NOT sufficient to run Pulumi operations.
## Current Broken Workflow

```yaml
# Pulumi.dev.yaml
environments:
  - pulumi-idp/auth
```

```bash
# Verify environment variables are set
pulumi env open pulumi-idp/auth -f shell # ✅ Shows all ARM_* variables

# Try to run Pulumi
pulumi preview # ❌ FAILS - Authentication error

# Also fails with explicit env run
pulumi env run pulumi-idp/auth -i -- pulumi preview # ❌ FAILS
```

## Root Cause
The Azure authentication layer does not respect the ARM_* environment variables. The Azure CLI must be explicitly logged in before Pulumi operations work, even though all required credentials are present in the environment.
## Required Workaround

You must manually log in to the Azure CLI before running any Pulumi operations:

```bash
# Step 1: Login using ESC credentials
pulumi env run pulumi-idp/auth -i -- bash -c 'az login --service-principal -u "$ARM_CLIENT_ID" -t "$ARM_TENANT_ID" --federated-token "$ARM_OIDC_TOKEN"'

# Step 2: Now Pulumi operations work
pulumi preview
pulumi up
```

## Impact on User Experience
This fundamentally breaks the ESC value proposition for Azure users:
- ❌ Setting ESC environment in `Pulumi.dev.yaml` is not sufficient
- ❌ Users must discover the non-obvious workaround through trial and error
- ❌ Manual login required before every session or after token expiry
- ❌ Inconsistent with other cloud providers (AWS, GCP work seamlessly with ESC)
- ❌ Poor developer experience - ESC should "just work"
## Expected Behavior

```yaml
# Pulumi.dev.yaml
environments:
  - pulumi-idp/auth
```

```bash
pulumi preview # ✅ Should work immediately
pulumi up # ✅ Should work immediately
```

Setting the ESC environment should be sufficient for all Pulumi operations.
## Suggestions for Resolution

- **ESC Auto-Login Hook**: When ESC detects Azure `ARM_*` variables, automatically perform Azure CLI login in the background
- **Native Authentication**: Make the Pulumi Azure Native provider authenticate directly using `ARM_*` variables without requiring the Azure CLI
- **Helper Command**: Provide a `pulumi esc login azure` command to simplify the login process
- **Prominent Documentation**: Document this critical limitation and required workaround
- **Session Management**: Persist Azure CLI login state within the ESC session context
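As an added illustration of the "Helper Command" idea (this is example code written for this issue, not part of Pulumi ESC, the Azure CLI, or the reporter's setup), the script below wraps the federated-token login from the workaround above in checks that fail early with a named variable instead of an opaque authentication error. The function names (`missing_arm_vars`, `arm_oidc_enabled`, `esc_az_login`) and the `esc-az.sh` file name are this example's own assumptions; the `ARM_*` variable names and the `az login` flags are the ones the issue lists.

```shell
#!/usr/bin/env sh
# Added example, not from the issue: a sketch of a "pulumi esc login azure"
# style helper. It checks that the ARM_* variables the issue says ESC exports
# are present before running the Azure CLI federated login workaround.
# Function names are hypothetical; only the ARM_* names and az flags come
# from the issue.

# Variables the issue lists as set by the ESC environment.
REQUIRED_ARM_VARS="ARM_CLIENT_ID ARM_TENANT_ID ARM_SUBSCRIPTION_ID ARM_OIDC_TOKEN ARM_USE_OIDC"

# Print the name of every required variable that is unset or empty, one per
# line. Returns 0 when all are present, 1 when at least one is missing.
missing_arm_vars() {
  _missing=0
  for _name in $REQUIRED_ARM_VARS; do
    # Indirect lookup that works in POSIX sh (no bash ${!name} needed).
    eval "_val=\${$_name:-}"
    if [ -z "$_val" ]; then
      echo "$_name"
      _missing=1
    fi
  done
  return $_missing
}

# Returns 0 only when the environment is configured for OIDC
# (ARM_USE_OIDC=true), the mode the federated-token login relies on.
arm_oidc_enabled() {
  [ "${ARM_USE_OIDC:-}" = "true" ]
}

# Run the Azure CLI login from the issue's workaround, but only after the
# checks above pass. Prints the reason and returns non-zero otherwise.
# Typical use, inside the ESC environment so the ARM_* variables are set:
#   pulumi env run pulumi-idp/auth -i -- sh -c '. ./esc-az.sh && esc_az_login && pulumi preview'
esc_az_login() {
  _missing=$(missing_arm_vars) || {
    echo "esc_az_login: missing ESC variables: $(echo $_missing | tr '\n' ' ')" >&2
    return 2
  }
  arm_oidc_enabled || {
    echo "esc_az_login: ARM_USE_OIDC is not 'true'; federated login does not apply" >&2
    return 2
  }
  az login --service-principal \
    -u "$ARM_CLIENT_ID" \
    -t "$ARM_TENANT_ID" \
    --federated-token "$ARM_OIDC_TOKEN" \
    --output none || return 1
  # Pin the subscription ESC provided so later operations target it.
  az account set --subscription "$ARM_SUBSCRIPTION_ID"
}
```

Because the token ESC hands out is short-lived, a wrapper like this is also a natural place to re-run the login when a previous session's token has expired, which is the case the issue's "manual login ... after token expiry" bullet describes.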
## Comparison with Other Providers
| Provider | ESC Environment Works Out-of-the-Box |
|---|---|
| AWS | ✅ Yes |
| GCP | ✅ Yes |
| Azure | ❌ No - Requires manual CLI login |
## Related Issue
See detailed technical discussion: pulumi/pulumi-azure-native#4428
## Environment
- Pulumi ESC: Latest
- Pulumi CLI: Latest
- Azure CLI: 2.80.0
- Platform: macOS
This affects every Azure user trying to use Pulumi ESC for authentication.