-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API Token is not updated in pulumi state #498
Comments
Hi @mdecalf I'm sorry about your troubles, let's try to figure it out together.
API token is not a resource, but
Could you please elaborate on that? Did you change the value in your program, then run
You need to run |
Hi @mikhailshilkov 👋 I'm running into this issue as well Our existing Cloudflare API token expired, so I updated the values in my
Not sure I ever would have figured out this bug without finding this issue. I assumed that the providers would always use the api token from the config.
If this is the case, it wasn't working for me. Does the new api token only get applied at the end of The solution for me was to manually delete the Cloudflare provider from state - not ideal Any help appreciated! |
Apologies for bumping an old issue, but I hit the exact same problem. The workaround was to run I feel this behavior is a bug: Pulumi tries to refresh/update the stack resources using the The current behavior is very frustrating to troubleshoot as there's no real indication from Pulumi about what the problem is, leading users down a rabbit hole trying to diagnose an apparent auth/API issue. It also easily results in Cloudflare rate-limiting your API requests which leads to further confusion. Changing stack settings usually has immediate effect, so the user expects any changes to the |
Hey folks, sorry you've hit issues here. Are you running This looks like pulumi/pulumi#4981 - the issue is that the credentials are saved in the state and refresh, unfortunately, does not run the program, so can't get the new credentials - it will always use the stale ones. The suggested workaround is not to save credentials in state - instead it is preferable to use environment variable to configure credentials for the provider. If that is not an option the running If neither of these works could I ask for a short program which reproduces the issue, as well as the sequence of commands which triggers it? |
@VenelinMartinov I've been using Running
I believe the trigger for the issue in these projects was hitting CF API rate limits due to running too many refresh operations in parallel, then attempting to replace the token (via rolling the existing one in the state). Could also occur due to token expiry as others have reported. |
For reference, I've used the following workarounds to fix the affected projects: WARNING: Exercise extreme care when attempting these workarounds! Ensure you backup your stack state & the CF records etc. before attempting. These workarounds may result in unexpected behavior, use at your own risk.
|
Thanks for expanding on the workaround @liam-auror! |
What happened?
In our golang controller we have a cloudflare provider instanced like that
We use it to create/update dns record
Last week we rotate our Cloudflare API token and restarted our app with the new token
All of our stacks are in failed status with an authentication error
{...pulumi:pulumi:Stack package-stack **failed** 1 error\n\nDiagnostics:\n cloudflare:index:Record (target-web-custom-domain):\n error: refreshing urn:pulumi:stack::package::cloudflare:index/record:Record::target-web-custom-domain: 1 error occurred:\n \t* Authentication error (10000)\n\n pulumi:pulumi:Stack (package-stack):\n error: update failed\n\nResources:\n 9 unchanged\n\nDuration: 3s`...}
So after many hours we found out what was wrong, the pulumi stack.json contains the token and unfortunately the old one
After pushing the new token into the object manually, it works
After looking at the successive changelogs & issues, I didn't see any mention about that. So, two questions:
Why is the API token, which is not a resource, is in the stack?
How can existing stacks use the new token?
Example
{...pulumi:pulumi:Stack package-stack **failed** 1 error\n\nDiagnostics:\n cloudflare:index:Record (target-web-custom-domain):\n error: refreshing urn:pulumi:stack::package::cloudflare:index/record:Record::target-web-custom-domain: 1 error occurred:\n \t* Authentication error (10000)\n\n pulumi:pulumi:Stack (package-stack):\n error: update failed\n\nResources:\n 9 unchanged\n\nDuration: 3s`...}
Output of
pulumi about
CLI
Version 3.70.1
Go Version go1.20.2
Go Compiler gc
Host
OS ubuntu
Version 20.04
Arch x86_64
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: