Use different ACCESS_TOKENS for different Stacks
Closed this issue ยท 3 comments
What happened?
I set up 2 Stacks with 2 different Stack Resources. I used EnvRefs to specify my Pulumi Access Token:
envRefs:
PULUMI_ACCESS_TOKEN:
type: Literal
literal:
value: <redacted>
I also tried setting the token via SecretRef
PULUMI_ACCESS_TOKEN:
type: Secret
secret:
name: tokens
key: accessToken
If i got only one Stack or if i can access all Stacks with the same token, it works perfectly fine. If i have two Stacks that need two different Access Tokens, it does not work anymore.
It always uses the Token from the first Stack it runs (after restarting the pod), and keeps using it for all Stacks it processes. It errors with "Organisation not found" and if i have a look at the "wrong" organisation, it tried to create the Stack in the wrong org because it havent found it there. Even though i specified the correct Tokens in each Stack Resource.
Expected Behavior
Use the correct Token.
Steps to reproduce
Create Resources as described.
Output of pulumi about
I run version 1.13.0.
Additional context
No response
Contributing
Vote on this issue by adding a ๐ reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
Hi @breuerfelix thanks for raising this issue with us.
I've escalated this internally to investigate further.
The root cause of the issue seems to be that the Pulumi CLI gives lower priority to PULUMI_ACCESS_TOKEN
than to any existing credentials in ~/.pulumi/credentials.json
. In other words, the first access token that is used is cached and reused. Note that the credentials cache is shared for all stacks.
See: pulumi/pulumi#13919
Are you going to release a new Version soon? Since may there has only been one new Github Tag and i really wanna rollout these new changes in order to get my cluster functioning again.
BTW thanks for the fix!