Is there any best practices around how to manage provider credentials in Pulumi? We recently needed to update some provider credentials (datadog) where the old credentials were revoked. Our stack explicitly created a provider instead of using the default provider, and the refresh operation failed because I believe it was using the old credentials that were saved in the state file. I think we can fix this by running up to update the provider credentials, but ideally we could roll away from revoked creds without also applying changes.

you're correct,

refresh

uses the state. You should be able to do

up

with

--target

to only update the datadog provider

Do you know if using the default provider would let us roll the cred and run a successful refresh?

unsure, but I think it would face the same problem