# general
f
Hi! Has anyone used the Azure OIDC federated credentials when deploying Pulumi applications from GitHub Actions? I guess I've done something wrong, but can't figure out what... OIDC seems to work since I can run azure/login@v1 without issues. Getting this error message:
/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77
                      : new CommandError(result);
  ^
  CommandError: code: -2
   stdout: 
   stderr: Command failed with exit code 255: pulumi preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --event-log /tmp/automation-logs-preview-y7QDVg/eventlog.txt --stack tst --non-interactive
  warning: GOCOVERDIR not set, no coverage data emitted
  error: getting stack configuration: get stack secrets manager: secrets (code=InvalidArgument): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
   err?: Error: Command failed with exit code 255: pulumi preview --diff --exec-agent pulumi/actions@v3 --color auto --exec-kind auto.local --event-log /tmp/automation-logs-preview-y7QDVg/eventlog.txt --stack tst --non-interactive
  warning: GOCOVERDIR not set, no coverage data emitted
  error: getting stack configuration: get stack secrets manager: secrets (code=InvalidArgument): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://***.vault.azure.net/keys/pulumi-encryption-key-tst//decrypt?api-version=7.0: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
  
      at Object.createCommandError (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:77:1)
      at Object.<anonymous> (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:76:1)
      at Generator.throw (<anonymous>)
      at rejected (/home/runner/work/_actions/pulumi/actions/v4/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:19:1)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5)
This is what the step looks like in GitHub Actions:
- name: "Pulumi preview"
  uses: pulumi/actions@v4
  with:
    pulumi-version: 3.96.1
    command: preview
    stack-name: ${{ inputs.stack_name }}
    cloud-url: ${{ inputs.stack_url }}
    comment-on-pr: true
    diff: true
    work-dir: ${{ inputs.working_directory }}
  env:
    ARM_USE_OIDC: "true"
l
I assume you're using Azure Key Vault for the secrets? Have you set AZURE_KEYVAULT_AUTH_VIA_CLI=true in the env? The SDK won't pick up the CLI login without that. Edit: The error doesn't look exactly like the ones I've run into, so I'm just guessing.
f
Yeah, thanks for trying to help, but I don't think that's the issue 🤔