# azure
n
Hello everyone, I am maintaining Pulumi stack state in the self-managed backend. I made some modifications in the Azure ADO pipeline Pulumi tasks to use `--secrets-provider`, but the Pulumi task always shows the following error:

`error: getting stack configuration: get stack secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables`

Below is my Pulumi task in the ADO pipeline. Could you please tell me why we need to set `PULUMI_CONFIG_PASSPHRASE` in the environment variables when I am trying to use Azure Key Vault as the secrets provider?
```yaml
- task: Pulumi@1
  displayName: 'Pulumi Up (Namespace: ${{ parameters.namespace }})'
  retryCountOnTaskFailure: 3
  inputs:
    cwd: '$(Build.SourcesDirectory)/cicd/iac/'
    command: 'up'
    args: '--yes --config-file=$(CONFIG_FILE_PATH) --secrets-provider=$(KEY_VAULT_PULUMI_KEY)'
    loginArgs: '--cloud-url azblob://pulumistacks?storage_account=$(STORAGE_ACCOUNT_NAME)'
    stack: 'organization/test/virtual-${{ parameters.namespace }}'
    azureSubscription: $(PULUMI_STACK_SUBSCRIPTION)
    createStack: true
  env:
    AZURE_STORAGE_ACCOUNT: $(STORAGE_ACCOUNT_NAME)
    AZURE_STORAGE_KEY: $(STORAGE_ACCOUNT_KEY)
    AZURE_KEYVAULT_AUTH_VIA_CLI: "true"
```
f
Hey! I am also using Azure DevOps and an Azure storage account backend! I can't say I've set up the Key Vault secrets provider yet though, so I'm not sure how much help I can be.
State files are stored as files in the storage account, and they will contain encrypted secrets (like connection strings for things, function app master keys, etc.); those secrets are encrypted with the "pulumi config passphrase". It sounds like you're trying to get that / set that from the Key Vault?
The "secrets" functionality is more for API keys that need to be passed to other things, that you don't want to store as code. I'm not sure if you can get the pulumi config passphrase from the Key Vault. I might have to do some digging.
n
Hi @fast-sandwich-30809, thank you for your reply. I understood that you can use either a passphrase or Azure Key Vault as the secrets provider for the Pulumi stack. I couldn't find an example where it has been done or used in the pipeline. I would appreciate any information you might have.