# azure
n
Hi everyone, I am using Azure Storage blob as a backend for saving Pulumi stack state. I use the Pulumi task in the Azure DevOps pipeline to perform any of the pulumi commands to update the state in any of our environments. Below is the task where I am running pulumi commands as part of the bash script. I am trying to use azurekeyvault as a secret provider. From observing the task below, it first sets the secret provider to azurekeyvault, but when pulumi up starts running, during the run it changes the secret provider to passphrase. I am not able to understand why it is changing the secret provider from azurekeyvault to passphrase. Can someone please let me know the reason?
- task: AzureCLI@2
  displayName: 'Pulumi stack select and up'
  inputs:
    azureSubscription: '${{ parameters.azureSubscription }}'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    addSpnToEnvironment: true
    inlineScript: |
      pulumi login --cloud-url azblob://$(PULUMI_STACKS_BLOB_CONTAINER)?storage_account=$(AMAP_DEV_STORAGE_ACCOUNT)
      cd $(Build.SourcesDirectory)/cicd/iac/
      pulumi stack select organization/ruc/$(stackName)
      pulumi stack change-secrets-provider $(AMAP_DEV_PULUMI_KEY_URL)
      pulumi up --yes --config-file=$(CONFIG_FILE_PATH)
  env:
    AZURE_STORAGE_ACCOUNT: $(AMAP_DEV_STORAGE_ACCOUNT)
    AZURE_STORAGE_KEY: $(AMAP_DEV_STORAGE_ACCOUNT_KEY)
    ARM_CLIENT_ID: $(ARM-CLIENT-ID)
    ARM_TENANT_ID: $(ARM-TENANT-ID)
    ARM_CLIENT_SECRET: $(ARM-CLIENT-SECRET)
    ARM_ENVIRONMENT: '${{ variables.cloudEnvironment }}'
    AZURE_KEYVAULT_AUTH_VIA_CLI: 'true'
    PULUMI_CONFIG_PASSPHRASE:
Can someone please look into this issue? I might be missing something trivial. I really appreciate any help you can provide.
f
I see a reliance on AMAP_DEV_PULUMI_KEY_URL as an env var in the script, but I don't see it being set in the env: block - that might be it?