# azure
I have run into this with dynamic providers, where Pulumi must be able to refresh using only information from the state file. I managed to avoid serializing secrets by serializing code that would read the secrets from env variables, and then wrapping Pulumi in another process to do the auth and set those secrets.
I am praying that the native provider doesn't have to do this. All of the resources in this stack use the same provider, which has always used an Azure-attached managed identity on the deployment VM. If there's anything serialized, I'm hoping it's an instruction to "Go ask the IMDS for a token".
Are you by any chance setting
, f.x. via ESC?