Has anyone gotten `azurekeyvault` secrets provider...
# general
f
Has anyone gotten the `azurekeyvault` secrets provider working in GitHub Actions with the azure/login action setting up the CLI and OIDC credentials? I’m bashing my head against it. I would expect `AZURE_KEYVAULT_AUTH_VIA_CLI: "true"` to make it work, but it doesn’t seem to have any effect.
Oh, `AZURE_KEYVAULT_AUTH_VIA_CLI` was removed from go-cloud/secrets/azurekeyvault but not from any of the docs: https://github.com/google/go-cloud/pull/3202
f
I use azblob for state and azurekeyvault for secrets, and it works in GitHub Actions for me.
```yaml
# Federated (OIDC) login: no client secret is stored in the repo; the
# workflow's GitHub token is exchanged for an Azure access token.
- name: Login to Azure
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Deploy Environment
  uses: pulumi/actions@v5
  with:
    command: up
    stack-name: test
    work-dir: app
    comment-on-summary: true
    # State backend in Azure Blob Storage; xXx is the storage account name
    cloud-url: azblob://pulumi?storage_account=xXx
    # Stack secrets encrypted with a Key Vault key; xXx is the vault name
    secrets-provider: azurekeyvault://xXx.vault.azure.net/keys/pulumi
  env:
    # Tell the Azure provider to reuse the OIDC identity from azure/login
    ARM_USE_OIDC: true
    ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```
f
Thanks. I had an `AZURE_CLIENT_ID` env var hanging around from a previous iteration, and that was causing the credentials to abort on the managed identity credential provider before even attempting the CLI credential provider 😞 super unclear.
f
If you deploy private GitHub runners inside your VNet on Azure, there is additional configuration you have to do, which was awkward to find. On the login, you have to add `APPSETTING_WEBSITE_SITE_NAME: azcli-workaround` as an environment variable, or it will use the wrong login URL. On the Pulumi run, I had to specify both OIDC and a client secret to make it work, because it doesn’t seem to authenticate the same way for the secrets and state store as it does for the run.