# pulumi-cloud
l
I am trying to give Deployments a spin and have questions about authenticating to Azure with OIDC. In my shop I have instituted the practice of disabling default providers to ensure cloud provider details (Azure tenant and subscription) are explicitly specified for a stack, so that we aren't relying on ambient state on the workstation of the person updating the stack. We do, however, want to be able to use ambient login state, so that team members can run stack updates under their Azure identity. This works fine for updates from an individual's workstation. For CI/CD using a service principal with OIDC authentication, disabling the default Azure provider means (we've learned through trial and error) that environment variables don't work; we have to set `azure-native:useOidc`, `azure-native:oidcToken`, and `azure-native:clientId` in the stack config. We have done this as part of a script running the desired Pulumi CLI command. How would the same thing be accomplished in Pulumi Deployments? Environment variables can be set in the stack's deployment settings, but how about `pulumi config set` commands?
r
You can run `pulumi config set` commands as pre-run commands in the stack's deployment settings. Or you can use ESC's azure-login provider and pass in the environment in your stack config to handle the OIDC relationship and avoid setting this through deployment settings.