Hello 🙂 Lately been getting errors when using pulumi locally, with remote backend in Azure. Whenever I run

pulumi refresh

it presents me with: error: Preview failed: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token or request URL were configured. See https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#credentials for more information. Now, I am logged in locally with the

az cli

and set the right account. I also have owner permissions on these Subscriptions in Azure. My program is provisioning across one other subscription then the one i am logged in with, because we are trying to make a backup into another subscription. This code hasntt changed in half a year, but recently it stopped working locally. On CI/CD with Managed Identities, it still works.

pulumi about:

CLI
Version      3.144.1
Go Version   go1.23.4
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure         6.14.0
resource  azure-native  2.79.0
resource  command       1.0.1
resource  docker        4.5.5
language  dotnet        3.71.1

Host
OS       darwin
Version  15.2
Arch     arm64

Hi, sorry you’re having issues here. This error is thrown when neither

ARM_OIDC_TOKEN

nor

ARM_OIDC_TOKEN_FILE_PATH

are set, or their pulumi config equivalents. Are you using Pulumi ESC? Could you 1. show us your auth-related configuration, whether it’s in pulumi config (

azure-native:…

) or env variable (

ARM_...

)? 2. See if setting the environment variable

PULUMI_ENABLE_AZCORE_BACKEND=false

makes a difference?

Hi, sorry for the late reply. We are not using ESC, no. our backend is hosted in the azure storage container. So we are using that to keep the state 🙂 We never had to set ARM_OIDC or the file path ever before. So im assuming it is something pulumi introduced lately? And by recently I mean in the last 8-9 months. For your questions: pulumi.yaml

name: backend-infrastructure
runtime: dotnet
description: This project contains infrastructure for the Backend

pulumi.local.yaml

encryptionsalt: v1...
config:
  azure-native:location: westeurope
  backend-infrastructure:AspDotnetEnv: Development
  azure-native:clientId: ....

As previously said, we never had to set anything here. it was working, as soon as we used az cli to login 🙂 we have not tried PULUMI_ENABLE_AZCORE_BACKEND yet

Thanks! We haven’t intentionally introduced any breaking changes. If I understand correctly, out of the supported auth methods, you’re using MSI in CI, and the Azure CLI locally? Like your error message _OIDC authentication was requested via useOidc/ARM_USE_OIDC_ says, the pulumi config

useOidc

or the env variable

ARM_USE_OIDC

must be set to true for you to get this error. I cannot imagine how a bug would cause this, but I could be wrong. The code is pretty simple and used by many users. Could you double-check your environment?

Im not sure how much more I can assist here without showing you data you are of course not supposed to see. Hm. but yes, CI/CD uses MSI, looking like this:

- name: Running Pulumi ${{ inputs.action }} ✨ ${{ inputs.environment }}
  uses: pulumi/actions@v6
  env:
    PULUMI_CONFIG_PASSPHRASE: ${{ secrets.passphrase }}
    AZURE_STORAGE_ACCOUNT: ${{ secrets.storageAccount }}
    AZURE_STORAGE_KEY: ${{ secrets.storageKey }}
    ARM_USE_OIDC: "true"
    ARM_TENANT_ID: ${{ secrets.tenantId }}
    ARM_CLIENT_ID: ${{ secrets.orchestratorClientId }}
    ARM_SUBSCRIPTION_ID: ${{ secrets.subscriptionId }}
    ARM_SKIP_PROVIDER_REGISTRATION: "true"
    USE_MSI: "true"
    USE_OIDC: "true"
  with:
    command: ${{ inputs.action }}
    stack-name: ${{ inputs.stack }}
    work-dir: ${{ inputs.workDir }}
    diff: true
    refresh: true
    upsert: true
    color: always
    pulumi-version: latest
    suppress-progress: true
    cloud-url: <azblob://qmpulumi-container>

Locally, we used to be able to do the following (sorry if too granular)

❯ export PULUMI_CONFIG_PASSPHRASE=redacted
❯ export AZURE_STORAGE_ACCOUNT=qmpulumi
❯ export AZURE_STORAGE_KEY=redacted
❯ az login
A web browser has been opened at ....
Retrieving tenants and subscriptions for the selection...
[Tenant and subscription selection]

No     Subscription name                     Subscription ID                       Tenant
-----  ------------------------------------  ------------------------------------  --------
[7] *  Dev                                                                         MAIN

The default is marked with an *; the default tenant is 'MAIN' and subscription is 'Dev' (Redacted).

Select a subscription and tenant (Type a number or Enter for no changes): 7

Tenant: MAIN
Subscription: Dev (Redacted)

  ~/w/repo/sa/b/s/Api on   main *55 ❯ pulumi login <azblob://qmpulumi-container>
Logged in to ... as ... (<azblob://qmpulumi-container>

❯ pulumi stack ls
NAME  LAST UPDATE     RESOURCE COUNT
631   7 months ago    29
774   6 months ago    20
779   6 months ago    0
837   5 months ago    0
dev*  25 minutes ago  33


❯ pulumi refresh
Previewing refresh (dev):
     Type                                           Name                                           Plan           Info
     pulumi:pulumi:Stack                            infrastructure-dev   running..      'dotnet build -nologo' completed successfully
     ├─ custom:resource                             DockerImage::dev
     ├─ azure-native:dbforpostgresql:Database       dev-db
 ~   ├─ azure-native:authorization:RoleAssignment   dev-dev-bkp-reader-roleassignment  refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ azure-native:authorization:RoleAssignment   container-keyvault-admin
 ~   ├─ azure:appservice:CustomHostnameBinding      dev                                refreshing.    error: Preview failed: 1 error occurred:
 ~   ├─ azure:appservice:CertificateBinding         dev                                refreshing.    error: Preview failed: 1 error occurred:
 ~   ├─ azure-native:authorization:RoleAssignment   dev-dev-bkp-msi-roleassignment     refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ azure-native:dbforpostgresql:FirewallRule   sqlFwRuleAllowAll
     ├─ azure-native:authorization:RoleAssignment   keyvault-administrator
     ├─ azure-native:dbforpostgresql:Administrator  administrator
 ~   ├─ azure-native:dataprotection:BackupVault     dev-dev-bkp-vault                  refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ azure-native:web:AppServicePlan             dev
     ├─ azure-native:dbforpostgresql:Server         dev-dev-server
 ~   ├─ azure-native:network:RecordSet              dev-txt                            refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ azure-native:resources:ResourceGroup        dev-dev
     ├─ azure-native:keyvault:Vault                 keyvault
     ├─ pulumi:providers:azure-native               dev-dev-bkp-subscription
     ├─ pulumi:pulumi:StackReference                organization/core-infrastructure/dev
 ~   ├─ docker-build:index:Image                    dev-image                          refreshing.
 ~   ├─ azure-native:dataprotection:BackupPolicy    dev-dev-bkp-policy                 refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ pulumi:providers:azure-native               dev
 ~   ├─ azure-native:resources:ResourceGroup        dev-dev-bkp-rg                     refreshing.    error: Preview failed: OIDC authentication was requested v
 ~   ├─ azure-native:authorization:RoleAssignment   dev-dev-bkp-ltr-backup-role        refreshing.    error: Preview failed: OIDC authentication was requested v
     ├─ azure-native:web:WebApp                     dev
     ├─ azure-native:authorization:RoleAssignment   keyvault-secrets-officer-group
 ~   ├─ azure-native:dataprotection:BackupInstance  dev-dev-bkp-instance               refreshing.    error: Preview failed: OIDC authentication was requested v
 ~   ├─ azure:appservice:ManagedCertificate         dev-managed-cert                   refreshing.    error: Preview failed: 1 error occurred:
 ~   └─ azure-native:network:RecordSet              dev-cname                          refreshing.    error: Preview failed: OIDC authentication was requested v

Resources:
    16 unchanged

Meaning, that this usually worked out of the box. However, the only "downside" is that we are doing the DNS in another subscription. But I am owner of both - so should not be an issue..

Thanks! A few points: • You can only use OIDC or MSI to authenticate, setting both to true doesn’t make sense. • The variables

USE_MSI

and

USE_OIDC

don’t do anything, to my knowledge, the correct ones are

ARM_USE_MSI

and

ARM_USE_OIDC

. • That means that in your CI setup, only

ARM_USE_OIDC

is set. That would explain why you get “OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token or request URL were configured”, but that’s locally? • In your refresh output, I see two instances of

pulumi:providers:azure-native

. If you configure those in the code, the environment variables are disregarded.

Thanks for the feedback on the CI setup 😄 it all works, but I will remove the unused variables