No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey there! I am trying to configure a PKO stack with an Azure blob storage account backend that authenticates via OIDC with the environment variables as described in the <https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#oidc-pulumi-provider-configuration|official documentation>, but it seems that the pulumi-kubernetes-operator-controller-manager pod actually performs all of the authentication and deployment steps towards Azure. From what I gathered in the docs for V2 is that all stack operations should be done from within the workspace pods, but that doesn't seem to be the case?

The problem that I am facing now is that authentication fails unless I specifically grant <https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet|workload identity access> for the controller-manager pod service account instead of the workspace pod. The same applies for setting `envRefs` variables such as `ARM_OIDC_TOKEN_FILE_PATH` , unless I also configure workload identities for the controller-manager pod.

You will probably get a better response about this by making a github issue.

Okay, created an issue here: <https://github.com/pulumi/pulumi-kubernetes-operator/issues/876>