and give that service principal the perms on the storage obviously

No i did not set the ENV Vars, because it seems not needed with my Principal, I’m allready logged in via

az login

I can use to create Azure Resources with that Principal with no problems, have nothing to set, simply have to be logged in and selected the correct subscription. With that in mind I expected that

pulumi login <azblob://containername>

may also work and used the current user. That i may have to setup a service principal for CI Scenaries could be possible. But not on my machine with my credentials.

ah we use the same mechanism locally and on CI to avoid permissions mistakes. i've not used the azblob state at all so i don't know. we just put the whole lot in git

yes, git is the alternative, a repository with the restricted access for the state the project. (ironcally we don’t need the azure generated secrets in most of the times, also we only provide a SQL Server Admin Password because we have to, we use Managed Identity for most stuff).

yeah we throw all that in a keyvault but dont use it anywhere, msi also