I'm running a azure devops pipeline. And am getting an issue related to pulumi not finding my stack which I keep in blob storage. below the result from runnin gmy diagnosis bash script. + pulumi login --cloud-url azblob://{redacted} Logged in to {redacted} as vsts (azblob://{redacted}) + pulumi whoami vsts + pulumi stack ls NAME LAST UPDATE RESOURCE COUNT 2021-04-19T00:43:47.2541639Z + pulumi stack select {mystack-redacted} 2021-04-19T00:43:47.2550943Z error: constructing secrets manager of type "cloud": open keeper azurekeyvault://{redacted}.vault.azure.net/keys/{redacted}/{redacted}: failed to Dial default KeyVault: failed to get oauth token from certificate auth: failed to decode pkcs12 certificate while creating spt: pkcs12: error reading P12 data: asn1: structure error: tags don't match (16 vs {class:1 tag:13 length:73 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} pfxPdu @2 So, I use a service principal and certificate with password. Now, I know that the stack {mystack-redacted} exists in my azure blob storage pulumi state. I can access it from my local as myself (fcavaco)... as Devops runs as vsts for the user, I am not sure that is the reason why pulumi fails to find the state file...?! Check below the script am using to try and diagnose what's going on: export AZURE_KEYVAULT_AUTH_VIA_CLI=false; export RESOURCE_GROUP_NAME=$(PULUMISTORAGEACCOUNTRESOURCEGROUP) export AZURE_STORAGE_ACCOUNT=${AZURE_STORAGE_ACCOUNT} export AZURE_STORAGE_KEY=${AZURE_STORAGE_KEY} export ARM_SUBSCRIPTION_ID=${SUBSCRIPTION_ID} export ARM_CLIENT_ID=${servicePrincipalId} export ARM_CLIENT_CERTIFICATE_PATH='./cert.pfx' export ARM_CLIENT_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD) export ARM_TENANT_ID=${tenantId} export AZURE_CLIENT_ID=${servicePrincipalId} export AZURE_CERTIFICATE_PATH='./cert.pfx' export AZURE_CERTIFICATE_PASSWORD=$(MAINCLIENTCERTIFICATEPASSWORD) export AZURE_TENANT_ID=${tenantId} export AZURE_SUBSCRIPTION_ID=${SUBSCRIPTION_ID} export STORAGE_CONTAINER_NAME=$(PULUMISTORAGECONTAINERNAME) az account show #this does return expected principal id. echo "##vso[task.prependpath]/home/vsts/.pulumi/bin" pulumi login --cloud-url "azblob://${STORAGE_CONTAINER_NAME}" --cwd $PWD ; pulumi whoami pulumi stack ls pulumi stack select ${{ variables.pulumi_stack }} pulumi preview --diff -d --cwd $PWD what am I doing wrong? or missing? any help will be much appreciated. Francisco

if you're using

azblob://

,

AZURE_KEYVAULT_AUTH_VIA_CLI

needs to be set to

true

@billowy-army-68599 that goes against what's written in all pulumi content have seen ? locally, if I login via a service principal in az client, when set to true, it will complain cannot do as a service principal user...?! but I will try and came back to this...thanks.